
Supply Chain Risk

Package, dependency & exploit risk

Audit open-source package versions for advisories, exploited CVEs, and dependency exposure across major ecosystems. Score one package, batch-audit a package list, inspect supported dependency graphs, or fetch full advisory records.

4 skills, v0.02
Package Risk

Assess the security risk of one exact package version. Returns advisories, severity counts, KEV hits, exploitability signals, provenance, repository health, fixed versions, and a deterministic risk score.

Returns: Risk score, severity breakdown, KEV hits, package metadata, and paginated advisory details for one package version
Parameters
  • package_url (string): Package URL including version (preferred). Example: pkg:npm/lodash@4.17.20 or pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1
  • ecosystem (string): Package ecosystem when not using package_url. Common values: npm, PyPI, Go, crates.io, Maven, NuGet, RubyGems, Packagist, Debian, Ubuntu, Alpine.
  • name (string): Package name when not using package_url. Maven uses group:artifact (for example org.apache.logging.log4j:log4j-core).
  • version (string): Exact package version when not using package_url.
  • include_latest (boolean): Look up the latest known version from deps.dev when the ecosystem supports it.
  • page (number): Page number for advisory pagination (default 1).
  • per_page (number): Number of advisories to return per page (default 10, max 25).
Example
Audit a vulnerable lodash release by package URL
curl -H "Authorization: Bearer $TOOLROUTER_API_KEY" \
  -d '{
  "tool": "supply-chain-risk",
  "skill": "package_risk",
  "input": {
    "package_url": "pkg:npm/lodash@4.17.20"
  }
}' \
  https://api.toolrouter.com/v1/tools/call
Batch Risk Audit

Audit up to 10 exact package versions in one request. Returns a sortable table with risk scores, advisory counts, KEV hits, exploitability signals, provenance, and repository health.

Returns: A ranked table of package versions with risk scores, advisory counts, KEV hits, and severity breakdowns
Parameters
  • packages (array, required): List of package descriptors. Each item supports package_url or ecosystem, name, and version. Max 10 items.
  • per_package_limit (number): How many advisory records to load internally per package for scoring (default 5, max 25).
Example
Audit a mixed npm and PyPI package list
curl -H "Authorization: Bearer $TOOLROUTER_API_KEY" \
  -d '{
  "tool": "supply-chain-risk",
  "skill": "batch_risk",
  "input": {
    "packages": [
      {
        "package_url": "pkg:npm/lodash@4.17.20"
      },
      {
        "package_url": "pkg:pypi/django@5.0.3"
      }
    ]
  }
}' \
  https://api.toolrouter.com/v1/tools/call
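The batch_risk skill takes at most 10 descriptors per call, and package_url is the preferred descriptor form. The script below is an added example (not ToolRouter's own client) that converts an inventory of (ecosystem, name, version) triples into package URLs, including the Maven group:artifact form documented for package_risk, splits them into batches of ten, and posts each batch to the endpoint shown above; the application/json content type and the sample-pkg-N names are assumptions.

```python
# Added example, not ToolRouter's own client: map (ecosystem, name, version) to purls, batch them.
import json
import os
import urllib.request

PURL_TYPES = {"npm": "npm", "pypi": "pypi", "go": "golang", "crates.io": "cargo",
              "maven": "maven", "nuget": "nuget", "rubygems": "gem"}  # page spelling -> purl type
BATCH_LIMIT = 10  # batch_risk accepts at most 10 package descriptors
ENDPOINT = "https://api.toolrouter.com/v1/tools/call"

def to_purl(ecosystem, name, version):
    """Build pkg:<type>/<path>@<version>. Maven names arrive as group:artifact
    (the form package_risk documents); a scoped npm name keeps its '@' as %40,
    which is how the purl spec encodes the namespace."""
    ptype = PURL_TYPES[ecosystem.lower()]
    if ptype == "maven":
        group, sep, artifact = name.partition(":")
        if not sep or not artifact:
            raise ValueError("Maven name must be group:artifact")
        path = f"{group}/{artifact}"
    elif ptype == "npm" and name.startswith("@"):
        path = "%40" + name[1:]
    else:
        path = name
    return f"pkg:{ptype}/{path}@{version}"

def batch_requests(packages):
    """Yield batch_risk request bodies, each holding at most BATCH_LIMIT
    package descriptors; `packages` is a list of (ecosystem, name, version)."""
    descriptors = [{"package_url": to_purl(*pkg)} for pkg in packages]
    for i in range(0, len(descriptors), BATCH_LIMIT):
        yield {"tool": "supply-chain-risk", "skill": "batch_risk",
               "input": {"packages": descriptors[i:i + BATCH_LIMIT]}}

def send(body, api_key):
    """POST one body to the endpoint from this page (JSON content type is an assumption)."""
    req = urllib.request.Request(ENDPOINT, data=json.dumps(body).encode(),
                                 headers={"Authorization": f"Bearer {api_key}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Constructed inventory: 12 entries, so two batch_risk requests are needed.
    inventory = [("npm", "lodash", "4.17.20"), ("PyPI", "django", "5.0.3"),
                 ("Maven", "org.apache.logging.log4j:log4j-core", "2.14.1")]
    inventory += [("npm", f"sample-pkg-{n}", "1.0.0") for n in range(9)]  # placeholder names
    key = os.environ.get("TOOLROUTER_API_KEY")
    for body in batch_requests(inventory):
        print(json.dumps(send(body, key) if key else body, indent=2))
```

Without TOOLROUTER_API_KEY set, the script only prints the request bodies it would send, which is a convenient way to check the generated package URLs before spending API calls.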
Dependency Graph

Fetch the dependency graph for one package version on ecosystems supported by deps.dev. Returns direct and transitive dependencies with per-node vulnerability counts from OSV, plus vulnerable paths and remediation candidates.

Returns: Dependency graph nodes with direct or indirect relation types, vulnerable paths, and remediation candidates
Parameters
  • package_url (string): Package URL including version. Best for npm, PyPI, Go, Cargo, Maven, NuGet, and RubyGems packages.
  • ecosystem (string): deps.dev-supported ecosystem when not using package_url: npm, pypi, go, cargo, maven, nuget, or rubygems.
  • name (string): Package name when not using package_url.
  • version (string): Exact package version when not using package_url.
  • depth (number): Dependency graph depth for deps.dev (default 3, max 6).
  • max_nodes (number): Maximum dependency nodes to return in the response table (default 100, max 150).
Example
Inspect the React dependency graph
curl -H "Authorization: Bearer $TOOLROUTER_API_KEY" \
  -d '{
  "tool": "supply-chain-risk",
  "skill": "dependency_graph",
  "input": {
    "package_url": "pkg:npm/react@18.2.0"
  }
}' \
  https://api.toolrouter.com/v1/tools/call
Advisory Details

Open a single advisory by ID. Works well for GHSA, CVE, and ecosystem-specific IDs and returns aliases, affected packages, fixed versions, KEV status, exploitability, and GitHub-reviewed metadata when available.

Returns: One advisory record with aliases, affected packages, fixed versions, KEV enrichment, exploitability, and source metadata when available
Parameters
  • advisory_id (string, required): Exact advisory identifier, for example GHSA-29mw-wpgm-hmr9, CVE-2020-28500, or PYSEC-2024-57.
Example
Open a GitHub security advisory
curl -H "Authorization: Bearer $TOOLROUTER_API_KEY" \
  -d '{
  "tool": "supply-chain-risk",
  "skill": "advisory_details",
  "input": {
    "advisory_id": "GHSA-29mw-wpgm-hmr9"
  }
}' \
  https://api.toolrouter.com/v1/tools/call
v0.02 (2026-03-27)
  • Initial release with package_risk, batch_risk, dependency_graph, and advisory_details
v0.01 (2026-03-27)
  • Added exploitability enrichment via FIRST EPSS and GitHub global advisories
  • Added deps.dev provenance and related-project metadata plus OpenSSF Scorecard repository health
  • Added dependency remediation candidates and vulnerable path summaries

Quick Start

MCP (Claude Code)
claude mcp add --transport stdio \
  --env TOOLROUTER_API_KEY=YOUR_API_KEY \
  toolrouter -- npx -y toolrouter-mcp
REST API
curl -H "Authorization: Bearer $TOOLROUTER_API_KEY" \
  -d '{"tool":"supply-chain-risk","skill":"package_risk","input":{}}' \
  https://api.toolrouter.com/v1/tools/call