NPM Package Vulnerability Scanner
Scans npm dependencies for known vulnerabilities using the npm audit JSON API and the OSV.dev REST API (api.osv.dev/v1/query). Cross-references findings with the GitHub Advisory Database (GHSA) for severity scoring.
npx skills add agentskillexchange/skills --skill npm-package-vulnerability-scanner
The NPM Package Vulnerability Scanner skill performs deep security analysis of Node.js project dependencies by combining multiple vulnerability data sources. It executes npm audit with JSON output parsing to identify known CVEs in the dependency tree, then enriches findings by querying the OSV.dev REST API (api.osv.dev/v1/query) for additional vulnerability context and affected version ranges.
What this skill actually does
Each identified vulnerability is cross-referenced against the GitHub Advisory Database (GHSA) to retrieve CVSS scores, exploit availability information, and patch recommendations. The skill differentiates between direct and transitive dependency vulnerabilities, providing specific upgrade paths using npm ls to trace dependency chains.
Advanced features include lock file analysis for detecting dependency confusion attacks by comparing registry sources, checking for typosquatting indicators against popular package names, and validating package provenance using npm sigstore signatures where available.
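As an added example (not the skill's own code), here are two of the checks described above in Node.js: flagging package-lock.json entries whose resolved URL is not on the registry expected for their scope, which is the dependency-confusion indicator the lock file analysis looks for, and building the request bodies for the OSV.dev /v1/query lookups. The lockfile contents, the @acme scope and the npm.acme.example registry host are constructed for the example.

```javascript
// Registry each scope is expected to resolve from (assumed configuration, not the skill's).
const EXPECTED_REGISTRY = {
  "@acme": "https://npm.acme.example/", // private scope on a hypothetical host
  "": "https://registry.npmjs.org/",     // default for unscoped packages
};

// Constructed sample package-lock.json (lockfileVersion 3); not from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { version: "1.0.0" },
    "node_modules/lodash": { version: "4.17.20",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz" },
    "node_modules/@acme/billing": { version: "0.9.0",
      resolved: "https://npm.acme.example/@acme/billing/-/billing-0.9.0.tgz" },
    // A private-scope name served from the public registry: the confusion indicator.
    "node_modules/@acme/internal-utils": { version: "2.3.1",
      resolved: "https://registry.npmjs.org/@acme/internal-utils/-/internal-utils-2.3.1.tgz" },
  },
};

// "node_modules/a/node_modules/@scope/name" -> "@scope/name" (nested installs included)
const packageName = (p) => p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);

// Entries whose "resolved" URL is not on the registry expected for their scope;
// entries with no "resolved" at all (links, bundled deps) are reported as well.
function findRegistryMismatches(lock, expected = EXPECTED_REGISTRY) {
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages)) {
    if (lockPath === "") continue; // the root project itself
    const name = packageName(lockPath);
    const scope = name.startsWith("@") ? name.split("/")[0] : "";
    const want = expected[scope] ?? expected[""];
    if (!meta.resolved || !meta.resolved.startsWith(want)) {
      hits.push({ name, version: meta.version, resolved: meta.resolved, expected: want });
    }
  }
  return hits;
}

// One POST body per locked package, in the shape OSV.dev's /v1/query accepts.
function buildOsvQueries(lock) {
  return Object.entries(lock.packages)
    .filter(([lockPath]) => lockPath !== "")
    .map(([lockPath, meta]) => ({ version: meta.version,
      package: { name: packageName(lockPath), ecosystem: "npm" } }));
}

console.log(JSON.stringify(findRegistryMismatches(SAMPLE_LOCK), null, 2));
```

Packages flagged by findRegistryMismatches should be excluded from the OSV lookups until their source is confirmed, since a vulnerability verdict for a name resolved from the wrong registry describes the wrong artifact.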
The skill generates prioritized remediation reports sorted by CVSS severity and exploitability, with automated fix suggestions using npm audit fix --dry-run output. It supports monorepo scanning across multiple package.json files and can track vulnerability trends over time for compliance reporting.