Scans package manifests for known CVEs across npm, pip, Go, Cargo, and Bundler.
Dependency Auditor reads your project's package manifest — package.json, requirements.txt, go.mod, Cargo.toml, or Gemfile.lock — and checks every dependency (including transitive ones) against the GitHub Advisory Database and the National Vulnerability Database.
For each vulnerability found, the skill reports the CVE ID, CVSS score, affected version range, and the minimum patched version. It groups findings by severity and generates a prioritized remediation plan. For npm and pip projects, it can auto-generate a patched lockfile that resolves all fixable vulnerabilities.
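The matching and prioritisation step described above, as an added illustration that is not the Dependency Auditor's own code: it parses a `requirements.txt` and a `package-lock.json` (direct and transitive entries), compares each resolved version against advisory records shaped like the GitHub Advisory API fields (`vulnerable_version_range`, `first_patched_version`, `severity`), orders findings by severity and CVSS, and derives one upgrade action per package. The package names, versions and advisory IDs are constructed placeholders, not real vulnerabilities; the advisory records are embedded inline so the script runs offline, whereas the skill fetches them over HTTPS.

```python
"""Added example, not the skill's code: offline dependency audit against
constructed advisory records.  Every package, version and CVE ID below is
a placeholder."""
import json
import re

# Constructed advisory records mirroring the GitHub Advisory API field names.
# IDs of the form CVE-0000-000N are placeholders, not real advisories.
ADVISORIES = [
    {"id": "CVE-0000-0001", "ecosystem": "npm", "package": "demo-http",
     "vulnerable_version_range": "< 2.3.1", "first_patched_version": "2.3.1",
     "severity": "high", "cvss": 7.5},
    {"id": "CVE-0000-0002", "ecosystem": "npm", "package": "demo-http",
     "vulnerable_version_range": ">= 2.0.0, < 2.4.0", "first_patched_version": "2.4.0",
     "severity": "medium", "cvss": 5.3},
    {"id": "CVE-0000-0003", "ecosystem": "pip", "package": "demo-yaml",
     "vulnerable_version_range": "< 6.0", "first_patched_version": "6.0",
     "severity": "critical", "cvss": 9.8},
    {"id": "CVE-0000-0004", "ecosystem": "npm", "package": "demo-logger",
     "vulnerable_version_range": "<= 1.0.0", "first_patched_version": None,
     "severity": "low", "cvss": 3.1},
]
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed manifest inputs (a pinned requirements.txt and a lockfileVersion 3
# package-lock.json with one transitive, nested copy of demo-http).
REQUIREMENTS = "demo-yaml==5.4.1\ndemo-client>=2.0   # unpinned: skipped\n"
PACKAGE_LOCK = json.dumps({"name": "app", "lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/demo-http": {"version": "2.2.0"},
    "node_modules/demo-logger": {"version": "1.0.0"},
    "node_modules/demo-logger/node_modules/demo-http": {"version": "2.3.5"},
}})

def parse_version(v):
    """'2.3.1' -> (2, 3, 1); pads to three components so 6.0 == 6.0.0."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    parts += [0] * (3 - len(parts))
    return tuple(parts)

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "=": lambda a, b: a == b}

def in_range(version, range_spec):
    """True if version satisfies every comma-separated clause, e.g. '>= 2.0.0, < 2.4.0'."""
    v = parse_version(version)
    for clause in range_spec.split(","):
        op, bound = re.match(r"\s*(<=|>=|<|>|=)\s*(\S+)", clause).groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True

def parse_requirements(text):
    """Set of (name, version) for pinned 'name==version' lines; other specifiers are skipped."""
    deps = set()
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][^\s;#]*)", line)
        if m:
            deps.add((m.group(1).lower(), m.group(2)))
    return deps

def parse_package_lock(text):
    """Set of (name, version) for every resolved package, nested (transitive) copies included."""
    lock = json.loads(text)
    return {(path.rsplit("node_modules/", 1)[1], entry["version"])
            for path, entry in lock.get("packages", {}).items()
            if path.startswith("node_modules/")}

def audit(deps, ecosystem, advisories=ADVISORIES):
    """Findings for each installed version inside a vulnerable range, worst severity first."""
    findings = [dict(adv, installed=version)
                for name, version in sorted(deps) for adv in advisories
                if adv["ecosystem"] == ecosystem and adv["package"] == name
                and in_range(version, adv["vulnerable_version_range"])]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], -f["cvss"]))

def remediation_plan(findings):
    """One action per package: the highest first_patched_version among its findings
    (so a single upgrade closes all of them), flagged unfixable if any has no patch."""
    plan = {}
    for f in findings:
        entry = plan.setdefault(f["package"], {"upgrade_to": None, "unfixable": False})
        patched = f["first_patched_version"]
        if patched is None:
            entry["unfixable"] = True
        elif entry["upgrade_to"] is None or parse_version(patched) > parse_version(entry["upgrade_to"]):
            entry["upgrade_to"] = patched
    return plan

if __name__ == "__main__":
    for eco, deps in (("pip", parse_requirements(REQUIREMENTS)),
                      ("npm", parse_package_lock(PACKAGE_LOCK))):
        found = audit(deps, eco)
        for f in found:
            print(f"{f['severity']:<8} {f['id']} {f['package']}@{f['installed']} "
                  f"(CVSS {f['cvss']}, vulnerable {f['vulnerable_version_range']})")
        print(eco, "plan:", remediation_plan(found))
```

The plan deliberately takes the highest patched version across all advisories for a package, since upgrading `demo-http` only to 2.3.1 would close the high-severity finding but leave the medium one open; a package with an advisory lacking `first_patched_version` is reported as needing replacement or mitigation rather than an upgrade.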
The skill requires `curl` for API access and reads only your manifest and lockfiles. It makes HTTPS requests to the GitHub Advisory API (no authentication is required for public data). No code is executed, and no files are modified unless you explicitly request the patched lockfile output.