Agent skills: audit, upgrades, triage
Three downloadable skills that teach Claude Code (or any agent) the optimal way to use the DevUpdate.io MCP server: a full dependency audit, safe upgrades, and security triage when no clean fix exists.
The MCP server gives an agent the data: security issues, available upgrades, release-by-release breaking changes. The skills give it the judgement: tested playbooks for turning that data into a complete audit, safe upgrade PRs, and honest risk decisions. Three skills, composable:
| Skill | What it encodes | Use when |
|---|---|---|
devupdate-audit | The full audit: security issues first (by fix_status), then upgrade hygiene, then the unmonitored gap, then a report with receipts. Orchestrates the other two. | "Are we exposed?", periodic health checks, "audit our dependencies" |
devupdate-dependency-upgrades | Wave-based upgrades: verified-critical first (through parents/overrides when blocked), routine batch, majors individually with release details read first. | "Catch us up", upgrade sessions |
devupdate-security-triage | What to do when there's no clean fix: confirm exposure locally, apply the advisory's verbatim workaround, override blocked fixes, vendor-patch or replace, record accepted risk. Treats MAL-* advisories as incidents. | Unfixed CVEs, blocked fixes, malicious packages |
Download #
devupdate-audit · devupdate-dependency-upgrades · devupdate-security-triage. One file each, plain markdown; works with Claude Code, claude.ai projects, and any agent that accepts markdown instructions.
For Claude Code, install them into the repository so every session (including web sessions) picks them up automatically:
for skill in devupdate-audit devupdate-dependency-upgrades devupdate-security-triage; do
mkdir -p .claude/skills/$skill
curl -o .claude/skills/$skill/SKILL.md \
https://devupdate.io/skills/$skill/SKILL.md
doneCommit the files. Claude Code loads skills from .claude/skills/ and
invokes the right one from your ask: "audit our dependencies" routes to
devupdate-audit, which delegates to the other two as needed. Personal
rather than per-repo? Put them in ~/.claude/skills/ instead.
For other clients (Cursor, claude.ai, custom agents), paste a file's contents into the system prompt or project instructions; it's plain markdown with no Claude-specific syntax beyond the frontmatter.
The skills assume the MCP server is connected; set that up first.
How the audit composes #
The short version of the devupdate-audit playbook:
- Establish scope with
get_security_issues+get_upgrades(whose rollup names the dependencies we don't monitor — the audit names its blind spots). - Security issues first, ordered by
fix_status:fix_available→ the upgrades skill takes it (wave 1);fix_blocked→ parent upgrade or override/resolution;fix_unreleased→ the security-triage skill.MAL-*ids skip triage entirely: remove, contain, rotate. - Exposure is confirmed locally. Each issue names its advisory; the agent greps your working tree for the vulnerable API or config before resizing any severity. DevUpdate.io never sees the code; it supplies what to look for, the agent does the looking.
- Upgrade hygiene via the upgrades skill's waves.
- The gap: a native registry audit (
npm audit,pip-audit) scoped to unmonitored dependencies only, since for monitored ones our data is the same OSV/GHSA database, already checked against your pins. - Report with receipts: fixed / mitigated / accepted risk / coverage, every line carrying its advisory or upgrade id so the reader can verify without trusting the report.
Why skills and not just the tools? #
Tool descriptions travel with every request, so they stay terse. The playbooks are the opposite: long, opinionated, and only needed when the agent is actually doing the work. Shipping them as skills means the agent loads exactly the judgement it needs, exactly then, and you can edit your copies to match how your team works (pin Node majors, never auto-take database drivers, route accepted risks into your own register). They're your files once you download them.