meterian/security-audit

Use for dependency security audits and compliance checks. Use when auditing project dependencies for vulnerabilities, answering "is [library] [version] safe?" questions, or remediating vulnerable libraries. Also activates automatically when the user opens or modifies a manifest file (package.json, package-lock.json, yarn.lock, pnpm-lock.yaml, requirements.txt, pom.xml, Cargo.toml, go.mod, Gemfile, composer.json, build.gradle, *.csproj, pubspec.yaml, conanfile.txt, conanfile.py, project.clj, deps.edn, Package.swift, pubspec.lock, Package.resolved, Gemfile.lock, poetry.lock, uv.lock, Cargo.lock, composer.lock).

Score: 96 (Quality 90%, Impact 99%, 1.83x; average across 8 eval scenarios). Security check by Snyk: passed, no known issues.

SKILL.md

---
name: security-audit
description: >
  Activate for ANY dependency audit, vulnerability scan, package safety check, pre-deployment/compliance security review, or any request to assess, verify, or provide evidence of the security of third-party packages or libraries — including 'is [library] [version] safe?' queries and remediation of insecure packages. Uses the Meterian CLI (npx @meterian/cli) for cross-language, unified dependency scanning with a shared advisory database covering Node.js, Python, Java, Rust, Go, Ruby, .NET, PHP, Dart, and more. Also activates automatically when the user opens or modifies a manifest file (package.json, package-lock.json, yarn.lock, pnpm-lock.yaml, requirements.txt, pom.xml, Cargo.toml, go.mod, Gemfile, composer.json, build.gradle, *.csproj, pubspec.yaml, conanfile.txt, conanfile.py, project.clj, deps.edn, Package.swift, pubspec.lock, Package.resolved, Gemfile.lock, poetry.lock, uv.lock, Cargo.lock, composer.lock).
metadata: {"short-description":"Audit dependencies/packages for vulnerabilities and get remediation advice","version":"1.0.12"}
---

Meterian Security Audit

You have access to the Meterian CLI (@meterian/cli). Always invoke it via npx @meterian/cli (not a bare meterian command) — this ensures cross-language support and access to the full Meterian advisory database.

Language Parameter Reference

Always use the following mapping to determine the language parameter:

| Manifest file | language |
|---------------|----------|
| package.json, package-lock.json, yarn.lock, pnpm-lock.yaml | nodejs |
| requirements.txt, Pipfile, pyproject.toml, poetry.lock, uv.lock | python |
| pom.xml | java |
| build.gradle, build.gradle.kts | java |
| Cargo.toml, Cargo.lock | rust |
| composer.json, composer.lock | php |
| Gemfile, Gemfile.lock | ruby |
| go.mod, go.sum | golang |
| *.csproj | dotnet |
| conanfile.txt, conanfile.py | cpp |
| pubspec.yaml, pubspec.lock | dart |
| project.clj, deps.edn | clojure |
| Package.swift, Package.resolved | swift |

Mode A — Full Dependency Audit

When asked to audit, scan, or check all dependencies:

  1. Find all manifest files in the workspace using Glob (search for the filenames in the Language Parameter Reference table above)

  2. Extract dependencies with their pinned versions:

    • If a lock file is available, extract all dependencies from it (direct and transitive) — lock files contain the full resolved dependency tree
    • If no lock file is available, extract direct dependencies from the manifest; use the minimum bound of any version range as the version to check

  3. Build a JSON array of {language, name, version} objects and pipe it to the CLI:

echo '<json-array>' | npx @meterian/cli check

  4. The CLI returns a compact JSON report. Present results in one single table — one row per vulnerability — using exactly these five column headers: Package, Version, Severity, ID, Safe Versions. Do not split information across multiple tables. Include a summary line in exactly this format: X vulnerabilities found across Y packages (Z clean).

## Meterian Security Audit Report

| Package | Version | Severity | ID | Safe Versions |
|---------|---------|----------|----|---------------|
| lodash  | 4.17.15 | HIGH     | CVE-2021-23337 | 4.17.21 |
...

X vulnerabilities found across Y packages (Z clean).

If vulnerable is empty, output: "✅ No vulnerabilities detected across N packages."

  5. After presenting the report, if vulnerabilities were found:

    • Offer remediation (see Mode C below)
    • Ask if the user would like to run a reachability analysis to determine which vulnerabilities are actually exploitable in their codebase.
      • If yes → invoke the reachability-analysis skill, including the list of vulnerable packages (name, version, CVE ID) in the invocation prompt
      • If no → end the audit flow

    If no vulnerabilities were found, the audit is complete — do not propose reachability analysis.

Mode B — Ad-hoc Security Query

When asked "is [library] [version] safe?" or similar:

  1. Identify the library name and version from the question
  2. Determine the language from context (file open in editor, explicit mention, or ask the user)
  3. Run:

npx @meterian/cli advisories get <language> <name> <version>

  4. Report findings inline: list each advisory with its severity, id, and description

Mode C — Remediation

For each vulnerable dependency:

  1. The check output already contains safeVersions — an array ordered [latestPatch, latestMinor, latestMajor] (nulls excluded). Select the first (least-disruptive) entry.
  2. Determine the bump level:
    • Patch: apply automatically
    • Minor or Major: show the proposed change and ask for confirmation before applying

Update the version in the manifest file and/or run the ecosystem's install command (e.g. npm install lodash@4.17.21, cargo update -p <crate>, pip install <pkg>==<ver>).

After applying all fixes, re-run the full audit (Mode A). If new vulnerabilities are found, repeat the remediation cycle. If all are clean, output: "✅ All packages are now clean."
