Analyse Dependency Graphs for Hidden Risk
Map the full dependency tree for any npm package and identify risky transitive dependencies buried in the graph.
Audit npm Packages for Security and Supply Chain Risk
Check any npm package for vulnerabilities, malware indicators, typosquatting, and supply chain risk before installing.
Tool
Installing an npm package is an act of trust — you're running code written by someone you've never met, maintained by a team you know nothing about, with dependencies that could number in the hundreds. Most developers never audit the packages they install beyond a quick GitHub star count, yet malicious packages, abandoned dependencies, and credential-stealing typosquats are real and increasing threats.
The package_risk and batch_risk skills assess npm packages against multiple risk dimensions: CVE vulnerabilities, malicious code indicators, download trend anomalies (often a sign of typosquatting), maintainer count and activity, and dependency chain depth. Each package gets a risk score with explanatory detail rather than a binary pass/fail.
Security engineers auditing a new codebase, developers evaluating packages before adoption, open source programme offices managing approved package lists, and DevSecOps pipelines that need automated risk gating all use this to make evidence-based decisions about which packages to trust.
Agent Guides
Claude
- Connect ToolRouter to Claude: claude mcp add toolrouter -- npx -y toolrouter-mcp
- Ask: "Check the supply chain risk for the lodash npm package using supply-chain-risk"
- Claude returns a risk assessment with scores across each dimension
ChatGPT
- Add ToolRouter to ChatGPT using the MCP JSON configuration
- Ask: "Check supply chain risk for the axios npm package using supply-chain-risk"
- ChatGPT returns a risk breakdown by category
Copilot
- Add ToolRouter to your Copilot MCP configuration
- In Copilot Chat: "Check supply chain risk for the moment npm package using supply-chain-risk"
- Copilot returns a structured risk assessment
OpenClaw
- Connect ToolRouter to OpenClaw: openclaw mcp add toolrouter -- npx -y toolrouter-mcp
- Run: "Check supply chain risk for all packages in this package.json [list] using supply-chain-risk"
- OpenClaw returns risk assessments for the complete dependency list
Related Use Cases
Detect Typosquatted and Malicious npm Packages
Identify npm packages that impersonate popular libraries through typosquatting, namespace confusion, or name similarity attacks.