Skip to content
wyattowalsh/agents | AI Agent Configs
Docs
supply-chain-risk-auditor

supply-chain-risk-auditor

Curated third-party skill source. Run external-skill-auditor before repo promotion.

supply-chain-risk-auditor18 wordsInspect firstinspect-then-install
Curated third-party skill source. Run external-skill-auditor before repo promotion.

Quick Start

Install:

npx skills add trailofbits/skills --skill differential-review --skill agentic-actions-auditor --skill variant-analysis --skill insecure-defaults --skill supply-chain-risk-auditor --skill modern-python -y -g -a antigravity claude-code codex crush cursor gemini-cli github-copilot grok opencode

Use: /supply-chain-risk-auditor

Works with Claude Code, Gemini CLI, OpenCode, and other agentskills.io-compatible agents.

What It Does

Section titled “What It Does”

Generates report on supply-chain threat landscape of direct dependencies (popularity, #maintainers, CVE history, update freq, security contacts). Flags high-risk; suggests alts where known. Uses gh CLI queries. Explicitly does NOT scan source for CVEs/creds. Trail of Bits (Spencer Michaels).

Harness Coverage

Section titled “Harness Coverage”

Targets verified harnesses: antigravity, claude-code, codex, crush, cursor, gemini-cli, github-copilot, grok, opencode.

Portable multi-harness install command:

Terminal window
npx skills add trailofbits/skills --skill differential-review --skill agentic-actions-auditor --skill variant-analysis --skill insecure-defaults --skill supply-chain-risk-auditor --skill modern-python -y -g -a antigravity claude-code codex crush cursor gemini-cli github-copilot grok opencode

Trust / Audit

Section titled “Trust / Audit”

Trust tier: Inspect first (needs-inspection)

Curated status: inspect-then-install

Risk notes: Curated third-party skill source. Run external-skill-auditor before repo promotion.

Entry maintained via authoring + research for compose-external-wave-12; provenance and audit notes are authoritative there (research context is advisory).

Install Prerequisites

Section titled “Install Prerequisites”

Inspect group install cmd. status=inspect-then-install; selector=named.

FieldValue
Source Typecurated-external
Display Sourcetrailofbits/skills
Source Kindgithub
Installabilityportable command
Review Statecurated
Trust Tierneeds-inspection
Target Agentsantigravity, claude-code, codex, crush, cursor, gemini-cli, github-copilot, grok, opencode
Curated catalog entry
docs/src/authoring/skills/supply-chain-risk-auditor.mdx (full SSOT excerpt)
---
name: "supply-chain-risk-auditor"
description: "Curated third-party skill source. Run external-skill-auditor before repo promotion."
title: "Supply Chain Risk Auditor"
source_kind: "curated-external"
source: "trailofbits/skills"
install_source: "trailofbits/skills"
status: "inspect-then-install"
trust_tier: "needs-inspection"
provenance_status: "verified-install-command"
install_command: "npx skills add trailofbits/skills --skill differential-review --skill agentic-actions-auditor --skill variant-analysis --skill insecure-defaults --skill supply-chain-risk-auditor --skill modern-python -y -g -a antigravity claude-code codex crush cursor gemini-cli github-copilot grok opencode"
target_agents: [antigravity, claude-code, codex, crush, cursor, gemini-cli, github-copilot, grok, opencode]
source_url: "https://github.com/trailofbits/skills"
notes: "Curated third-party skill source. Run external-skill-auditor before repo promotion."
risk_notes: "Curated third-party skill source. Run external-skill-auditor before repo promotion."
promotion_policy: "Inspect source, hooks, scripts, credentials, and dedupe before install."
provenance_evidence: "Curated `npx skills add` command with named `--skill` selectors under `inspect-then-install` in config/external-skills.md."
---


{/* GENERATED-AUTHORING: source=config/external-skills.md; entry=supply-chain-risk-auditor; re-run migration to refresh */}


Curated third-party skill source. Run external-skill-auditor before repo promotion.

Install / provenance (from authoring frontmatter + research):

FieldValue
install_commandnpx skills add trailofbits/skills --skill differential-review --skill agentic-actions-auditor --skill variant-analysis --skill insecure-defaults --skill supply-chain-risk-auditor --skill modern-python -y -g -a antigravity claude-code codex crush cursor gemini-cli github-copilot grok opencode
sourcetrailofbits/skills
source_urlhttps://github.com/trailofbits/skills
trust_tierneeds-inspection
curated_statusinspect-then-install
target_agentsantigravity, claude-code, codex, crush, cursor, gemini-cli, github-copilot, grok, opencode

Resources

Section titled “Resources”
Skill Catalog Browse custom and external skills.
CLI Reference Install and manage skills.
Built & designed by shadcn. Ported to Astro Starlight by Adrián UB. The source code is available on GitHub.
Home Start Here Skills Agents MCP CLI

Skills

Catalog Install Custom

Agents

Agents code-reviewer docs-writer orchestrator performance-profiler planner release-manager researcher security-auditor

MCP

MCP Servers mcphub

Hooks

Hooks codex-destructive-shell-guard codex-permission-request-guard codex-post-tool-verify-context codex-protected-file-guard codex-session-start-context codex-stop-truth-gate destructive-shell-guard post-edit-format post-edit-lint prompt-log protected-file-guard research-dangerous-shell-guard research-evidence-ledger research-prompt-triage-context research-readonly-write-guard research-stop-verifier session-start

Harness Config

Harness Config mcp-registry sync-manifest tooling-policy