supply-chain-advisory
'Supply chain security patterns for dependency management: known-bad version detection, incident response, lockfile auditing, and artifact scanning
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/athola/nm-leyline-supply-chain-advisoryNight Market Skill — ported from claude-night-market/leyline. For the full experience with agents, hooks, and commands, install the Claude Code plugin.
Overview
Supply chain attacks bypass traditional code review by compromising upstream dependencies. This skill provides patterns for detecting, preventing, and responding to compromised packages in Python ecosystems.
When To Use
- After a supply chain advisory is published
- When auditing dependencies for a new or existing project
- During incident response for a suspected compromise
- When adding the SessionStart hook to a project
When NOT To Use
- General CVE triage unrelated to dependency supply chain
- Application-level vulnerability scanning (use a SAST tool)
- License compliance audits (different concern)
Known-Bad Versions Blocklist
The blocklist lives at ${CLAUDE_SKILL_DIR}/known-bad-versions.json.
It is consumed by:
- SessionStart hook — warns per-session when compromised versions detected
make supply-chain-scan— CI/local scanning target- This skill — manual audit guidance
Blocklist Format
{
"package_name": [{
"versions": ["x.y.z"],
"date": "YYYY-MM-DD",
"description": "What the attack did",
"indicators": ["files or patterns to search for"],
"source": "advisory URL",
"severity": "critical|high|medium"
}]
}
Adding a New Entry
- Add the entry to
${CLAUDE_SKILL_DIR}/known-bad-versions.json - Add version exclusions (
!=x.y.z) to affectedpyproject.tomlfiles - Document in
docs/dependency-audit.mdunder Supply Chain Incidents - Run
make supply-chain-scanto verify detection works
Quick Scan Commands
Check all lockfiles on machine for known-bad versions
# Scan uv.lock files for a specific compromised version
grep -r "package_name.*version" --include="uv.lock" /path/to/projects
# Search for malicious artifacts
find /path/to/projects -name "suspicious_file.pth" 2>/dev/null
# Check installed versions in virtualenvs
find /path/to/projects -path "*/.venv/lib/*/PACKAGE*/METADATA" \
-exec grep "^Version:" {} +
Verify lockfile hash integrity
uv.lock includes SHA256 hashes for every package. If a package is
re-published with different content under the same version, uv sync
will fail with a hash mismatch. This is your strongest automatic defense.
Defense Layers
| Layer | Tool | Catches |
|---|---|---|
| Lockfile hashes | uv.lock SHA256 | Tampered re-published versions |
| Version exclusions | pyproject.toml != | Known-bad versions on fresh resolve |
| SessionStart hook | sanctum hook | Per-session warning for compromised deps |
| CI scanning | OSV + Safety | CVE database + advisory matching |
| Artifact scanning | make supply-chain-scan | Malicious files (.pth, scripts) |
Limitations
Metadata
Not sure this is the right skill?
Describe what you want to build — we'll match you to the best skill from 16,000+ options.
Find the right skillPaste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-athola-nm-leyline-supply-chain-advisory": {
"enabled": true,
"auto_update": true
}
}
}Related Skills
extract
Analyze a codebase and build a knowledge base of business logic, architecture, data flow, and engineering patterns. The foundation for gauntlet challenges and agent integration
discourse
>- Scan community discussion channels (HN, Lobsters, Reddit, tech blogs) for experience reports and opinions on a topic
synthesize
>- Merge, deduplicate, rank, and format research findings from multiple channels into a coherent report. Use after research agents return their results
workflow-monitor
Detect workflow failures and inefficient patterns, then create GitHub issues for improvement via /fix-workflow
architecture-paradigm-hexagonal
Hexagonal (Ports and Adapters) architecture isolating domain logic from infrastructure