Supply Chain Risk Auditor
Skill ActiveIdentifies dependencies at heightened risk of exploitation or takeover. Use when assessing supply chain attack surface, evaluating dependency health, or scoping security engagements.
To identify dependencies at heightened risk of exploitation or takeover, enabling users to assess supply chain attack surfaces and scope security engagements effectively.
Features
- Identifies dependencies at heightened risk
- Assesses supply chain attack surface
- Evaluates dependency health
- Generates risk reports with suggested alternatives
- Uses `gh` CLI for data collection
Use Cases
- Assessing dependency risk before a security audit
- Evaluating supply chain attack surface of a project
- Identifying unmaintained or risky dependencies
- Pre-engagement scoping for supply chain concerns
Non-Goals
- Active vulnerability scanning (use dedicated tools like npm audit, pip-audit)
- Runtime dependency analysis
- License compliance auditing
Trust
- warning:Issues Attention13 issues opened and 4 closed in the last 90 days indicates a closure rate below 50% with a significant number of open issues.
Practical Utility
- info:Usage examplesWhile the skill describes its purpose and workflow, explicit, ready-to-use end-to-end examples demonstrating invocation and output are missing.
Installation
First, add the marketplace
/plugin marketplace add trailofbits/skills/plugin install supply-chain-risk-auditor@trailofbitsQuality Score
Trust Signals
Similar Extensions
Ship Gate
100Pre-production audit that scans a codebase for security, database, deployment, code quality, AI/LLM, dependency, frontend, and observability issues. Intercepts deploy commands and blocks until critical items pass. Stack-agnostic. Use for "run ship gate", "am I ready to ship", "pre-launch audit", "can I deploy", "push to production", "go live checklist", "preflight check". Not for CI/CD setup or infra provisioning.
Audit Dependency Versions
100Audit project dependencies for version staleness, security vulnerabilities, and compatibility issues. Covers lock file analysis, upgrade path planning, and breaking change assessment. Use before a release to ensure dependencies are current and secure, during periodic maintenance reviews, after receiving a security advisory, when upgrading to a new language version, before submitting to CRAN or npm, or when inheriting a project to assess its dependency health.
Update Deps
98Audit and update npm/Bun dependencies with supply chain integrity checks — verifies maintainers, publish age, tarball diffs, and provenance before bumping. Defers risky packages to ~/.supply-chain/notes/.
TradeMemory Protocol
100Domain knowledge for the Evolution Engine — LLM-powered autonomous strategy discovery from raw OHLCV data. Covers the generate-backtest-select-evolve loop, vectorized backtesting, out-of-sample validation, and strategy graduation. Use when discovering trading patterns, running backtests, evolving strategies, or reviewing evolution logs. Triggers on "evolve", "discover patterns", "backtest", "evolution", "strategy generation", "candidate strategy".
Gdpr Dsgvo Expert
100GDPR and German DSGVO compliance automation. Scans codebases for privacy risks, generates DPIA documentation, tracks data subject rights requests. Use for GDPR compliance assessments, privacy audits, data protection planning, DPIA generation, and data subject rights management.
Refactor Plan
100Prioritized redesign action plan covering quick wins, medium effort, major rework