With generative AI and coding agents, we're producing code at unprecedented speed while accumulating dependencies to match. Evidence now shows AI doesn't just suggest dependencies: it hallucinates ones that don't exist. In this case, a package called "huggingface-cli" was downloaded thousands of times, including by teams at Alibaba, before anyone realized it was completely fictitious. Each hallucinated package name becomes a supply chain vulnerability waiting to be exploited, with attackers racing to register them before developers discover the mistake.
But hallucinations are just one risk in this acceleration of code generation. Even with legitimate packages, the speed creates problems. In the past, platform and security teams could influence dependency choices through documentation, approved lists, or code reviews. With AI generating suggestions instantly, those touchpoints disappear. The productivity gains are undeniable, but we're now accumulating unmaintained dependencies, vulnerable transitive packages, and license incompatibilities with minimal oversight, far faster than security teams can audit them after the fact.
As I discussed in my last post, governance teams can scale by making machine-readable guidance available to AI agents. Instead of catching dependency problems in CI/CD after code is written, we can validate packages at the moment they're suggested. The dependency-evaluator skill I built implements this approach. It embeds systematic dependency evaluation directly into Claude Code's workflow, creating that critical checkpoint between AI suggestion and developer acceptance. While I created this for Claude, the pattern can easily be applied to other competing tools.
How the Skill Works: Automatic and In-Flow
Traditional dependency evaluation requires developers to remember commands like npm audit, manual research, and security checks. The dependency-evaluator skill activates automatically when Claude detects dependency-related questions, keeping developers in flow. This works through Claude Code's skills feature. The skill's description tells Claude when to activate based on conversation context:
Evaluates whether a programming language dependency should be used by analyzing maintenance activity, security posture, community health, documentation quality, dependency footprint, production adoption, license compatibility, API stability, and funding sustainability. Use when users are considering adding a new dependency, evaluating an existing dependency, or asking about package/library recommendations.
When a developer asks, "Should I use axios for HTTP requests?" or "Add JWT authentication," Claude recognizes the context and automatically runs the necessary evaluation. No commands to remember, no workflow interruption—just systematic analysis at the moment it's needed.
Once invoked, the skill evaluates the package and returns a structured assessment:
## Dependency Evaluation: <package-name>
### Summary
[2-3 sentence overall assessment with recommendation]
**Recommendation**: [ADOPT / EVALUATE FURTHER / AVOID]
**Risk Level**: [Low / Medium / High]
**Blockers Found**: [Yes/No]
### Blockers (if any)
[List any dealbreaker issues - these override all scores]
- ⛔ [Blocker description with specific evidence]
### Evaluation Scores
| Signal | Score | Weight | Notes |
|--------|-------|--------|-------|
| Maintenance | X/5 | [H/M/L] | [specific evidence with dates/versions] |
| Security | X/5 | [H/M/L] | [specific evidence] |
| Community | X/5 | [H/M/L] | [specific evidence] |
| Documentation | X/5 | [H/M/L] | [specific evidence] |
| Dependency Footprint | X/5 | [H/M/L] | [specific evidence] |
| Production Adoption | X/5 | [H/M/L] | [specific evidence] |
| License | X/5 | [H/M/L] | [specific evidence] |
| API Stability | X/5 | [H/M/L] | [specific evidence] |
| Funding/Sustainability | X/5 | [H/M/L] | [specific evidence] |
| Ecosystem Momentum | X/5 | [H/M/L] | [specific evidence] |
**Weighted Score**: X/50 (adjusted for dependency criticality)
### Key Findings
#### Strengths
- [Specific strength with evidence]
- [Specific strength with evidence]
#### Concerns
- [Specific concern with evidence]
- [Specific concern with evidence]
### Alternatives Considered
[If applicable, mention alternatives worth evaluating]
### Recommendation Details
[Detailed reasoning for the recommendation with specific evidence]
### If You Proceed (for ADOPT recommendations)
[Specific advice tailored to risks found]
- Version pinning strategy
- Monitoring recommendations
- Specific precautions based on identified concerns
The skill provides this analysis in under a minute, offering systematic evaluation at the moment developers need it, not after problems reach production. View the full skill implementation and example evaluations showing how the skill assesses packages across different risk scenarios.
Beyond Dependencies: A Pattern for Embedding Expertise
Skills like this provide actionable ways for security teams to influence development decisions in the age of generative AI. With economic headwinds and calls for more productivity with existing headcounts, machine-readable guidance lets even a single security engineer embed expertise directly into AI-assisted workflows at scale.
The dependency-evaluator skill is one example, but this pattern extends to any domain where you need to guide AI suggestions with organizational knowledge: API design standards, cloud resource configuration, authentication patterns, or infrastructure choices. What will you build to embed your expertise into AI-assisted development?
Top comments (0)