Add dependency-auditor skill
Problem it solves: Raw npm audit / pip-audit output is noisy. Dev-only vulnerabilities, unreachable transitive deps, and withdrawn CVEs create alert fatigue. Teams either ignore all findings or waste hours triaging false positives.
What it does:
Real use case: Run "audit my deps" on a Node.js project. Raw npm audit shows 47 vulnerabilities. After classification: 2 are critical-runtime (auto-fixed), 5 are dev-only, 12 are unreachable transitive. Noise reduced from 47 to 2 actionable items.
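As an added illustration of the triage the use case above describes (example code, not the dependency-auditor project's own): a classifier over `npm audit --json` output that joins each finding with the package-lock.json "dev" flags and a supplied list of withdrawn advisories; reachability of transitive deps is not attempted here. The report and lockfile shapes are assumed from npm v7+ (auditReportVersion 2, lockfileVersion 2/3), and all sample data is constructed.

```python
"""Classify `npm audit --json` findings using package-lock.json dev flags.

Added example, not the dependency-auditor project's own code. Assumes the
npm v7+ report format (auditReportVersion 2) and a lockfileVersion 2/3
package-lock.json, whose "packages" map marks dev-only installs with
"dev": true. All sample data below is constructed for illustration."""
import json

# Constructed sample report: runtime, dev-only and withdrawn findings.
AUDIT_JSON = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "runtime-lib": {"severity": "critical", "isDirect": True,
        "via": [{"title": "RCE in parser", "url": "https://example.invalid/adv/1"}],
        "nodes": ["node_modules/runtime-lib"], "fixAvailable": True},
    "build-helper": {"severity": "high", "isDirect": False,
        "via": [{"title": "ReDoS", "url": "https://example.invalid/adv/2"}],
        "nodes": ["node_modules/build-helper"], "fixAvailable": True},
    "old-lib": {"severity": "moderate", "isDirect": True,
        "via": [{"title": "Withdrawn advisory", "url": "https://example.invalid/adv/3"}],
        "nodes": ["node_modules/old-lib"], "fixAvailable": False},
}})
# Constructed lockfile: build-helper is installed only as a devDependency.
LOCK_JSON = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo"},
    "node_modules/runtime-lib": {"version": "1.0.0"},
    "node_modules/build-helper": {"version": "2.0.0", "dev": True},
    "node_modules/old-lib": {"version": "0.9.0"},
}})
WITHDRAWN = {"https://example.invalid/adv/3"}  # constructed withdrawn list

def classify(audit_json, lock_json, withdrawn=frozenset()):
    """Map each vulnerable package name to one triage bucket."""
    packages = json.loads(lock_json)["packages"]
    result = {}
    for name, vuln in json.loads(audit_json)["vulnerabilities"].items():
        # 'via' mixes advisory dicts with plain strings that only name the
        # transitive dependency carrying the vulnerability.
        urls = {v["url"] for v in vuln["via"] if isinstance(v, dict)}
        if urls and urls <= withdrawn:
            result[name] = "withdrawn"          # every advisory retracted
        elif all(packages.get(n, {}).get("dev") for n in vuln["nodes"]):
            result[name] = "dev-only"           # never shipped to runtime
        elif vuln["severity"] in ("critical", "high"):
            result[name] = "critical-runtime"   # the actionable bucket
        else:
            result[name] = "runtime-low"
    return result

if __name__ == "__main__":
    print(classify(AUDIT_JSON, LOCK_JSON, WITHDRAWN))
```

Unreachable transitive deps would need call-graph or import analysis on top of this; without the withdrawn list the same advisory falls back to a runtime bucket.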
Source code: https://github.com/manja316/claude-dependency-auditor (MIT)
Tested on: Claude Code CLI with Node.js, Python, and Rust projects