From ring-dev-team
Audits dependencies for supply-chain risk before install (pip/npm/go/cargo): checks typosquatting, maintainer/age, vulnerability DBs, lockfile pinning, outputs risk score and decision.
How this skill is triggered — by the user, by Claude, or both
Slash command
/ring-dev-team:auditing-dependency-securityThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
- Adding a new dependency to any project
Complementary: ring:hardening-dockerfiles, ring:implementing-tasks
Supply-chain gate for every install command in a Lerian codebase.
For every package, verify:
├── Typosquatting: compare against known popular packages
│ e.g., "requets" vs "requests", "rnodule" vs "module"
├── Homoglyph attacks: look-alike Unicode characters
├── Maintainer risk:
│ - Single maintainer = higher risk
│ - Account age < 6 months = flag
│ - Recent ownership transfer = CRITICAL flag
└── Package age: < 30 days = flag
| Source | Ecosystem | What It Covers |
|---|---|---|
| OSV.dev | All | Google aggregated CVEs |
| GitHub Advisory Database | All | GHSA linked to CVEs |
| Socket.dev | npm, pip | Supply-chain: install scripts, network access |
| PyPI JSON API | pip | Metadata, maintainers, release history |
| npm registry API | npm | Metadata, maintainers, install scripts |
| Go vulnerability DB (vuln.go.dev) | Go | Official Go CVE database |
| Signal | Risk Level | Description |
|---|---|---|
| Install scripts | HIGH | postinstall (npm), setup.py subprocess |
| Network access at import | CRITICAL | Package phones home on import |
| File system access outside project | HIGH | Reads ~/.ssh, ~/.aws, env vars |
| Obfuscated code | CRITICAL | Base64 payloads, eval(), exec() |
| Native binary bundled | HIGH | Pre-compiled binaries without source |
| Ecosystem | Lockfile | Hash Requirement |
|---|---|---|
| Go | go.sum | SHA-256 native — Go handles automatically |
| npm | package-lock.json | integrity field (SHA-512) must be present for ALL deps |
| pip | requirements.txt | --require-hashes MUST be enforced |
| Cargo | Cargo.lock | checksum field verification |
risk_score = weighted_sum(
typosquatting_similarity * 25,
maintainer_risk * 20,
package_age_risk * 15,
vulnerability_count * 20, # weighted by severity
behavioral_flags * 15,
lockfile_integrity * 5
)
Score thresholds:
| Risk Level | Action |
|---|---|
| LOW (0-25) | ✅ Approve — document in PR |
| MEDIUM (26-50) | ⚠️ Conditional — mitigations required |
| HIGH (51-75) | 🚨 Escalate to Fred before installing |
| CRITICAL (76-100) | ❌ Block — do not install |
## Dependency Security Report
Package: {name} @ {version}
Ecosystem: {go|npm|pip}
Risk Score: {score}/100 — {LOW|MEDIUM|HIGH|CRITICAL}
### Verification Results
| Check | Status | Details |
|-------|--------|---------|
| Typosquatting check | PASS/FLAG | {comparison} |
| Maintainer verification | PASS/FLAG | {maintainer count, age} |
| Vulnerability scan | PASS/FLAG | {CVE count, severity} |
| Behavioral analysis | PASS/FLAG | {signals found} |
| Lockfile integrity | PASS/FAIL | {hash present/missing} |
### Decision
{APPROVED|CONDITIONAL|ESCALATE|BLOCKED}
### Required Actions (if not APPROVED)
1. {specific mitigations or alternatives}
npx claudepluginhub p/lerianstudio-ring-dev-team-dev-teamEvaluates packages, manages dependencies, and addresses supply chain security for npm/pip/cargo/bundler/Go. Use for auditing packages, reviewing lockfiles, checking vulnerabilities, comparing alternatives, assessing trustworthiness.
Audits project dependencies for supply chain risks including single maintainers, unmaintained packages, low popularity, and high-risk features.
Detects supply-chain risks in dependency manifests, lockfiles, install commands, and CI pipelines — missing lockfiles, absent vulnerability scanners, unverified installs, install hooks that pipe remote content to a shell, and AI-hallucinated package names.