Supply Chain Risk audits open-source packages for known vulnerabilities, exploited CVEs, and dependency exposure across every major ecosystem — npm, PyPI, Maven, Go, Cargo, NuGet, RubyGems, and more. It turns a package name and version into a clear risk score in seconds.
Security teams and developers use it to triage dependency risk before shipping, catch vulnerabilities in pull requests, and investigate specific advisories. Each package audit returns a deterministic 0–100 risk score (the same package version and the same advisory data always yield the same score, so results can be compared across runs; re-audit when new advisories land), a severity breakdown, hits in the CISA Known Exploited Vulnerabilities (KEV) catalog, the EPSS probability that each advisory is exploited in the wild, provenance checks, OpenSSF Scorecard health, fixed versions, and vulnerable dependency paths — everything you need to make a go/no-go call.
What you can do
- package_risk — full security audit for one exact package version with risk score, advisories, and fix recommendations
- batch_risk — rank up to 10 packages by risk in one call — great for triaging a dependency list
- dependency_graph — fetch the full dependency tree for a package with per-node vulnerability counts and vulnerable paths
- advisory_details — look up a specific CVE, GHSA, or OSV advisory by ID for full details
Who it's for
Security engineers, developers, and DevSecOps teams who need to understand and communicate dependency risk. Also useful for anyone doing vendor due diligence or supply chain compliance work.
How to use it
- Use package_risk with a package URL (purl) such as pkg:npm/lodash@4.17.20 to get an instant risk score and advisory list; the version must be an exact release, not a range like ^4.17
- For a list of dependencies, use batch_risk (at most 10 packages per call, so split longer lists into batches) to get a ranked table sorted by descending risk
- Use dependency_graph to see which transitive dependencies are vulnerable and which direct upgrades would fix the most paths
- When you see a CVE or GHSA ID in results, use advisory_details to open the full record
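The steps above all start from the same two inputs: exact-version purls and advisory IDs. The following is an added example, not code from Supply Chain Risk or its skills. It builds purls from common lockfile-style lines (npm `name@version`, pinned `requirements.txt` lines, Maven `group:artifact:version` coordinates, `go.mod` requirements), drops anything that is not pinned to an exact version, splits the result into batch_risk calls of at most 10, and pulls CVE/GHSA IDs out of free text so they can be handed to advisory_details. It does not call the tool and assumes nothing about its response format; the sample dependency lines and audit text are constructed for the example.

```python
"""Prepare inputs for a package audit: purls, batches of 10, advisory IDs.

Added example, not code from the Supply Chain Risk tool. It only builds the
inputs the skills take (exact-version purls for package_risk, batches of at
most 10 for batch_risk, CVE/GHSA IDs for advisory_details) from lockfile-style
lines. It does not call the tool. The sample inputs below are constructed.
"""
import re
from urllib.parse import quote

# purl "type" per the package-url spec for some of the ecosystems the page lists.
PURL_TYPE = {"npm": "npm", "pypi": "pypi", "maven": "maven", "go": "golang"}
BATCH_LIMIT = 10  # batch_risk takes at most 10 packages per call

# Constructed sample input (not a real lockfile): (ecosystem, line) pairs.
SAMPLE_DEPENDENCIES = [
    ("npm", "lodash@4.17.20"),
    ("npm", "@babel/core@7.24.0"),  # scoped package: namespace "@babel"
    ("pypi", 'Requests[security]==2.31.0 ; python_version >= "3.8"'),
    ("pypi", "flask>=2.0"),  # a range, not an exact version: skipped
    ("maven", "org.apache.logging.log4j:log4j-core:2.14.1"),
    ("go", "github.com/gorilla/mux v1.8.0"),
]
# Constructed sample of audit output mentioning advisories in mixed case.
SAMPLE_AUDIT_TEXT = "log4j-core 2.14.1: cve-2021-44228 (GHSA-JFH8-C2JP-5V3Q); see CVE-2021-44228"


def purl(ecosystem, name, version, namespace=None):
    """Build pkg:type[/namespace]/name@version with purl percent-encoding.

    Namespace, name and version are percent-encoded separately; '/' inside a
    namespace is kept as the segment separator (Go module paths), while '@'
    in an npm scope becomes %40 as in the purl spec examples.
    """
    if ecosystem == "pypi":  # purl normalises PyPI names: lower-case, '_' -> '-'
        name = name.lower().replace("_", "-")
    segments = ["pkg:" + PURL_TYPE[ecosystem]]
    if namespace:
        segments.append(quote(namespace, safe="/"))
    segments.append(quote(name, safe=""))
    return "/".join(segments) + "@" + quote(version, safe="")


# "name[extras]==version ; markers" (only '==' pins count as exact)
_PYPI_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")
_MAVEN = re.compile(r"^([^:\s]+):([^:\s]+):([^:\s]+)$")  # group:artifact:version
_GO = re.compile(r"^(\S+)\s+(v\S+)$")  # "module/path vX.Y.Z" as in go.mod


def dependency_to_purl(ecosystem, line):
    """Return the purl for one lockfile-style line, or None when the line is
    a comment or is not pinned to an exact version (package_risk needs one)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if ecosystem == "npm":
        name, sep, version = line.rpartition("@")  # last '@' separates version
        if not sep or not name or not version:
            return None
        if name.startswith("@"):  # "@scope/name" -> namespace "@scope"
            scope, _, bare = name.partition("/")
            return purl("npm", bare, version, namespace=scope)
        return purl("npm", name, version)
    if ecosystem == "pypi":
        m = _PYPI_PIN.match(line)
        return purl("pypi", m.group(1), m.group(2)) if m else None
    if ecosystem == "maven":
        m = _MAVEN.match(line)
        return purl("maven", m.group(2), m.group(3), namespace=m.group(1)) if m else None
    if ecosystem == "go":
        m = _GO.match(line)
        if not m:
            return None
        namespace, _, name = m.group(1).rpartition("/")
        return purl("go", name, m.group(2), namespace=namespace or None)
    raise ValueError(f"unsupported ecosystem: {ecosystem}")


def batches(purls, limit=BATCH_LIMIT):
    """Split purls into batch_risk calls of at most `limit` each, dropping
    None entries and duplicates while keeping first-seen order."""
    unique = list(dict.fromkeys(p for p in purls if p))
    return [unique[i:i + limit] for i in range(0, len(unique), limit)]


_CVE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
_GHSA = re.compile(r"\bGHSA(?:-[23456789cfghjmpqrvwx]{4}){3}\b", re.IGNORECASE)


def advisory_ids(text):
    """Extract CVE and GHSA IDs from audit output for advisory_details, in
    canonical case (CVE upper-case, GHSA suffix lower-case), deduplicated."""
    found = [m.group(0).upper() for m in _CVE.finditer(text)]
    found += ["GHSA" + m.group(0)[4:].lower() for m in _GHSA.finditer(text)]
    return list(dict.fromkeys(found))


if __name__ == "__main__":
    purls = [dependency_to_purl(eco, line) for eco, line in SAMPLE_DEPENDENCIES]
    for (eco, line), p in zip(SAMPLE_DEPENDENCIES, purls):
        print(f"{eco:5} {line!r:55} -> {p}")
    for i, call in enumerate(batches(purls), 1):
        print(f"batch_risk call {i}: {call}")
    print("advisory_details IDs:", advisory_ids(SAMPLE_AUDIT_TEXT))
```

Unpinned lines are dropped rather than guessed at, because a risk score for `flask>=2.0` would have to pick a version the lockfile never resolved; feed the tool what actually ships. Purl normalisation matters for the same reason: `Requests` and `requests` are one PyPI package, and a scoped npm name must encode its `@` or the version separator becomes ambiguous.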
Getting started
No setup needed — all four skills work immediately with no credentials required.