This teaches Claude how to identify and test dependency confusion vulnerabilities across npm, pip, Maven, RubyGems, and other package ecosystems. It walks through the core mechanic (attacker publishes a higher version of an internal package name on a public registry), shows recon commands to check if names are squattable, and provides PoC patterns using DNS callbacks instead of destructive payloads. The guidance is red-team focused but includes defensive controls like scoped packages and lockfile enforcement. Load this when you're auditing manifests for supply chain risk or running authorized exercises against build pipelines. It pairs well with the recon-for-sec skill for initial package enumeration.
npx skills add https://github.com/yaklang/hack-skills --skill dependency-confusion