Dependency Auditor

v2.1.1


by Alireza Rezvani (@alirezarezvani)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name and description match the included scripts and documentation: the package contains scanner, license checker, and upgrade planner Python scripts and the SKILL.md/README explain scanning local project files and producing reports. The tool does not request unrelated credentials or system config paths.
Instruction Scope
Runtime instructions (SKILL.md/README) direct the agent/user to run the included Python scripts against a specified project path and to produce local report files or integrate into CI. This stays within the stated purpose. Caution: the scripts parse arbitrary project files and (based on visible code) call subprocess; running them against untrusted repositories could execute external tools or shell commands depending on omitted code paths.
Install Mechanism
No install spec is declared (instruction-only), and README claims no external Python dependencies (standard library only). The skill ships as code files which the user must execute; there is no remote download or install URL shown.
Credentials
The skill declares no required environment variables, credentials, or config paths. The functionality (reading manifests/lockfiles) does not justify additional secrets. If you run it in CI you may need tooling (python) and network access for optional checks, but no unexpected credentials are requested.
Persistence & Privilege
The skill is not forced-always and allows user invocation; it does not request persistent presence or attempt to modify other skills or agent-wide settings in the visible materials.
Assessment
This skill appears coherent for auditing dependencies: it reads manifest/lock files, checks a built-in vulnerability DB, and generates reports. Before running it:
1) Review the full source (some files were truncated in the package summary) to confirm there are no network exfiltration calls or dangerous shell usage.
2) Run it in an isolated environment (container or sandbox) on a copy of your repository, not on production hosts.
3) Inspect any subprocess calls or uses of shell=True (search for subprocess.call, subprocess.run, os.system, Popen) and verify inputs are not constructed from untrusted sources.
4) If you plan CI integration, ensure the runner's permissions are limited and that no secrets are accidentally included in scan outputs or uploaded artifacts.
If you want, provide the omitted source sections and I can re-check those specific code paths for hidden network calls or unsafe behavior.


latest: vk97c3183kj1w3539kbgarfspm982nhcp

