Guide for conducting comprehensive web dependency security scans to identify outdated libraries, CVEs, and security misconfigurations. Use when analyzing deployed websites for dependency vulnerabilities.
GitHub: charlesjones-dev/claude-code-plugins-dev
ai-security
plugins/ai-security/skills/security-dependency-scanning/SKILL.md
January 21, 2026
Install:

```
npx add-skill https://github.com/charlesjones-dev/claude-code-plugins-dev/blob/main/plugins/ai-security/skills/security-dependency-scanning/SKILL.md -a claude-code --skill security-dependency-scanning
```

Installation path:
.claude/skills/security-dependency-scanning/

# Web Dependency Security Scanning Skill

This skill provides expert guidance for scanning deployed websites to identify outdated dependencies, known vulnerabilities (CVEs), insecure configurations, and missing security controls.

## When to Use This Skill

Invoke this skill when:

- Scanning a deployed website for outdated libraries and frameworks
- Identifying CVEs in frontend dependencies (jQuery, React, Vue, Bootstrap, etc.)
- Detecting CMS versions and known vulnerabilities (WordPress, Drupal, Umbraco, Sitecore, etc.)
- Auditing HTTP security headers and configurations
- Performing third-party website security assessments
- Conducting pre-acquisition technical due diligence
- Analyzing supply chain security risks in web applications
- Evaluating client-side dependency security without source code access

## Required Tools

**🚨 CRITICAL: Tool Requirements for Website Scanning 🚨**

You MUST use ONLY these tools to fetch and analyze websites:

- ✅ **WebFetch tool** - Primary method for fetching HTML and HTTP headers
- ✅ **curl** (via Bash tool) - Alternative method: `curl -i https://example.com`

You MUST NOT use these tools:

- ❌ **Playwright** or any MCP browser automation tools
- ❌ **Any browser-based tools** (mcp__playwright__browser_navigate, etc.)
- ❌ **Any other MCP web browsing tools**

**Why This Matters**:

- HTTP security headers (Content-Security-Policy, HSTS, X-Frame-Options, etc.) are ONLY available via raw HTTP responses
- Playwright and browser tools **cannot access** these critical security headers
- Using browser tools will result in **incomplete and inaccurate security header analysis**
- WebFetch and curl provide the raw HTTP response headers required for comprehensive security auditing

**If you use Playwright or browser tools, the security scan will be incomplete and the report will be invalid.**

## Core Web Security Expertise

### 1. Frontend Library Detection

To identify JavaScript and CSS libraries, analyze:

- **CDN URL Patterns**: Extract
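To show why the skill insists on a raw HTTP response (the "Why This Matters" list above) and what the CDN URL extraction in this section produces, here is an added Python example. It is not part of the skill or the charlesjones-dev repository: it takes a `curl -i` style capture, reports missing or weak security headers, and pulls library name and version pairs out of CDN script and stylesheet URLs. The sample response, the CDN URL patterns, and the one-year HSTS `max-age` threshold are constructed or assumed for this example.

```python
"""Audit a raw HTTP response (as captured by `curl -i`) for security headers
and CDN-hosted frontend libraries. Added example; the sample response below
is constructed and does not describe any real site."""
import re

# Headers a production site is expected to send (compared case-insensitively).
REQUIRED_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
)

# Assumed threshold: HSTS max-age shorter than one year is reported as weak.
HSTS_MIN_MAX_AGE = 31536000

# CDN URL shapes that carry a library name and a pinned version (assumed set).
CDN_PATTERNS = (
    re.compile(r"cdn\.jsdelivr\.net/npm/(?P<name>[^@/]+)@(?P<version>[\d.]+)"),
    re.compile(r"cdnjs\.cloudflare\.com/ajax/libs/(?P<name>[^/]+)/(?P<version>[\d.]+)/"),
    re.compile(r"unpkg\.com/(?P<name>[^@/]+)@(?P<version>[\d.]+)"),
    re.compile(r"code\.jquery\.com/(?P<name>jquery)-(?P<version>[\d.]+)(?:\.min)?\.js"),
)

# Constructed sample of what `curl -i` returns: status line, headers, blank line, body.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=86400\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html><head>\n"
    '<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>\n'
    '<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css">\n'
    '<script src="/static/app.js"></script>\n'
    "</head><body></body></html>\n"
)


def split_response(raw: str):
    """Split a `curl -i` capture into (status_line, headers, body).
    Header names are lower-cased; repeated headers are joined with ', '."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return lines[0], headers, body


def audit_headers(headers: dict) -> list:
    """Return findings for missing or weak security headers, in a stable order."""
    findings = [f"missing: {name}" for name in REQUIRED_HEADERS if name not in headers]
    hsts = headers.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not m or int(m.group(1)) < HSTS_MIN_MAX_AGE):
        findings.append(f"weak: strict-transport-security max-age below one year ({hsts})")
    xcto = headers.get("x-content-type-options", "")
    if xcto and xcto.lower() != "nosniff":
        findings.append(f"weak: x-content-type-options is '{xcto}', expected 'nosniff'")
    server = headers.get("server", "")
    if re.search(r"\d", server):
        findings.append(f"info: server header discloses version ({server})")
    return findings


def extract_libraries(body: str) -> list:
    """Return (name, version) pairs for assets loaded from the CDNs above.
    Locally hosted assets (no recognised CDN pattern) are skipped."""
    urls = re.findall(r"""(?:src|href)=["']([^"']+)["']""", body)
    found = []
    for url in urls:
        for pattern in CDN_PATTERNS:
            m = pattern.search(url)
            if m:
                found.append((m.group("name"), m.group("version")))
                break
    return found


def scan(raw: str) -> dict:
    """Run both checks over one raw response and return a report dict."""
    status, headers, body = split_response(raw)
    return {
        "status": status,
        "header_findings": audit_headers(headers),
        "libraries": extract_libraries(body),
    }


if __name__ == "__main__":
    report = scan(SAMPLE_RESPONSE)
    print(report["status"])
    for finding in report["header_findings"]:
        print("  ", finding)
    for name, version in report["libraries"]:
        print("  library:", name, version)
```

The extracted (name, version) pairs are the input to the CVE lookup the skill describes; the example deliberately stops at extraction rather than embedding a vulnerability table, because that data must come from a current advisory source at scan time. A browser-rendered DOM would give you the same library list but none of the header findings, which is the point of the tool requirement.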