Merged
22 changes: 12 additions & 10 deletions skills/socket-dep-patch/SKILL.md
@@ -33,7 +33,8 @@ Use `/socket-dep-patch` when you want to fix vulnerabilities without risking bre

## Prerequisites

No API key is required for `socket-patch apply`. It works on the free tier.
- No API key is required for `socket-patch`. It works on the free tier.
- **Dependencies must be installed before patching.** `socket-patch` operates on installed packages (e.g. `node_modules/`). If dependencies are not yet installed, run the project's install command first (e.g. `npm install`, `pnpm install`, `bun install`, `pip install -r requirements.txt`).

## Step 1: Install socket-patch

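Review bot: the new prerequisite bullet lists `pip install -r requirements.txt` as an install example, which implies `socket-patch` handles Python projects, yet the rest of this file only ever names `node_modules/`; either list the ecosystems `socket-patch` actually supports or drop the non-npm install examples so users do not expect patches that will not be found. While touching this section, it would also help to state here that `socket-patch scan` must run before `socket-patch apply`, since that ordering currently only surfaces in the Error Handling entry for the missing `.socket` folder.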
@@ -53,25 +54,25 @@ Verify installation:
socket-patch --version
```

## Step 2: Scan for Patchable Vulnerabilities
## Step 2: Scan for Available Patches

Before applying patches, do a dry run to see what would be patched:
Run `socket-patch scan` to discover which installed packages have Socket patches available. This downloads patch metadata to the `.socket/` folder without modifying any packages.

```
socket-patch apply --dry-run
socket-patch scan
```

This shows which packages have Socket patches available without modifying anything.
Review the output to see which packages have patches available and what vulnerabilities they address.

## Step 3: Apply Patches

Apply all available patches:
Apply all patches discovered by `socket-patch scan`:

```
socket-patch apply
```

This modifies vulnerable packages in-place within `node_modules/` (or the equivalent for other ecosystems) by applying binary-level fixes. No version numbers change in your manifest or lock files.
This applies patches from the `.socket/` folder to installed packages (e.g. within `node_modules/`). No version numbers change in your manifest or lock files.

After patching, verify the project still works:

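Review bot: this hunk removes every mention of `socket-patch apply --dry-run` without saying whether the flag still exists; if it does, Step 2 should keep a one-line preview (`socket-patch apply --dry-run`), since `socket-patch scan` only reports what is available, and if the flag was removed, say so explicitly so readers of the old text stop using it. The rewritten Step 3 sentence also lost the statement that `apply` modifies packages in place; keep wording such as "This modifies the installed packages in place" so the reader understands the working tree is changed even though manifests and lock files are not.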
@@ -81,7 +82,7 @@ After patching, verify the project still works:

## Step 4: Verify

1. Run `socket-patch apply --dry-run` to confirm all available patches were applied
1. Run `socket-patch scan` to confirm all available patches were applied
2. Run the build to ensure nothing breaks
3. Commit `.socket/manifest.json` to version control to track which patches are applied

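Review bot: step 1 of Verify says to run `socket-patch scan` to confirm all patches were applied, but Step 2 above defines `scan` as discovering available patches and downloading their metadata, not reporting applied state, so on its own it cannot confirm application. State what output a fully patched tree produces (for example, that `scan` reports nothing new and the entries in `.socket/manifest.json` match the installed packages), or point at whichever command actually reports which patches are applied.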
@@ -96,8 +97,9 @@ To keep patches applied automatically in CI/CD or via postinstall hooks, use the
## Error Handling

- **`socket-patch` not found**: Install it using one of the methods in Step 1. For CI, ensure the install step runs before `socket-patch apply`.
- **No patches available**: This means Socket doesn't have binary patches for the current vulnerabilities. Consider using the `/socket-dep-upgrade` skill to upgrade versions instead.
- **Build fails after patching**: Run `socket-patch apply --dry-run` to identify which patch caused the issue. Report the failing patch so the user can decide whether to skip it.
- **"No .socket folder found, skipping patch application"**: Dependencies may not be installed, or `socket-patch scan` was not run first. Ensure dependencies are installed (e.g. `npm install`), then run `socket-patch scan` before `socket-patch apply`.
- **No patches available**: Run `socket-patch scan` first to check. If scan finds nothing, Socket doesn't have binary patches for the current vulnerabilities. Consider using the `/socket-dep-upgrade` skill to upgrade versions instead.
- **Build fails after patching**: Run `socket-patch scan` to identify which patches are available, then apply selectively. Report the failing patch so the user can decide whether to skip it.
- **Permission errors**: Ensure write access to `node_modules/` or the equivalent dependency directory.

## Tips
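Review bot: the "Build fails after patching" entry now says to "apply selectively", but nothing in this file shows how to apply a subset of patches; `socket-patch apply` is only documented without arguments. Either document the selection syntax or rephrase to what the tool supports (for instance, reinstalling dependencies and re-applying patches one at a time while running the build between each). Quoting the literal "No .socket folder found, skipping patch application" message in the new entry is a good addition, since that is the string users will search for.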
26 changes: 23 additions & 3 deletions skills/socket-fix/SKILL.md
@@ -19,13 +19,29 @@ This skill is an **orchestrator**. It does not have its own tools — it delegat
- The user asks for a safe or conservative dependency repair
- The user wants to progressively increase aggressiveness (start safe, escalate if needed)

## Prerequisites

This orchestrator delegates to sub-skills with mixed authentication requirements:

- `/socket-dep-cleanup` — **NO** account required
- `/socket-dep-patch` (`socket-patch apply`) — **NO** account required
- `/socket-dep-upgrade` (`socket fix`, `socket scan create`) — **account REQUIRED**
- `/socket-dep-replace` (`socket fix`, `socket scan create`) — **account REQUIRED**

**Without a Socket account**, only Level 1 (Conservative) is fully available, as it uses only cleanup and patches. Levels 2 and 3 use `socket fix` for vulnerability discovery and upgrades, which requires authentication.

If the user does not have a Socket account and requests Level 2 or 3, explain the limitation and either:
- Help them create an account at https://socket.dev, then proceed
- Fall back to Level 1 (cleanup + patches only)

## Step 1: Detect Environment

Before any repair work, identify the project's ecosystem and dependency landscape.

1. **Detect ecosystems** — check for manifest and lock files (`package.json`, `requirements.txt`, `go.mod`, `Cargo.toml`, etc.) to determine which package managers are in use
2. **Parse dependencies** — read manifest files to build a list of all direct dependencies (production and dev)
3. **Detect CI** — check for CI/CD configuration (`.github/workflows/`, `.gitlab-ci.yml`, `bitbucket-pipelines.yml`, etc.) to understand the project's build and test infrastructure
4. **Ensure dependencies are installed** — check for the presence of the dependency directory (`node_modules/`, `vendor/`, etc.). If dependencies are not installed, run the project's install command using the detected package manager (e.g. `npm install`, `pnpm install`, `bun install`). This is required for both patching (Phase 1b) and accurate unused dependency detection (Phase 1a).

Report a brief summary:

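Review bot: step 4 of Detect Environment has the orchestrator run `npm install` / `pnpm install` / `bun install` on its own whenever the dependency directory is missing; an install executes the lifecycle scripts of every dependency, including the unpatched versions this skill is about to fix, so the step should either ask the user before running it or prefer the lockfile-respecting, script-free form where the project allows it (e.g. `npm ci --ignore-scripts`), noting that patching happens after the install either way. The same step names only `node_modules/` and `vendor/` as dependency directories while step 1 detects `requirements.txt` and `Cargo.toml`; add the corresponding locations or state that the install check is npm-only.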
@@ -36,6 +52,7 @@ Environment detected:
CI: GitHub Actions (Node 18/20 matrix)
Build command: npm run build
Test command: npm test
Dependencies installed: yes (node_modules/ present)
```

## Step 2: Select Aggressiveness Level
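Review bot: the new `Dependencies installed: yes (node_modules/ present)` line only shows the happy path; since step 4 of Step 1 may have just run an install command, the summary should also show the "no" case and the action taken (for example `Dependencies installed: no -> ran npm install`), so the user can see that the orchestrator modified the working tree before any repair began.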
@@ -78,8 +95,9 @@ For each dependency in the project:

Execute the `/socket-dep-patch` workflow:

1. Run `socket-patch apply --dry-run` to preview available patches
2. Apply all patches with `socket-patch apply`
1. Ensure dependencies are installed (should have been verified in Step 1)
2. Run `socket-patch scan` to discover available patches
3. Apply all patches with `socket-patch apply`
3. Build and test to verify nothing broke
4. Commit the patch manifest (`.socket/manifest.json`)

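Review bot: the list numbering is broken in this hunk: the inserted steps are 1, 2, 3, but the untouched lines still read `3. Build and test to verify nothing broke` and `4. Commit the patch manifest (...)`, giving two step 3s; renumber them to 4 and 5.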
@@ -153,7 +171,8 @@ Aggressive repair. Apply everything possible, skip and continue on individual fa

### Phase 3c: Patch Everything Remaining

1. Run `socket-patch apply` on everything remaining
1. Run `socket-patch scan` to discover patches for remaining dependencies
2. Run `socket-patch apply` to apply all discovered patches
2. Build and test
3. Commit patch manifest

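Review bot: same numbering slip as in Phase 1b: after the two new steps the existing lines still read `2. Build and test` and `3. Commit patch manifest`, so renumber them to 3 and 4.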
@@ -196,6 +215,7 @@ Repair Complete (Level 2 — Cautious)
- **Build/test command unknown**: Ask the user for the correct build and test commands before starting repair.
- **Socket CLI not available**: Binary patches and `socket fix` require the Socket CLI. Suggest running `/socket-setup` first, or fall back to cleanup-only mode (Phase 1a only).
- **All upgrades fail in Level 3**: If every upgrade attempt fails, report what was tried and suggest the user investigate manually. The cleanup and patch phases may still have succeeded.
- **Authentication required**: Levels 2 and 3 use `socket fix` which requires a Socket account and API token. If the user is not authenticated, fall back to Level 1 (cleanup + patches only). To authenticate, run `socket login` or set `SOCKET_CLI_API_TOKEN`. To create an account, visit https://socket.dev.
- **Network errors**: `socket fix` and `socket-patch` require network access. Check connectivity and retry once before skipping.

## Tips
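Review bot: the new "Authentication required" entry falls back to Level 1 (cleanup + patches), while the existing "Socket CLI not available" entry two lines above falls back to cleanup-only (Phase 1a) and states that binary patches require the Socket CLI; the Prerequisites section added in this same PR says `/socket-dep-patch` needs no account, so these two entries should agree on whether patches are available without the CLI and without an account. Where the entry suggests setting `SOCKET_CLI_API_TOKEN`, add that in CI the value should come from the secret store rather than a committed config file.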