
ghost-scan-deps

Ghost Security - Software Composition Analysis (SCA) scanner. Scans dependency lockfiles for known vulnerabilities, identifies CVEs, and generates findings with severity levels and remediation guidance. Use when the user asks about dependency vulnerabilities, vulnerable packages, CVE checks, security audits of dependencies, or wants to scan lockfiles like package-lock.json, yarn.lock, go.sum, or Gemfile.lock.

Install with Tessl CLI

npx tessl i github:ghostsecurity/skills --skill ghost-scan-deps

93

1.07x

Does it follow best practices?

Evaluation 73%

1.07x

Agent success when using this skill

Validation for skill structure


Evaluation results

90%

22%

Security Audit for Node.js Payment Service

Finding ID format and severity classification

| Criteria | Without context | With context |
| --- | --- | --- |
| Finding ID slug format | 0% | 100% |
| Wraith binary used | 0% | 100% |
| CVSS severity HIGH threshold | 100% | 100% |
| CVSS severity MEDIUM threshold | 100% | 0% |
| False positive rate present | 80% | 100% |
| Exploitability criteria applied | 100% | 100% |
| Findings sorted by severity | 60% | 100% |
| Remediation commands included | 60% | 100% |
| lodash prototype pollution finding | 100% | 100% |
| axios SSRF candidate analyzed | 100% | 100% |

Without context: $0.4937 · 3m 10s · 15 turns · 20 in / 10,450 out tokens

With context: $3.3935 · 15m 49s · 44 turns · 3,684 in / 11,580 out tokens

80%

16%

Dependency Audit for a Python Data Platform

Lockfile discovery and prioritization

| Criteria | Without context | With context |
| --- | --- | --- |
| poetry.lock chosen over requirements.txt | 0% | 0% |
| Ecosystem label is 'pypi' | 66% | 100% |
| Sequential ID starting from 1 | 50% | 100% |
| Relative path used | 100% | 100% |
| lockfile_inventory.json structure | 100% | 100% |
| scan_report.md produced | 100% | 100% |
| No node_modules or vendor dirs | 100% | 100% |
| Wraith scanner used | 100% | 100% |
| cryptography vulnerability analyzed | 80% | 100% |
| False positive statistics present | 0% | 100% |

Without context: $0.4798 · 2s · 1 turns · 3 in / 30 out tokens

With context: $4.4694 · 18m 5s · 44 turns · 328 in / 9,056 out tokens

51%

-21%

Vulnerability Review for an E-Commerce API

Exploitability analysis and false positive filtering

| Criteria | Without context | With context |
| --- | --- | --- |
| lodash test-only identified | 100% | 25% |
| Test-only reason documented | 100% | 0% |
| Production files checked | 100% | 0% |
| False positive rate calculated | 70% | 100% |
| Finding ID format correct | 0% | 100% |
| All 5 exploitability criteria addressed | 80% | 33% |
| CVSS severity threshold applied | 80% | 100% |
| Remediation guidance present | 40% | 100% |
| Uncertain cases flagged for review | 60% | 20% |
| Report output path referenced | 0% | 100% |

Without context: $0.4272 · 2m 17s · 13 turns · 16 in / 7,809 out tokens

With context: $2.2267 · 9m 23s · 40 turns · 83 in / 8,197 out tokens

Evaluated
Agent: Claude Code
Model: Unknown
