Skill: `ultrasafe-supply-chain-auditor`
Install: `claude install-skill SoliEstre/EstreGenesis`
# Supply Chain Auditor — Ultrasafe Attacker Skill
> **Role**: Pre-release simulated penetration testing from the dependency vulnerability / SBOM mismatch / typosquatting / signing-chain perspective.
> **Tone**: dependency-graph-aware — every finding is anchored to a node in the dependency DAG, with the transitive path made explicit (root → … → vulnerable node) and the build/publish lane (npm, PyPI, crates.io, Go module proxy, container registry) named.
> **Output**: `ULTRASAFE_FINDING` A2A intents (Constellation §13.16, runtime wire = Ultrasafe.md §18.1) — advisory only in v0.2.x.
> **Position**: Agent 3 of the 8-agent Ultrasafe fan-out (Ultrasafe.md §15.3).
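The **Tone** line above requires every finding to be anchored to a node in the dependency DAG with its transitive path spelled out. The following is an added illustration of that anchoring for the npm lane; it is not code from this skill or from the EstreGenesis project. It builds the DAG from an npm `package-lock.json` (lockfileVersion 2/3 `packages` map, using npm's nested `node_modules` resolution order), matches nodes against an advisory list, and emits one finding per affected *node* with the explicit `root -> ... -> vulnerable node` path. The lockfile contents, package names, versions and advisory ids are all constructed sample data; the same package name appears twice at different versions so that only the vulnerable copy is reported.

```javascript
// Added example, not part of the Ultrasafe skill or the EstreGenesis project.
// Builds the dependency DAG of an npm package-lock.json (lockfileVersion 2/3
// "packages" map) and reports each vulnerable node with its explicit transitive
// path root -> ... -> vulnerable node, naming the lane (npm).
// Everything below (lockfile, names, versions, advisory ids) is constructed sample data.

// Constructed lockfile: `header-utils` exists twice (hoisted 3.1.0 and a nested 2.0.0
// under web-framework), so a finding must name the node path, not just the package name.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0",
          dependencies: { "web-framework": "^2.0.0", "cli-colors": "^1.0.0" } },
    "node_modules/web-framework": { version: "2.3.1",
          dependencies: { "http-parser-lib": "^0.9.0", "header-utils": "^2.0.0" } },
    "node_modules/web-framework/node_modules/header-utils": { version: "2.0.0" },
    "node_modules/http-parser-lib": { version: "0.9.4",
          dependencies: { "header-utils": "^3.0.0" } },
    "node_modules/header-utils": { version: "3.1.0" },
    "node_modules/cli-colors": { version: "1.2.0" },
  },
};

// Constructed advisories (placeholder ids, not real identifiers): name + first fixed version.
const SAMPLE_ADVISORIES = [
  { id: "ADVISORY-PLACEHOLDER-1", name: "header-utils", fixedIn: "2.5.0" },
  { id: "ADVISORY-PLACEHOLDER-2", name: "http-parser-lib", fixedIn: "0.10.0" },
];

// Compare two plain x.y.z versions (prerelease tags are not handled in this example).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// npm resolution order: <from>/node_modules/<dep>, then each enclosing package's
// node_modules, finally the root node_modules.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${depName}` : `${base}/node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Package name of a lockfile node path: the segment after the last "node_modules/".
function nodeName(path, packages) {
  if (path === "") return packages[""].name;
  return path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
}

// DAG as an adjacency list keyed by node path. Unresolvable deps are skipped here;
// a real audit would flag them as a lockfile/SBOM mismatch.
function buildGraph(lockfile) {
  const { packages } = lockfile;
  const graph = {};
  for (const [path, entry] of Object.entries(packages)) {
    graph[path] = [];
    for (const dep of Object.keys(entry.dependencies || {})) {
      const target = resolveDep(packages, path, dep);
      if (target !== null) graph[path].push(target);
    }
  }
  return graph;
}

// BFS from the root node "" records a parent for every reachable node, which
// yields a shortest explicit path root -> ... -> node.
function shortestPaths(graph) {
  const parent = { "": null };
  const queue = [""];
  while (queue.length) {
    const cur = queue.shift();
    for (const next of graph[cur] || []) {
      if (!(next in parent)) { parent[next] = cur; queue.push(next); }
    }
  }
  return parent;
}

// One finding per vulnerable node (not per package name), lane named, path explicit.
function auditLockfile(lockfile, advisories) {
  const { packages } = lockfile;
  const parent = shortestPaths(buildGraph(lockfile));
  const label = (p) => `${nodeName(p, packages)}@${packages[p].version}`;
  const findings = [];
  for (const path of Object.keys(packages)) {
    if (path === "" || !(path in parent)) continue; // root, or not reachable from root
    const name = nodeName(path, packages);
    for (const adv of advisories) {
      if (adv.name !== name || compareVersions(packages[path].version, adv.fixedIn) >= 0) continue;
      const chain = [];
      for (let p = path; p !== null; p = parent[p]) chain.unshift(label(p));
      findings.push({ lane: "npm", advisory: adv.id, node: path, package: label(path), path: chain });
    }
  }
  return findings.sort((x, y) => x.node.localeCompare(y.node));
}

for (const f of auditLockfile(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES)) {
  console.log(`[${f.lane}] ${f.advisory} at ${f.node}: ${f.path.join(" -> ")}`);
}
```

Run with `node audit.js`. The hoisted `header-utils@3.1.0` is reachable (via `http-parser-lib`) but above the fixed version, so it produces no finding; the nested `header-utils@2.0.0` does, and its node path makes clear which copy the fix has to reach. Other lanes (PyPI, crates.io, Go module proxy) need their own lockfile parsers, but the DAG-plus-path reporting shape is the same.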
## §1 When to invoke
Fire this skill in any of the following situations:
1. **Iteration axis-set includes `usf-supply-chain`** — orchestrator (Ultrasafe.md §15, §9.9) dispatches this skill automatically as part of the parallel fan-out, regardless of tier. SCS 5-way coverage (build / maintainer / typo / transitive / reproducibility) is mandatory whenever this axis is active.
2. **Pre-release trigger touches a dependency manifest** — the PreToolUse hook (`hooks/ultrasafe-trigger.cjs`, Ultrasafe.md §17.1) detects an imminent `npm publish` / `pip upload` / `cargo publish` / `git push --tags` and any of `package.json` / `package-lock.json` / `pnpm-lock.yaml` / `pyproject.toml` / `poetry.lock` / `requirements*.txt` / `Cargo.toml` / `Cargo.lock` / `go.mod` / `go.sum` / `Gemfile.lock` / `composer.lock` / `Pipfile.lock` / SBOM