Loading...
Loading...
Found 34 Skills
MUST be used whenever fixing dependency issues in a Dune app. This skill finds AND fixes vulnerabilities, outdated packages, deprecated dependencies, and license issues — it does not just report them. Triggers: dependencies, packages, fix dependencies, update packages, fix vulnerabilities, npm audit fix, pnpm audit fix, CVE fix, outdated, deprecated, supply chain, license.
You are a dependency security expert specializing in vulnerability scanning, license compliance, and supply chain security. Analyze project dependencies for known vulnerabilities, licensing issues, outdated packages, and provide actionable remediation strategies.
Audits project dependencies for license compliance, maintenance health, security vulnerabilities, and bloat. Analyzes both direct and transitive dependency trees, detects abandoned packages, identifies license conflicts (copyleft, unknown), checks for known CVEs, and finds unused or duplicate dependencies. Triggers on: "audit dependencies", "dependency check", "license check", "dependency health", "abandoned packages", "bloat check", "unused dependencies", "security audit dependencies", "dependency review", "license compliance", "package audit", "supply chain", "dependency risk". Use this skill when reviewing project dependencies for risk.
ML supply chain security scanner. Scans model files, scores risk (0-100), maps to 5 global compliance frameworks (ISM-2072, EU AI Act, OWASP LLM, MITRE ATLAS, NIST AI RMF), and provides remediation steps. Zero-config, auto-installs scanners. Use when the user asks to scan a model, check if a model is safe, audit ML security posture, check compliance, inspect pickle/safetensors/pytorch files, or mentions model supply chain security. Also trigger on ISM-2072, EU AI Act, OWASP LLM06, model risk score, "is this model safe", "scan my models", "check compliance".
Sonatype integration. Manage data, records, and automate workflows. Use when the user wants to interact with Sonatype data.
Audit MCP (Model Context Protocol) server configurations for security issues. Use this skill when: - Reviewing .mcp.json files for security risks - Checking MCP server args for hardcoded secrets or shell injection patterns - Validating that MCP servers use pinned versions (not @latest) - Detecting unpinned dependencies in MCP server configurations - Auditing which MCP servers a project registers and whether they're on an approved list - Checking for environment variable usage vs. hardcoded credentials in MCP configs - Any request like "is my MCP config secure?", "audit my MCP servers", or "check .mcp.json" keywords: [mcp, security, audit, secrets, shell-injection, supply-chain, governance]
Rust security skill for supply chain safety and memory-safe development. Use when auditing dependencies with cargo-audit, enforcing policies with cargo-deny, reviewing RUSTSEC advisories, writing memory-safe FFI patterns, or integrating fuzzing and Miri into a security review pipeline. Activates on queries about cargo-audit, cargo-deny, RUSTSEC advisories, supply chain security, Rust CVEs, safe FFI, or fuzzing for security.
Managing third-party dependencies — version pinning, security auditing, license compliance, update workflows, lockfile management, supply chain security. Activate on "npm audit", "dependabot", "renovate", "pin versions", "dependency update", "supply chain", "license compliance", "lockfile", "security advisory", "typosquatting", "SBOM". NOT for internal monorepo package management (use monorepo-management) or publishing your own packages to npm/PyPI.
Use when checking for security vulnerabilities in NanoClaw skills, before installing new skills, or when asked about security advisories affecting the bot
OWASP Top 10:2025 security vulnerabilities. Covers access control, injection, supply chain, cryptographic failures, and more. Use for security reviews. USE WHEN: user mentions "OWASP 2025", "Top 10", "security review", "vulnerability assessment", asks about "broken access control", "injection", "supply chain", "cryptographic failures", "exception handling" DO NOT USE FOR: general OWASP (2021) - use `owasp` instead, secrets - use `secrets-management`, dependencies - use `supply-chain`