Supply Chain Risk Auditor
技能 活跃Identifies dependencies at heightened risk of exploitation or takeover. Use when assessing supply chain attack surface, evaluating dependency health, or scoping security engagements.
To identify dependencies at heightened risk of exploitation or takeover, enabling users to assess supply chain attack surfaces and scope security engagements effectively.
功能
- Identifies dependencies at heightened risk
- Assesses supply chain attack surface
- Evaluates dependency health
- Generates risk reports with suggested alternatives
- Uses `gh` CLI for data collection
使用场景
- Assessing dependency risk before a security audit
- Evaluating supply chain attack surface of a project
- Identifying unmaintained or risky dependencies
- Pre-engagement scoping for supply chain concerns
非目标
- Active vulnerability scanning (use dedicated tools like npm audit, pip-audit)
- Runtime dependency analysis
- License compliance auditing
Trust
- warning:Issues Attention13 issues opened and 4 closed in the last 90 days indicates a closure rate below 50% with a significant number of open issues.
Practical Utility
- info:Usage examplesWhile the skill describes its purpose and workflow, explicit, ready-to-use end-to-end examples demonstrating invocation and output are missing.
安装
请先添加 Marketplace
/plugin marketplace add trailofbits/skills/plugin install supply-chain-risk-auditor@trailofbits质量评分
类似扩展
Ship Gate
100Pre-production audit that scans a codebase for security, database, deployment, code quality, AI/LLM, dependency, frontend, and observability issues. Intercepts deploy commands and blocks until critical items pass. Stack-agnostic. Use for "run ship gate", "am I ready to ship", "pre-launch audit", "can I deploy", "push to production", "go live checklist", "preflight check". Not for CI/CD setup or infra provisioning.
Audit Dependency Versions
100Audit project dependencies for version staleness, security vulnerabilities, and compatibility issues. Covers lock file analysis, upgrade path planning, and breaking change assessment. Use before a release to ensure dependencies are current and secure, during periodic maintenance reviews, after receiving a security advisory, when upgrading to a new language version, before submitting to CRAN or npm, or when inheriting a project to assess its dependency health.
Update Deps
98Audit and update npm/Bun dependencies with supply chain integrity checks — verifies maintainers, publish age, tarball diffs, and provenance before bumping. Defers risky packages to ~/.supply-chain/notes/.
TradeMemory Protocol
100Evolution Engine 的领域知识 — 支持 LLM 从原始 OHLCV 数据中自主发现策略。涵盖生成-回测-选择-进化循环、向量化回测、样本外验证和策略梯度。在发现交易模式、运行回测、进化策略或审查进化日志时使用。由“evolve”、“discover patterns”、“backtest”、“evolution”、“strategy generation”、“candidate strategy”触发。
Gdpr Dsgvo Expert
100GDPR and German DSGVO compliance automation. Scans codebases for privacy risks, generates DPIA documentation, tracks data subject rights requests. Use for GDPR compliance assessments, privacy audits, data protection planning, DPIA generation, and data subject rights management.
Refactor Plan
100Prioritized redesign action plan covering quick wins, medium effort, major rework