Skill Detail
Score open source repositories for supply-chain risk signals before adoption or release decisions with Scorecard
Check a repository against OpenSSF security heuristics before you trust it as a dependency, approve it for use, or ship from it.
Security & Verification
Multi-Framework
Security Reviewed
β 5.4k GitHub stars
INSTALL WITH ANY AGENT
npx skills add agentskillexchange/skills --skill score-open-source-repositories-for-supply-chain-risk-signals-before-adoption-or-release-decisions-with-scorecard
Works best when you want a reusable capability, not another fragile one-off prompt.
At a glance
Tools required
Scorecard CLI or GitHub Action, network access to the target repository host, and optional GitHub authentication for higher API limits.
Install & setup
Install Scorecard from the upstream release, package, or action path documented at scorecard.dev, then run it against the target repository URL or dependency list and review the reported checks before adoption or release work proceeds.
Author
OpenSSF
Publisher
Organization
Last updated
Apr 17, 2026
Quick brief
Use Scorecard when an agent needs a repeatable upstream trust check on an open source repository, not when someone is simply browsing GitHub or running a full SCA platform. The job is concrete: inspect a repo against the published OpenSSF checks, surface weak supply-chain signals, and hand back a reviewable risk summary before adoption or release decisions. That scope boundary (scoring a repository's security posture against a known check set) keeps this skill-shaped instead of turning it into a generic product listing.