Skill Dependency Chain Auditor

v1.0.0

Helps audit transitive skill dependency chains in agent compositions — catching the class of risk where a skill's direct dependencies appear safe but a depen...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the requested tools and behavior: auditing transitive dependency chains reasonably requires network access (curl) and analysis tooling (python3). No unrelated binaries, credentials, or config paths are requested.
Instruction Scope
SKILL.md is an instruction-only spec describing inputs and outputs but does not enumerate the data sources/endpoints it will query or how it will obtain audit records. That gives the agent discretion to use curl/python3 to fetch metadata from registries or public directories — expected for this auditor, but verify what registries or endpoints it will contact if you need to limit network access.
Install Mechanism
No install spec and no code files — lowest install risk. The skill is purely instruction-based and does not download or write archives to disk.
Credentials
The skill requests no environment variables, credentials, or config paths. For audits of private/internal registries you would need to supply credentials separately; absence of such variables is coherent for a public-auditing tool.
Persistence & Privilege
always:false and no privileged config modifications. Autonomous invocation is allowed (platform default), but no persistent presence or cross-skill config changes are requested.
Assessment
This skill appears internally consistent for auditing dependency chains. Before installing, confirm where it will fetch metadata from (public marketplace, vendor APIs, internal registries) and whether you need to provide credentials for private registries — the SKILL.md does not list endpoints or credential requirements. Because it uses curl and python3 at runtime, it will perform network requests and run analysis locally; if you are concerned about data leakage, run it in an environment with restricted network access or provide only limited/ephemeral credentials for private registries. If you need stronger assurance, ask the publisher for the exact data sources and a sample audit run so you can verify the tool's behavior and outputs.


Latest version: vk9703x2a5rgz556ekm2gz5z8n981p3v9

Runtime requirements

⛓️ Clawdis
Bins: curl, python3