agent security skill risk: medium

Supply Chain Attack Simulation Detector

The prompt instructs a model to simulate and detect software supply chain attacks on Python packages by computing Levenshtein distances for typosquatting, checking dependency confu…

Policy sensitive
Human review
External action: medium

SKILL 4 files · 2 folders

SKILL.md

Download

---
name: performing-supply-chain-attack-simulation
description: "Simulate and detect software supply chain attacks including typosquatting detection via Levenshtein distance,"
---
# Performing Supply Chain Attack Simulation

## Overview

Software supply chain attacks exploit trust in package registries through typosquatting (registering names similar to popular packages), dependency confusion (publishing higher-version public packages matching private names), and compromised package distribution. This skill detects these attack vectors by computing Levenshtein distance between package names and popular PyPI packages, verifying package integrity via SHA-256 hash comparison, scanning for known CVEs with pip-audit, and testing dependency resolution order for confusion vulnerabilities.


## When to Use

- When conducting security assessments that involve performing supply chain attack simulation
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing

## Prerequisites

- Python 3.9+ with `pip-audit`, `Levenshtein`, `requests`
- Access to PyPI JSON API (https://pypi.org/pypi/{package}/json)
- Network access for package metadata retrieval


> **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

## Key Detection Areas

1. **Typosquatting** — compare package names against top PyPI packages using edit distance thresholds
2. **Dependency confusion** — check if internal package names exist on public PyPI with higher version numbers
3. **Hash verification** — download packages and verify SHA-256 digests match published hashes
4. **Vulnerability scanning** — audit installed packages against OSV and PyPA advisory databases
5. **Metadata anomalies** — flag packages with suspicious author emails, missing homepages, or very recent first upload dates

## Output

JSON report with risk scores per package, detected attack vectors, hash verification results, and CVE findings.

REQUIRED CONTEXT

package names to analyze

TOOLS REQUIRED

pypi_api
pip_audit

EXPECTED OUTPUT

Format

json

Schema

json · risk scores per package, detected attack vectors, hash verification results, CVE findings

Constraints

include risk scores per package
include detected attack vectors
include hash verification results
include CVE findings

CAVEATS

Dependencies

Python 3.9+ with pip-audit, Levenshtein, requests
Access to PyPI JSON API (https://pypi.org/pypi/{package}/json)
Network access for package metadata retrieval

Missing context

Target package names or list of packages to analyze
Risk scoring formula or thresholds

Ambiguities

Does not specify exact Levenshtein distance threshold value(s).
Does not detail the exact JSON schema or fields for the output report.

QUALITY

OVERALL: 0.72
CLARITY: 0.85
SPECIFICITY: 0.70
REUSABILITY: 0.65
COMPLETENESS: 0.75

IMPROVEMENT SUGGESTIONS

Add a numbered step-by-step procedure section for executing the simulation.
Specify concrete numeric thresholds (e.g., Levenshtein distance ≤ 2) and the exact output JSON schema.

USAGE

Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.