Nm Leyline Supply Chain Advisory

v1.0.0

Supply chain security patterns for dependency management: known-bad version detection, incident response, lockfile auditing, and artifact scanning

Security Scan
VirusTotal: Pending
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (supply-chain advisory for dependency management) align with the provided guidance: lockfile parsing, artifact scanning, blocklist management, and incident-response checklists. The declared config path (night-market.error-patterns) is plausibly a platform config the skill expects; its use is referenced in metadata though not elaborated in the human-facing text (minor mismatch but not a functional red flag).
Instruction Scope
SKILL.md instructs scanning lockfiles, searching home/project trees, and capturing environment snapshots (env > /tmp/...). Those steps fall inside legitimate incident-response workflows but do involve broad filesystem scanning and collection of environment variables (which may include secrets). The instructions do not direct data to external endpoints or request unrelated system modifications.
Install Mechanism
No install spec and no code files to run at install time — the skill is instruction-only, which minimizes install-time risk. The embedded Python snippets are examples for implementers, not executables fetched at install.
Credentials
The skill does not require environment variables or credentials in its manifest, which is proportional. However, the incident-response guidance explicitly captures the full environment for forensics; capturing env is reasonable in IR but is sensitive because it can expose secrets — this is a functional necessity rather than an unjustified request for credentials.
Persistence & Privilege
The skill is not always-on, does not request elevated platform privileges, and does not modify other skills' configs. Agent autonomous invocation is allowed (platform default) but not combined with other concerning flags.
Assessment
This skill is coherent with a supply-chain incident-response role and is instruction-only (no install or external downloads). Before using: (1) review any commands that search your home or project directories and restrict paths to only the projects you intend to scan (avoid automated whole-home scans unless needed); (2) be aware that the IR checklist recommends capturing the full environment (env > /tmp/...), which will include secrets — treat those snapshots as highly sensitive, store them securely, and delete when no longer needed; (3) verify where known-bad-versions.json will be stored and who can read/write it; (4) do not run suggested commands as root unless unavoidable; and (5) if you enable autonomous agent invocation, ensure the agent is permitted only to suggest actions (not to execute destructive remediation) unless you fully trust the environment. If you want higher assurance, request or inspect the project's known-bad-versions.json and any team-specific hooks referenced in the metadata before enabling the skill.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🦞 Clawdis
Config: night-market.error-patterns
MIT-0

Night Market Skill — ported from claude-night-market/leyline. For the full experience with agents, hooks, and commands, install the Claude Code plugin.

Overview

Supply chain attacks bypass traditional code review by compromising upstream dependencies. This skill provides patterns for detecting, preventing, and responding to compromised packages in Python ecosystems.

When To Use

  • After a supply chain advisory is published
  • When auditing dependencies for a new or existing project
  • During incident response for a suspected compromise
  • When adding the SessionStart hook to a project

When NOT To Use

  • General CVE triage unrelated to dependency supply chain
  • Application-level vulnerability scanning (use a SAST tool)
  • License compliance audits (different concern)

Known-Bad Versions Blocklist

The blocklist lives at ${CLAUDE_SKILL_DIR}/known-bad-versions.json. It is consumed by:

  1. SessionStart hook — warns per-session when compromised versions detected
  2. make supply-chain-scan — CI/local scanning target
  3. This skill — manual audit guidance

Blocklist Format

{
  "package_name": [{
    "versions": ["x.y.z"],
    "date": "YYYY-MM-DD",
    "description": "What the attack did",
    "indicators": ["files or patterns to search for"],
    "source": "advisory URL",
    "severity": "critical|high|medium"
  }]
}

Adding a New Entry

  1. Add the entry to ${CLAUDE_SKILL_DIR}/known-bad-versions.json
  2. Add version exclusions (!=x.y.z) to affected pyproject.toml files
  3. Document in docs/dependency-audit.md under Supply Chain Incidents
  4. Run make supply-chain-scan to verify detection works

Quick Scan Commands

Check all lockfiles on machine for known-bad versions

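# Scan uv.lock files for a specific compromised version.
# uv.lock puts name and version on consecutive lines, so match the name
# and then check the line that follows it for the version.
grep -r -A1 --include="uv.lock" '^name = "package_name"' /path/to/projects \
  | grep -F 'version = "x.y.z"'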

# Search for malicious artifacts
find /path/to/projects -name "suspicious_file.pth" 2>/dev/null

# Check installed versions in virtualenvs
find /path/to/projects -path "*/.venv/lib/*/PACKAGE*/METADATA" \
  -exec grep "^Version:" {} +

Verify lockfile hash integrity

uv.lock includes SHA256 hashes for every package. If a package is re-published with different content under the same version, uv sync will fail with a hash mismatch. This is your strongest automatic defense.

Defense Layers

Layer              | Tool                   | Catches
Lockfile hashes    | uv.lock SHA256         | Tampered re-published versions
Version exclusions | pyproject.toml !=      | Known-bad versions on fresh resolve
SessionStart hook  | sanctum hook           | Per-session warning for compromised deps
CI scanning        | OSV + Safety           | CVE database + advisory matching
Artifact scanning  | make supply-chain-scan | Malicious files (.pth, scripts)

Limitations

  • Zero-day supply chain attacks have no prior advisory — lockfile hashes are the only automatic defense during the attack window
  • Safety/CVE databases lag behind real-world compromises
  • OSV provides broader coverage but is still reactive
