Sweep a codebase for unhealthy third-party dependencies — outdated majors on load-bearing deps, versions with known advisories, abandoned upstreams, and license drift — and surface each as a finding. Static-first, reads manifests and lockfiles, no installs or tool runs required. Use when the user wants to audit dependencies, find outdated or vulnerable deps, check for abandoned upstreams, or asks "what are we depending on that's risky?".
Triggered by the user, by Claude, or both.

Slash command: /skills:audit-deps [path or manifest to focus on, or leave blank for the whole codebase]
Find where the project **depends on third-party code that has gone stale, vulnerable, abandoned, or license-incompatible**, and surface each as a finding. Run the shared audit method in [../AUDIT-METHOD.md](../AUDIT-METHOD.md) with the lens, sub-dimensions, and dimension below.
The aim is risk-weighted dependency findings, not a raw list of every out-of-date package — target the dependencies whose staleness or exposure actually reaches the project.
Read the project's manifests and lockfiles (package.json / lockfile, requirements.txt / poetry.lock / Pipfile.lock, go.mod / go.sum, Cargo.toml / Cargo.lock, Gemfile.lock, and the like) and rank declared dependencies by how much their failure costs:
For each high-risk dependency, confirm the concern actually applies here, not just upstream in the abstract. An advisory in a code path the project never calls, a major version behind that the project pins deliberately (recorded in a comment or ADR), or a dual-licensed dep used under its permissive terms is not a finding. Trace the declared version against the lockfile's resolved version, and check the project's recorded decisions before flagging a deliberate pin.
Drop low-confidence noise — a dev-only dependency a major behind, or a deliberate pin the project documents, is not a finding.
The manifest/lockfile analysis is fully static and always runs. The advisory- and upstream-health sub-dimensions consult the network when it's available — never as a requirement (per ../AUDIT-METHOD.md → Static-first). With no network, emit the static findings, note in the run that advisory and abandonment checks were skipped, and mark any finding that would have relied on a lookup with confidence low so the cull weighs it accordingly. Package-manager audit tooling may be consulted when already present, but is never required.
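As an added example (not part of the skill or the krixon/skills repo), a small static pass over a constructed package.json and package-lock.json that applies the rules above: trace each declared range against the lockfile's resolved version, flag runtime dependencies a major behind, and drop dev-only drift and documented pins. The latest-major table and the recorded-pin note are assumptions standing in for a registry lookup and the project's ADRs; with no upstream data the pass still emits the purely static findings.

```python
import json
import re

# Constructed sample manifest and lockfile for this example (not a real project).
PACKAGE_JSON = json.dumps({
    "dependencies": {"pg": "^7.18.0", "express": "^4.18.2", "lodash": "^4.17.0"},
    "devDependencies": {"eslint": "^7.32.0"},
})
PACKAGE_LOCK = json.dumps({"packages": {
    "node_modules/pg": {"version": "7.18.2"},
    "node_modules/express": {"version": "4.18.2"},
    "node_modules/lodash": {"version": "3.10.1"},
    "node_modules/eslint": {"version": "7.32.0"},
}})
# Assumed inputs: LATEST_MAJOR stands in for a registry lookup (network, when
# available); RECORDED_PINS stands in for the project's documented decisions.
LATEST_MAJOR = {"pg": 8, "express": 5, "lodash": 4, "eslint": 9}
RECORDED_PINS = {"pg": "ADR-007 (constructed): pg 8 drops Node 12; upgrade deferred"}

def major_of(spec):
    """Major version of '7.18.2' or of a simple range like '^7.18.0' / '>=7.0.0'."""
    m = re.search(r"\d+", spec)
    return int(m.group()) if m else None

def audit_manifest(manifest_text, lock_text, latest_major, recorded_pins):
    """Static pass: declared range vs lockfile-resolved version vs latest major."""
    manifest = json.loads(manifest_text)
    packages = json.loads(lock_text)["packages"]
    findings = []
    for section, is_dev in (("dependencies", False), ("devDependencies", True)):
        for name, declared in manifest.get(section, {}).items():
            entry = packages.get("node_modules/" + name)
            if entry is None:  # declared but never resolved: the lockfile is stale
                findings.append({"dep": name, "kind": "missing from lockfile", "confidence": "high"})
                continue
            resolved = entry["version"]
            if major_of(declared) != major_of(resolved):
                # The lockfile resolves a different major than the manifest asks for.
                findings.append({"dep": name, "kind": "lockfile drift", "confidence": "high",
                                 "evidence": f"declared {declared}, resolved {resolved}"})
                continue
            latest = latest_major.get(name)
            if latest is None or major_of(resolved) >= latest:
                continue  # no upstream data (offline) or already current
            if is_dev or name in recorded_pins:
                continue  # dev-only drift and documented deliberate pins are noise
            findings.append({"dep": name, "kind": "outdated major", "confidence": "medium",
                             "evidence": f"resolved {resolved}, latest major {latest}"})
    return findings
```

Passing an empty `latest_major` simulates the no-network case: only the lockfile-drift finding survives, and the outdated-major check is silently skipped rather than guessed.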
Dimension: deps (the sub-dimension goes in the title/evidence, e.g. "outdated major on the DB driver in …", "known advisory in the resolved version of …" — never as a new top-level dimension).

Findings are filed as enhancement (bringing a dependency current or off an abandoned upstream); a dependency carrying a live, reachable advisory is a bug.

Handover: per ../AUDIT-METHOD.md → Handover, via capture — dedups against open issues, culls, files survivors as needs-triage.