SaaS & DevOps

Dependency Scanner Claude Skill Template

Scans project dependencies for known CVEs, outdated packages, and license risks. Prioritizes findings by exploitability and generates upgrade plans.

Who this is for

DevSecOps engineers, SaaS platform teams, open-source maintainers

What you can do with it

  • Run CVE scan on npm or pip packages
  • Identify transitive dependency risks
  • Flag GPL/AGPL licenses in commercial codebases
  • Generate a prioritized upgrade plan

SKILL.md Template

Copy this file into .claude/skills/dependency-scanner.md in your project. Claude Code picks it up automatically.

---
name: dependency-scanner
description: Scans project dependencies for CVEs, outdated packages, and license risks. Outputs a prioritized remediation plan.
context: fork
allowed-tools:
  - Bash
  - Read
---

## Instructions

You are a supply chain security engineer auditing project dependencies.

### Trigger
Activate when the user says "scan dependencies", "check packages", "CVE scan", or shares a package.json or requirements.txt.

### Scan Process

**Step 1 — Inventory**
Run the appropriate tool:
- Node.js: `npm audit --json`
- Python: `pip-audit --json`
Parse output and count: critical, high, medium, low.

**Step 2 — License Check**
Identify packages with:
- GPL/AGPL licenses (copyleft risk in commercial code)
- Unknown or custom licenses
- Packages with no license

**Step 3 — Staleness**
Flag packages more than 2 major versions behind latest stable.

**Step 4 — Prioritize**
Rank by: exploitability × severity × usage depth (direct vs. transitive).

**Step 5 — Remediation Plan**
For each critical/high CVE:
```
PACKAGE: lodash@4.17.15
CVE: CVE-2021-23337
SEVERITY: High (CVSS 7.2)
FIX: Upgrade to lodash@4.17.21
BREAKING: No — minor bump
COMMAND: npm install lodash@4.17.21
```

End with: total packages scanned, issues found by severity, and estimated fix time.
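To show what Steps 1, 4 and 5 look like once the skill's Bash output reaches a parser, here is an added example (not part of the template above and not SkillsWorkbench or npm code). It consumes the `npm audit --json` report format (auditReportVersion 2, npm 7 and later), counts findings in the template's four buckets, ranks each advisory by severity × usage depth × exploitability, and renders a remediation card in the template's layout. The sample report, advisory URLs, fix versions and the numeric weights for depth and exploitability are all constructed for illustration. Two details matter in practice: npm reports `moderate`, not `medium`, and for a transitive vulnerability `fixAvailable` names the top-level package that has to be bumped, which is the one the install command must target.

```python
"""Added example: parse `npm audit --json` (auditReportVersion 2), count by
severity, rank advisories, and print remediation cards in the template's format."""
import json
from dataclasses import dataclass
from typing import List, Optional

# npm uses "moderate"; the skill's buckets say "medium". Both map to one bucket.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "moderate": 2, "medium": 2, "low": 1, "info": 0}
BUCKET = {"critical": "critical", "high": "high", "moderate": "medium",
          "medium": "medium", "low": "low", "info": "low"}
# Assumed weighting: a direct dependency is reachable from the project's own
# imports; a transitive one is discounted.
DEPTH_FACTOR = {True: 1.0, False: 0.6}

# Constructed sample shaped like `npm audit --json` output. Advisory URLs,
# scores and fix versions are placeholders, not real scanner results.
SAMPLE_NPM_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "lodash": {"name": "lodash", "severity": "high", "isDirect": True, "range": "<4.17.21",
                   "via": [{"title": "Command injection (constructed)", "url": "https://example.invalid/advisory-1",
                            "severity": "high", "cvss": {"score": 7.2}, "range": "<4.17.21"}],
                   "fixAvailable": {"name": "lodash", "version": "4.17.21", "isSemVerMajor": False}},
        "minimist": {"name": "minimist", "severity": "critical", "isDirect": False, "range": "<1.2.6",
                     "via": [{"title": "Prototype pollution (constructed)", "url": "https://example.invalid/advisory-2",
                              "severity": "critical", "cvss": {"score": 9.8}, "range": "<1.2.6"}],
                     # For a transitive vuln, fixAvailable names the top-level package to bump.
                     "fixAvailable": {"name": "mkdirp", "version": "1.0.4", "isSemVerMajor": True}},
        "ansi-regex": {"name": "ansi-regex", "severity": "moderate", "isDirect": False, "range": "<5.0.1",
                       "via": [{"title": "ReDoS (constructed)", "url": "https://example.invalid/advisory-3",
                                "severity": "moderate", "cvss": {"score": 5.3}, "range": "<5.0.1"}],
                       "fixAvailable": False},
        # Affected only through ansi-regex: `via` holds package names, no advisory.
        "strip-ansi": {"name": "strip-ansi", "severity": "moderate", "isDirect": True, "range": "6.0.0",
                       "via": ["ansi-regex"], "fixAvailable": False},
    },
})


@dataclass
class Finding:
    package: str
    severity: str
    is_direct: bool
    cvss: Optional[float]
    advisory_url: str
    fix_package: Optional[str]  # package to bump; differs from `package` for transitive vulns
    fix_version: Optional[str]
    breaking: bool
    score: float


def load_report(text: str) -> dict:
    report = json.loads(text)
    if report.get("auditReportVersion") != 2:
        raise ValueError("expected npm audit report version 2 (npm 7 or newer)")
    return report


def count_by_severity(report: dict) -> dict:
    """Step 1: count every vulnerable package in the skill's four buckets."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for entry in report["vulnerabilities"].values():
        counts[BUCKET.get(entry.get("severity", "low"), "low")] += 1
    return counts


def prioritize(report: dict) -> List[Finding]:
    """Step 4: rank advisories by severity x depth x exploitability (CVSS/10)."""
    findings = []
    for name, entry in report["vulnerabilities"].items():
        # Packages affected only through a dependency carry strings in `via` and
        # have no advisory of their own; they are fixed by fixing that dependency.
        advisories = [v for v in entry.get("via", []) if isinstance(v, dict)]
        if not advisories:
            continue
        worst = max(advisories, key=lambda a: SEVERITY_WEIGHT.get(a.get("severity", "low"), 0))
        cvss = (worst.get("cvss") or {}).get("score")
        exploitability = cvss / 10 if cvss else 0.5  # unknown score -> neutral weight
        fix = entry.get("fixAvailable")
        fix_dict = fix if isinstance(fix, dict) else {}
        score = (SEVERITY_WEIGHT.get(entry.get("severity", "low"), 0)
                 * DEPTH_FACTOR[bool(entry.get("isDirect"))] * exploitability)
        findings.append(Finding(
            package=name, severity=entry.get("severity", "low"), is_direct=bool(entry.get("isDirect")),
            cvss=cvss, advisory_url=worst.get("url", "n/a"),
            fix_package=fix_dict.get("name"), fix_version=fix_dict.get("version"),
            breaking=bool(fix_dict.get("isSemVerMajor")), score=round(score, 3)))
    return sorted(findings, key=lambda f: f.score, reverse=True)


def remediation_card(f: Finding) -> str:
    """Step 5: one card per finding. npm audit reports an advisory URL rather
    than a CVE id, so the template's CVE line is filled from that advisory."""
    cvss = f"CVSS {f.cvss}" if f.cvss is not None else "CVSS n/a"
    if f.fix_version:
        fix = f"Upgrade {f.fix_package} to {f.fix_package}@{f.fix_version}"
        command = f"npm install {f.fix_package}@{f.fix_version}"
        breaking = "Yes - major bump, check the changelog" if f.breaking else "No - minor/patch bump"
    else:
        fix, command, breaking = "No fixed version published", "n/a (replace or isolate the package)", "n/a"
    depth = "direct" if f.is_direct else "transitive"
    return "\n".join([
        f"PACKAGE: {f.package} ({depth})", f"ADVISORY: {f.advisory_url}",
        f"SEVERITY: {f.severity.capitalize()} ({cvss})", f"FIX: {fix}",
        f"BREAKING: {breaking}", f"COMMAND: {command}"])


if __name__ == "__main__":
    report = load_report(SAMPLE_NPM_AUDIT)
    print("Counts:", count_by_severity(report))
    for finding in prioritize(report):
        print(remediation_card(finding), "\n")
```

Pipe a real report in with `npm audit --json > audit.json` and call `load_report(open("audit.json").read())`; the same functions apply unchanged. The weights are the tunable part: a team that treats every direct dependency as reachable and every transitive one as needing proof of reachability will pick a lower depth factor, and a team with a reachability analyser can replace the CVSS proxy with its own signal.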

How to deploy this skill

  1. Copy the SKILL.md above
     Use it as-is or customize the instructions for your stack.

  2. Place it in your project
     Save as .claude/skills/dependency-scanner.md — Claude Code loads it automatically.

  3. Or generate a custom version
     Open SkillsWorkbench, describe your use case, and get a skill tailored to your exact stack and compliance requirements.

  4. Run eval sets before shipping
     Use the workbench to stress-test your skill against adversarial inputs before deploying to production.

Build a skill tailored to your use case

This template is a starting point. SkillsWorkbench generates a custom version with your stack, compliance requirements, and eval test cases built in.