How to Audit npm Package Security with Claude
Audit npm package security with Claude and ToolRouter. Vulnerability, malware, and supply chain risk scores.
Tool: Supply Chain Risk
Claude combines package risk scores with its knowledge of the ecosystem to give contextualised verdicts: explaining whether a specific CVE affects your usage pattern, recommending safer alternatives for high-risk packages, and identifying whether a typosquat is targeting a specific popular library you're already using.
Connect ToolRouter to Claude
1. Open Claude's connector settings
2. Add a custom connector with these details:
   Name: ToolRouter
   URL: https://api.toolrouter.com/mcp
3. Let Claude set you up
Steps
Once connected (see setup above), use the Supply Chain Risk tool:
- Ask: "Check the supply chain risk for the lodash npm package using supply-chain-risk"
- Claude returns a risk assessment with scores across each dimension (vulnerability, malware, and supply chain risk)
- Ask: "Are any of the identified CVEs exploitable in a typical Node.js server context?"
- Request: "What safer alternatives to this package would you recommend?"
Example Prompt
Try this with Claude using the Supply Chain Risk tool
Check supply chain risk for these npm packages: event-stream, left-pad, and colors using supply-chain-risk. Flag any that have a history of supply chain incidents and explain what happened.
Tips
- Ask about the specific CVEs and whether they affect your actual usage of the package (the vulnerable code path and the version your lockfile actually resolves to)
- Request a recommendation on whether to pin the version, find an alternative, or proceed, and check it against your own lockfile before acting
- Ask Claude to check for known typosquats targeting packages you regularly use