Supply Chain Audit

Audit the dependency supply chain for security risks beyond what `npm audit` or `pip audit` catches. Analyzes dependency health, maintainer trust signals, typosquatting risk, and transitive dependency exposure.

5 stars

Best use case

Supply Chain Audit is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Audit the dependency supply chain for security risks beyond what `npm audit` or `pip audit` catches. Analyzes dependency health, maintainer trust signals, typosquatting risk, and transitive dependency exposure.

Teams using Supply Chain Audit should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/supply-chain-audit/SKILL.md --create-dirs "https://raw.githubusercontent.com/BasharAmso/Bashi/main/create-bashi-app/template/custom-skills/supply-chain-audit/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/supply-chain-audit/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How Supply Chain Audit Compares

Feature / AgentSupply Chain AuditStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Audit the dependency supply chain for security risks beyond what `npm audit` or `pip audit` catches. Analyzes dependency health, maintainer trust signals, typosquatting risk, and transitive dependency exposure.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Skill: Supply Chain Audit

## Metadata

| Field | Value |
|-------|-------|
| **Skill ID** | SKL-0031 |
| **Version** | 1.0 |
| **Owner** | reviewer |
| **Inputs** | Dependency manifests, lock files, STATE.md |
| **Outputs** | Supply chain risk report, STATE.md updated |
| **Triggers** | `SUPPLY_CHAIN_AUDIT_REQUESTED` |

---

## Purpose

Go beyond `npm audit` and `pip audit` to assess the *health and trustworthiness* of your dependency supply chain. Known vulnerabilities are only part of the picture — abandoned packages, single-maintainer risks, typosquatting, and deep transitive dependencies are where real supply chain attacks happen.

Inspired by [Trail of Bits' supply-chain-risk-auditor skill](https://github.com/trailofbits/skills).

> **See also:** For code-level vulnerabilities and OWASP checks, see SKL-0015 (Security Audit).

---

## Procedure

### Step 1 — Inventory Dependencies

Read all dependency manifests and lock files. Build a dependency inventory:

| Field | Source |
|-------|--------|
| Direct dependencies | package.json, requirements.txt, etc. |
| Dev dependencies | Separate from production deps |
| Transitive dependencies | Lock files |
| Total dependency count | Lock file line count |
| Dependency depth | Max nesting level in lock file |

Flag if total dependency count exceeds thresholds:
- **Web app:** >200 total deps = HIGH concern
- **API/backend:** >100 total deps = HIGH concern
- **Library:** >50 total deps = MEDIUM concern

### Step 2 — Assess Dependency Health

For each **direct** dependency, evaluate:

| Signal | Healthy | Concerning | Risky |
|--------|---------|-----------|-------|
| Last publish | <6 months | 6-18 months | >18 months |
| Weekly downloads | >10,000 | 1,000-10,000 | <1,000 |
| Maintainers | 3+ | 2 | 1 (bus factor) |
| Open issues ratio | <20% | 20-50% | >50% |
| License | MIT, Apache, BSD | LGPL, MPL | GPL, AGPL, None, Unknown |
| Repository | Active, public | Archived | Missing, private |

> Note: This assessment uses publicly available metadata. For packages where metadata is unavailable, flag as "Unable to assess" rather than scoring.

### Step 3 — Check for Red Flags

| Red Flag | Severity | What to look for |
|----------|----------|-----------------|
| Typosquatting risk | HIGH | Package names similar to popular packages (e.g., `lodahs` vs `lodash`) |
| Install scripts | HIGH | `preinstall`, `postinstall` scripts in package.json that execute arbitrary code |
| Excessive permissions | MEDIUM | Packages requesting filesystem, network, or OS access beyond their stated purpose |
| Unpinned versions | MEDIUM | `"*"` or `"latest"` in dependency versions |
| No lock file | HIGH | Missing lock file means builds are non-reproducible |
| Deprecated packages | MEDIUM | Dependencies marked as deprecated by their maintainers |
| Name squatting | LOW | Packages with very few downloads that claim generic names |

### Step 4 — Evaluate Transitive Risk

Identify the highest-risk transitive dependencies — packages you didn't choose but are exposed to:

- Which transitive deps have the most dependents in your tree? (single points of failure)
- Are any transitive deps abandoned (>2 years, no maintainer)?
- Do any transitive deps have known vulnerabilities?

### Step 5 — Generate Report

Structure:
1. **Dependency Summary** — Total count, direct vs transitive, depth
2. **Health Assessment** — Table of direct deps with health signals
3. **Red Flags** — Specific findings with severity
4. **Transitive Risks** — Highest-risk transitive dependencies
5. **Recommendations** — Prioritized action items (replace, pin, remove, audit)

### Step 6 — Update STATE.md

Record audit completion and top-level findings.

---

## Constraints

- Assessment is based on publicly available metadata and heuristics
- Does not execute or install packages — read-only analysis
- Does not replace `npm audit` / `pip audit` — complements them with health/trust signals
- Health signals are indicators, not verdicts — a low-download package may be perfectly fine for a niche use case
- Never recommends removing a dependency without suggesting an alternative or explaining the trade-off

---

## Primary Agent

reviewer

---

## Definition of Done

- [ ] All dependency manifests identified and read
- [ ] Direct dependency count and transitive depth calculated
- [ ] Health assessment completed for all direct dependencies
- [ ] Red flag checks completed
- [ ] Transitive risk evaluation completed
- [ ] Report generated with prioritized recommendations
- [ ] STATE.md updated

## Output Contract

| Field | Value |
|-------|-------|
| **Artifacts** | Supply chain risk report (dependency health, red flags, transitive risks, recommendations) |
| **State Update** | `.claude/project/STATE.md` — mark task complete, log audit findings |
| **Handoff Event** | `TASK_COMPLETED` (supply chain audit complete) |

Related Skills

SEO Audit

5
from BasharAmso/Bashi

Audit web pages for search engine optimization: meta tags, heading hierarchy, structured data, image optimization, mobile-friendliness, and content quality. Complements SKL-0013 (Growth & Distribution) by validating what was built.

Token Audit

5
from BasharAmso/Bashi

Audit the current project for token waste patterns. Produces a Token Health Report with scored findings and actionable fixes. Use this skill when token usage feels high, sessions are hitting limits, or before optimizing costs.

Security Audit

5
from BasharAmso/Bashi

Audit code and dependencies for security vulnerabilities. Use this skill when a security review is requested, including OWASP checks, secrets scanning, and dependency audits.

Friction Audit

5
from BasharAmso/Bashi

Audit user-facing flows for unnecessary friction. Produces a friction report with scored findings and actionable fixes. Use this skill before launch readiness checks, after major UX changes, or when user drop-off is suspected.

Pitch Deck

5
from BasharAmso/Bashi

Create a structured pitch deck outline for investors, stakeholders, or partners. Covers problem, solution, market, traction, team, and ask. Natural output after PRD + Problem Stress Test validation.

Launch Checklist

5
from BasharAmso/Bashi

Pre-launch validation covering everything deployment (SKL-0021) doesn't: analytics, error tracking, social meta, legal pages, email setup, DNS, SSL, and go-live readiness. Produces a launch readiness report with pass/fail checklist. Use this skill before going live on any project.

Insecure Defaults Detection

5
from BasharAmso/Bashi

Detect insecure default configurations, hardcoded credentials, fail-open security patterns, and dangerous default values in application code and configuration files. Complements SKL-0015 (Security Audit) by focusing on configuration-level vulnerabilities that dependency scanners miss.

Differential Security Review

5
from BasharAmso/Bashi

Security-focused review of code changes using git diff analysis. Identifies security implications of recent modifications — new attack surfaces, removed protections, changed auth logic, and risky refactors. Complements SKL-0016 (Code Review) with a security lens on diffs.

Copywriting

5
from BasharAmso/Bashi

Write conversion-focused copy using proven frameworks (AIDA, PAS, BAB). Produces headlines, CTAs, landing page copy, email sequences, and micro-copy. Ensures copy matches brand voice and target audience.

Competitor Analysis

5
from BasharAmso/Bashi

Structured competitor research: features, pricing, positioning, gaps, and differentiation strategy. Feeds into PRD Writing (SKL-0004) and Problem Stress Test (SKL-0027) with better market context.

UX Design

5
from BasharAmso/Bashi

Design user experiences including wireframes, flows, and interaction patterns. Use this skill when UX design work is requested, including onboarding flows and interface layouts.

User Acceptance Testing

5
from BasharAmso/Bashi

Structured QA testing with four modes: diff-aware (auto-scoped to branch changes), full (systematic exploration), quick (30-second smoke test), and regression (compare against baseline). Produces health score, structured reports, and actionable bug lists. Use this skill when UAT is requested or a feature is ready for acceptance testing.