Dependency Health Check

Automated security audit and health check for software dependencies across polyglot projects.

Install
cmdop skills install agensi-dependency-health-check

Dependency Health Check is a skill published by agensi that automates security and maintenance auditing of a project’s dependency tree across polyglot codebases. It detects the package managers present in a project, extracts dependency versions from manifests, and cross-references them against security advisories to surface known CVEs and vulnerabilities using local ecosystem tools and internal reference tables.

Beyond security, the skill flags packages that are deprecated or have not received an update in over 12 months, identifying what the description calls “ghost” packages that represent quiet maintenance risk. It also detects version drift, meaning production dependencies that have fallen behind major or minor upstream releases, and checks environment integrity by finding version conflicts across manifests and identifying missing lockfiles.

The skill covers nine package ecosystems: npm, yarn, and pnpm for Node.js; pip and poetry for Python; Go modules; Cargo for Rust; Bundler for Ruby; and Maven for Java. Results are delivered as a structured, multi-tier health report that groups findings by severity so developers can prioritize remediation. The skill applies a deterministic classification framework rather than freeform analysis, which means findings are consistent across runs. It is a skill, not an MCP server, so it has no exposed network tools and does not require environment variable configuration.

Use cases

  • Audit a monorepo for known CVEs before a production release
  • Identify unmaintained dependencies that have not been updated in over 12 months
  • Detect version conflicts between package manifests in a polyglot project
  • Find missing lockfiles that could introduce non-deterministic builds
  • Check version drift to see how far behind major or minor releases production packages have fallen
  • Generate a prioritized maintenance report to reduce dependency-related technical debt

When to use it

  • The project uses one or more of the supported ecosystems: npm, yarn, pnpm, pip, poetry, Go modules, Cargo, Bundler, or Maven
  • A structured, repeatable dependency audit is needed across a polyglot codebase
  • Security findings need to be consistently classified rather than heuristically summarized
  • Pre-release checks require a multi-tier health report covering security, maintenance status, and environment integrity

When not to use it

  • The project uses a package ecosystem not in the supported list, such as NuGet (.NET) or CocoaPods (Swift/Objective-C)
  • Real-time or continuous monitoring of a live environment is required, as this is an on-demand skill rather than a persistent service
  • Direct remediation or automated dependency upgrades are needed, since the skill reports findings but does not apply fixes
  • An MCP server with callable network tools is required; this capability exposes no such tools