Which programming ecosystems does this skill support?

It features automated data gathering for npm (Node.js), PyPI (Python), Cargo (Rust), and Go, but the manual framework can be applied to any programming language or package manager.

What metrics does it use to evaluate a library?

The skill analyzes 10 key signals: maintenance activity, security posture, community health, documentation quality, dependency footprint, production adoption, license compatibility, API stability, funding, and ecosystem momentum.

Does it require external API keys?

While it can gather data using standard web tools, it is most effective when allowed to use the GitHub API and ecosystem-specific CLI tools to pull real-time maintenance data.

How does the recommendation system work?

It provides a weighted score and categorizes dependencies into three states: ADOPT (safe to use), EVALUATE FURTHER (proceed with caution), or AVOID (high risk/blockers found).

Can it detect malicious packages?

Yes, the skill is programmed to look for specific red flags such as typosquatting, suspicious ownership transfers, and post-install scripts that make unauthorized network calls.

Dependency Evaluator

Name: Dependency Evaluator
Author: princespaghetti

byprincespaghetti

Seguridad y Pruebas

Evaluates the health and risk of programming dependencies through a systematic 10-signal analysis to prevent technical debt and security vulnerabilities.

Acerca de

The Dependency Evaluator skill provides a rigorous framework for assessing third-party libraries before they are integrated into a project. By analyzing critical factors such as maintenance activity, security posture, license compatibility, and community health, it helps developers make informed decisions about their software supply chain. It goes beyond surface-level metrics like GitHub stars to provide a deep, evidence-based assessment across major ecosystems including npm, PyPI, Cargo, and Go, ultimately delivering a clear recommendation to adopt, evaluate further, or avoid a package.

Características Principales

Detection of critical red flags including typosquatting and supply chain risks.
Standardized scoring reports with weighted criticality for different project types.
Automated data gathering scripts for npm, PyPI, Cargo, and Go ecosystems.
0 GitHub stars
Multi-signal evaluation framework covering security, maintenance, and license compliance.
Comparison logic to evaluate alternative libraries for the same use case.

Casos de Uso

Vetting new packages before adding them to a production codebase.
Auditing existing project dependencies for maintenance or security rot.
Identifying the safest and most stable alternative among multiple library options.

Acerca de

Características Principales

Detection of critical red flags including typosquatting and supply chain risks.
Standardized scoring reports with weighted criticality for different project types.
Automated data gathering scripts for npm, PyPI, Cargo, and Go ecosystems.
0 GitHub stars
Multi-signal evaluation framework covering security, maintenance, and license compliance.
Comparison logic to evaluate alternative libraries for the same use case.

Casos de Uso

Vetting new packages before adding them to a production codebase.
Auditing existing project dependencies for maintenance or security rot.
Identifying the safest and most stable alternative among multiple library options.