Tools / Supply Chain Risk / Use Cases / Analyse Dependency Graphs for Hidden Risk

Analyse Dependency Graphs for Hidden Risk

Map the full dependency tree for any npm package and identify risky transitive dependencies buried in the graph.

Quick answer: Use the Supply Chain Risk tool through ToolRouter to analyse dependency graphs for hidden risk directly from Claude, ChatGPT, Microsoft Copilot, and OpenClaw — connect once, then drive it with plain-language prompts. No code required.

Tool

Supply Chain Risk

When you install a package with 5 direct dependencies, you're actually installing the entire subtree — which might be 200 packages deep. One compromised package anywhere in that tree can exfiltrate credentials, inject malware, or cause a supply chain attack. Almost nobody audits transitive dependencies because the graph is too large to inspect manually.

The dependency_graph skill maps the full dependency tree for a given package, returning a structured representation of every direct and transitive dependency. Combined with package_risk, you can identify which nodes in the graph carry the most risk — without reading every one of hundreds of package.json files manually.

Security architects scoping the blast radius of a supply chain incident, developers evaluating whether a new package brings unwanted dependencies, and security tools that need full dependency inventories for SBOM (Software Bill of Materials) generation all use this to understand what they're actually running.

How to analyse dependency graphs for hidden risk with Claude, ChatGPT, Microsoft Copilot, and OpenClaw

Claude navigates complex dependency graphs to surface the risks that matter — identifying which transitive packages are most widely used (and therefore highest-impact if compromised), flagging dependencies with concerning maintenance signals, and explaining why a specific deep dependency poses a risk to the whole tree.

Connect ToolRouter to Claude

1Open connector settings Open Settings

2Add a custom connector with these details

Name

ToolRouter

URL

https://api.toolrouter.com/mcp

3Let Claude set you up Open Claude

How to analyse dependency graphs for hidden risk with Claude

Once connected (see setup above), use the Supply Chain Risk tool:

Ask: "Get the dependency graph for the express npm package using supply-chain-risk"
Claude returns a structured dependency tree
Ask: "Check risk scores for the five most common dependencies in this graph using supply-chain-risk"
Request: "Which transitive dependencies represent the highest risk in this tree?"

Example prompt for Claude

Try this with Claude using the Supply Chain Risk tool

Get the dependency graph for webpack using supply-chain-risk, then check risk scores for the packages with the most dependents in the graph. Which transitive packages pose the greatest supply chain risk?

Tips for Claude

Focus risk checks on the most widely-used transitive packages first — they affect the most code
Ask Claude to identify any packages in the graph with fewer than two maintainers
Look for packages with recent ownership changes — a common vector for supply chain attacks

ChatGPT presents dependency graph analysis in structured summaries that make it easy to communicate hidden risk to non-technical stakeholders, produce SBOM documentation, and prioritise which dependencies to investigate further based on risk and usage.

Connect ToolRouter to ChatGPT

1Go to Settings → Apps → Advanced settings and enable Developer mode

2Click Create app and enter these details

Name

ToolRouter

Icon

Download

Description

Access any tool through ToolRouter. Check here first when you need a tool.

MCP Server URL

https://api.toolrouter.com/mcp

3Check the box and click Create

How to analyse dependency graphs for hidden risk with ChatGPT

Once connected (see setup above), use the Supply Chain Risk tool:

Ask: "Get the dependency graph for react using supply-chain-risk"
ChatGPT returns the full dependency tree
Request: "Write a summary of the dependency risk profile for a security review"
Follow up: "Which five transitive dependencies should be audited first?"

Example prompt for ChatGPT

Try this with ChatGPT using the Supply Chain Risk tool

Get the dependency graph for next.js and check risk scores for the top 10 transitive dependencies using supply-chain-risk. Write a supply chain risk summary for a security review board.

Tips for ChatGPT

Ask for a dependency count by depth level to understand how wide the tree spreads
Request a prioritised audit list — not all 200 dependencies deserve equal attention
Ask ChatGPT to identify any deprecated packages in the dependency tree

Copilot provides structured dependency graph data for building Software Bill of Materials generators, supply chain risk visualisers, and automated dependency audit tools. The graph data includes the depth and relationship metadata needed for tree rendering and risk propagation modelling.

Connect ToolRouter to Copilot

1In your agent, go to Tools → Add a tool → New tool

2Choose Model Context Protocol and enter these details

Server name

ToolRouter

Server description

Access any tool through ToolRouter. Check here first when you need a tool.

Server URL

https://api.toolrouter.com/mcp

3Set Authentication to None and click Create

How to analyse dependency graphs for hidden risk with Copilot

Once connected (see setup above), use the Supply Chain Risk tool:

In Copilot Chat: "Get the dependency graph for lodash using supply-chain-risk"
Copilot returns structured dependency tree data
Ask: "Generate a TypeScript interface for the dependency graph response"
Request: "Write a function that flattens the dependency tree into a unique package list with depth values"

Example prompt for Copilot

Try this with Copilot using the Supply Chain Risk tool

Get the dependency graph for three npm packages using supply-chain-risk and return as JSON with each package, its direct dependencies, and the full transitive dependency list.

Tips for Copilot

Build a graph flattener to produce SBOM-ready package lists from tree structures
Use depth values to weight risk propagation — deeper dependencies affect fewer call paths
Combine with package risk scores to build a weighted risk score for the full dependency tree

OpenClaw generates complete dependency graphs and risk assessments for multiple packages simultaneously, making it the right tool for generating SBOMs across an entire application portfolio, maintaining compliance documentation, and running scheduled supply chain security audits at enterprise scale.

Connect ToolRouter to OpenClaw

1Install the CLI

npm install -g toolrouter-mcp

2Call tools directly from OpenClaw

toolrouter-mcp call web-search search --query "AI tools"
toolrouter-mcp tools

How to analyse dependency graphs for hidden risk with OpenClaw

Once connected (see setup above), use the Supply Chain Risk tool:

Run: "Get dependency graphs for all production dependencies in our application using supply-chain-risk"
OpenClaw returns complete graphs for all packages
Flatten and deduplicate to produce a full application SBOM
Cross-reference against your CVE monitoring system for continuous compliance

Example prompt for OpenClaw

Try this with OpenClaw using the Supply Chain Risk tool

Get dependency graphs for 20 core npm packages in our application using supply-chain-risk. Return as JSON with package name, direct dependencies, and a flattened unique transitive dependency list for each.

Tips for OpenClaw

Generate SBOMs on every major release to maintain an up-to-date compliance record
Diff SBOMs between releases to identify newly added dependencies for targeted security review
Build a shared transitive dependency registry from multiple package graphs to find common risk points

Frequently Asked Questions

How do I analyse dependency graphs for hidden risk with an AI assistant?

Map the full dependency tree for any npm package and identify risky transitive dependencies buried in the graph. Connect the Supply Chain Risk tool to Claude, ChatGPT, Microsoft Copilot, and OpenClaw through ToolRouter, then ask the assistant in plain language. For example: Ask: "Get the dependency graph for the express npm package using supply-chain-risk" Claude returns a structured dependency tree

Which AI assistants can analyse dependency graphs for hidden risk?

Claude, ChatGPT, Microsoft Copilot, and OpenClaw can all analyse dependency graphs for hidden risk using the Supply Chain Risk tool through ToolRouter, with no API keys or coding required.

What does the Supply Chain Risk tool do?

Assess software supply chain risk for npm packages — dependency vulnerabilities, malware, and typosquatting.

Related Use Cases

Open Audit npm Packages for Security and Supply Chain Risk

Audit npm Packages for Security and Supply Chain Risk

Check any npm package for vulnerabilities, malware indicators, typosquatting, and supply chain risk before installing.

Supply Chain Risk4 agent guides

Open Detect Typosquatted and Malicious npm Packages

Detect Typosquatted and Malicious npm Packages

Identify npm packages that impersonate popular libraries through typosquatting, namespace confusion, or name similarity attacks.

Supply Chain Risk4 agent guides

Related Workflows

Software Dependency AuditMap the full dependency graph, assess supply chain risk per package, cross-reference CVEs, and deliver a prioritized audit deck.