- Home
- Skills
- Charlesjones Dev
- Claude Code Plugins Dev
- Security Scan Dependencies
security-scan-dependencies_skill
26
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill charlesjones-dev/claude-code-plugins-dev --skill security-scan-dependencies- SKILL.md35.1 KB
Overview
This skill scans a deployed website for outdated client-side dependencies, known CVEs, and common security misconfigurations without needing source code access. It provides a prioritized security report that highlights vulnerable libraries, CMS detections, and HTTP security header issues. Use it to quickly assess surface-level supply-chain and configuration risks on publicly accessible sites.
How this skill works
The skill asks for the target URL and scan scope interactively, then invokes an automated dependency scanner agent that fetches the site using raw HTTP requests (WebFetch or curl). It parses HTML, asset URLs, and fetched file contents to detect frontend libraries, meta-frameworks, and CMS platforms, checks versions against a vulnerability database (Context7), audits HTTP security headers, and produces a timestamped markdown report saved to /docs/security/.
When to use it
- Assess a third-party or client website for outdated frontend libraries and known CVEs
- Perform pre-acquisition technical due diligence on a web property
- Audit HTTP security headers (CSP, HSTS, X-Frame-Options, etc.) for missing or weak configurations
- Compare external dependency exposure against internal security scans
- Run a supply-chain check for public-facing client-side assets
Best practices
- Only scan sites you have explicit permission to analyze and avoid authenticated areas
- Provide the full URL when prompted; the skill ensures protocol correctness (auto-prepends https:// if missing)
- Select precise scan scope to limit noise (Frontend libraries, CMS platforms, Security headers, or All)
- Review and remediate critical and high-severity findings first, then re-scan after fixes
- Test dependency upgrades in staging before rolling changes to production
Example use cases
- Find outdated jQuery, Bootstrap, or React versions exposed on a public website and get CVE details with CVSS scores
- Detect WordPress or Drupal instances and identify version-specific vulnerabilities
- Audit HTTP security headers to find missing CSP or weak HSTS settings
- Produce a report for a security review or as part of M&A technical due diligence
- Compare results against internal SBOMs to discover third-party supply-chain exposure
FAQ
I will ask you for the target website URL and the scan scope via interactive prompts. Do not pass any URL or arguments directly in the command — they will be ignored.
Which tools are used to fetch the site?
The scanner uses only raw HTTP fetch methods (WebFetch or curl) to retrieve HTML and response headers. Browser automation is not used because it cannot reliably expose raw HTTP headers.
What can the scan not detect?
It cannot find server-side vulnerabilities, business logic flaws, authentication issues behind login walls, or anything requiring source code access. It’s limited to publicly accessible client-side information.