Audit npm Packages for Security and Supply Chain Risk
Check any npm package for vulnerabilities, malware indicators, typosquatting, and supply chain risk before installing.
Map the full dependency tree for any npm package and identify risky transitive dependencies buried in the graph.
Quick answer: Use the Supply Chain Risk tool through ToolRouter to analyse dependency graphs for hidden risk directly from Claude, ChatGPT, Microsoft Copilot, and OpenClaw — connect once, then drive it with plain-language prompts. No code required.
ToolSupply Chain RiskWhen you install a package with 5 direct dependencies, you're actually installing the entire subtree — which might be 200 packages deep. One compromised package anywhere in that tree can exfiltrate credentials, inject malware, or cause a supply chain attack. Almost nobody audits transitive dependencies because the graph is too large to inspect manually.
The dependency_graph skill maps the full dependency tree for a given package, returning a structured representation of every direct and transitive dependency. Combined with package_risk, you can identify which nodes in the graph carry the most risk — without reading every one of hundreds of package.json files manually.
Security architects scoping the blast radius of a supply chain incident, developers evaluating whether a new package brings unwanted dependencies, and security tools that need full dependency inventories for SBOM (Software Bill of Materials) generation all use this to understand what they're actually running.
ToolRouterhttps://api.toolrouter.com/mcpClaude navigates complex dependency graphs to surface the risks that matter — identifying which transitive packages are most widely used (and therefore highest-impact if compromised), flagging dependencies with concerning maintenance signals, and explaining why a specific deep dependency poses a risk to the whole tree.
Once connected (see setup above), use the Supply Chain Risk tool — the same steps work with Claude, ChatGPT, Microsoft Copilot, OpenClaw, and any MCP client:
Map the full dependency tree for any npm package and identify risky transitive dependencies buried in the graph. Connect the Supply Chain Risk tool to Claude, ChatGPT, Microsoft Copilot, and OpenClaw through ToolRouter, then ask the assistant in plain language. For example: Ask: "Get the dependency graph for the express npm package using supply-chain-risk" Claude returns a structured dependency tree
Claude, ChatGPT, Microsoft Copilot, and OpenClaw can all analyse dependency graphs for hidden risk using the Supply Chain Risk tool through ToolRouter, with no API keys or coding required.
Assess software supply chain risk for npm packages — dependency vulnerabilities, malware, and typosquatting.