Skill flagged — review recommended

ClawHub Security found sensitive or high-impact capabilities. Review the scan results before using.

DepGuard

Dependency audit, vulnerability scanning, and license compliance. Free vuln check + paid continuous monitoring via git hooks.

Audits: Suspicious

Install

openclaw skills install depguard

DepGuard — Dependency Audit & License Compliance

DepGuard scans your project dependencies for known vulnerabilities, license violations, and outdated packages. It uses native package manager audit tools (npm audit, pip-audit, cargo-audit, etc.) and enriches results with license analysis and risk scoring.

Commands

Free Tier (No license required)

depguard scan [directory]

One-shot vulnerability and license scan of your project dependencies.

How to execute:

bash "<SKILL_DIR>/scripts/depguard.sh" scan [directory]

What it does:

  1. Detects package manager (npm, yarn, pnpm, pip, cargo, go, composer, bundler, maven, gradle)
  2. Runs native audit commands (npm audit, pip-audit, cargo audit, etc.)
  3. Parses dependency manifests for license information
  4. Generates a security report with severity levels
  5. Lists packages with problematic or unknown licenses

Example usage scenarios:

  • "Scan my dependencies for vulnerabilities" → runs depguard scan .
  • "Check the licenses of my node modules" → runs depguard scan . --licenses-only
  • "Are any of my packages insecure?" → runs depguard scan

depguard report [directory]

Generate a formatted dependency health report in markdown.

bash "<SKILL_DIR>/scripts/depguard.sh" report [directory]

Pro Tier ($19/user/month — requires DEPGUARD_LICENSE_KEY)

depguard hooks install

Install git hooks that scan dependencies on every commit that modifies lockfiles.

bash "<SKILL_DIR>/scripts/depguard.sh" hooks install

What it does:

  1. Validates Pro+ license
  2. Installs lefthook pre-commit hook targeting lockfile changes
  3. On every commit that modifies package-lock.json, yarn.lock, Cargo.lock, etc.: runs a vulnerability scan and blocks the commit if critical or high severity vulnerabilities are found

depguard hooks uninstall

Remove DepGuard git hooks.

bash "<SKILL_DIR>/scripts/depguard.sh" hooks uninstall

depguard watch [directory]

Continuous monitoring — re-scans on any lockfile change.

bash "<SKILL_DIR>/scripts/depguard.sh" watch [directory]

depguard fix [directory]

Auto-fix vulnerabilities by upgrading to patched versions where available.

bash "<SKILL_DIR>/scripts/depguard.sh" fix [directory]

Team Tier ($39/user/month — requires DEPGUARD_LICENSE_KEY with team tier)

depguard policy [directory]

Enforce a dependency policy: block specific licenses, require minimum versions, deny specific packages.

bash "<SKILL_DIR>/scripts/depguard.sh" policy [directory]

depguard sbom [directory]

Generate a Software Bill of Materials (SBOM) in CycloneDX or SPDX format.

bash "<SKILL_DIR>/scripts/depguard.sh" sbom [directory]

depguard compliance [directory]

Generate a compliance report for auditors — maps licenses to categories (permissive, copyleft, proprietary, unknown).

bash "<SKILL_DIR>/scripts/depguard.sh" compliance [directory]

Supported Package Managers

Manager    Lockfile                          Audit Tool
npm        package-lock.json                 npm audit
yarn       yarn.lock                         yarn audit
pnpm       pnpm-lock.yaml                    pnpm audit
pip        requirements.txt / Pipfile.lock   pip-audit / safety
cargo      Cargo.lock                        cargo audit
go         go.sum                            govulncheck
composer   composer.lock                     composer audit
bundler    Gemfile.lock                      bundle audit
maven      pom.xml                           mvn dependency-check
gradle     build.gradle                      gradle dependencyCheck
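The two steps this page describes but does not show, lockfile-based detection of the package manager (the table above) and the pre-commit gate that blocks on critical/high findings (hooks install), as an added POSIX sh example written for this page; it is not DepGuard's own depguard.sh, and the function names and the "sev=count" summary format it consumes are assumptions.

```shell
#!/bin/sh
# Added example, not DepGuard's code. detect_manager maps a project directory to
# its package manager and native audit tool from the lockfile it finds;
# should_block applies a severity threshold to audit counts the way a lockfile
# pre-commit hook would. Both are hypothetical names chosen for this example.

# detect_manager DIR -> prints "manager<TAB>audit tool"; exit 1 if no lockfile.
detect_manager() {
  dir=$1
  # Order matters: pnpm/yarn lockfiles take precedence over package-lock.json
  # so a project using yarn is not audited with npm.
  for entry in \
    "pnpm-lock.yaml:pnpm:pnpm audit" \
    "yarn.lock:yarn:yarn audit" \
    "package-lock.json:npm:npm audit" \
    "Pipfile.lock:pip:pip-audit" \
    "requirements.txt:pip:pip-audit" \
    "Cargo.lock:cargo:cargo audit" \
    "go.sum:go:govulncheck" \
    "composer.lock:composer:composer audit" \
    "Gemfile.lock:bundler:bundle audit" \
    "pom.xml:maven:mvn dependency-check" \
    "build.gradle:gradle:gradle dependencyCheck"
  do
    file=${entry%%:*}; rest=${entry#*:}
    manager=${rest%%:*}; tool=${rest#*:}
    if [ -f "$dir/$file" ]; then
      printf '%s\t%s\n' "$manager" "$tool"
      return 0
    fi
  done
  return 1
}

# severity_rank NAME -> numeric rank so a threshold like "high" can be compared.
severity_rank() {
  case $1 in
    critical) echo 4 ;; high) echo 3 ;; moderate) echo 2 ;; low) echo 1 ;; *) echo 0 ;;
  esac
}

# should_block THRESHOLD "sev=count ..." -> exit 0 (block the commit) when any
# severity at or above THRESHOLD has a non-zero count; the summary string is a
# constructed format, not the output of any real audit tool.
should_block() {
  threshold=$(severity_rank "$1")
  for pair in $2; do
    sev=${pair%%=*}; count=${pair#*=}
    if [ "$count" -gt 0 ] && [ "$(severity_rank "$sev")" -ge "$threshold" ]; then
      return 0
    fi
  done
  return 1
}
```

A hook would call detect_manager on the repository root, run the printed audit tool, summarise its counts, and exit non-zero when should_block succeeds so git refuses the commit.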

Configuration

Add to ~/.openclaw/openclaw.json:

{
  "skills": {
    "entries": {
      "depguard": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY",
        "config": {
          "severityThreshold": "high",
          "blockedLicenses": ["GPL-3.0", "AGPL-3.0"],
          "allowedLicenses": ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"],
          "ignoredVulnerabilities": [],
          "autoFix": false,
          "sbomFormat": "cyclonedx"
        }
      }
    }
  }
}

Important Notes

  • Free tier works immediately — no configuration needed
  • All scanning happens locally using native package manager audit tools
  • License validation is offline — no phone-home
  • Falls back to manifest parsing if native audit tools aren't available
  • Supports monorepos — scans all workspaces/packages

When to Use DepGuard

The user might say things like:

  • "Scan my dependencies for vulnerabilities"
  • "Check my package licenses"
  • "Are any of my npm packages insecure?"
  • "Generate a security audit report"
  • "Set up dependency monitoring"
  • "Block GPL dependencies in this project"
  • "Generate an SBOM"
  • "Check if we're compliant with our license policy"