Dependency Audit
Pass. Audited by ClawScan on May 1, 2026.
Overview
This instruction-only dependency audit skill is purpose-aligned, but it may run package-manager commands, install audit helpers, and contact package registries, so users should review commands before use.
This skill appears safe to install as an instruction-only audit helper. Before running its suggested commands, use a clean working tree, avoid sudo, review any dependency-changing commands, and be careful when auditing projects that use private registries or private package names.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these commands are run without review, they could change project dependencies or affect builds.
The skill includes commands that can modify dependency files or installed packages, but it frames them as commands to provide to the user rather than automatic actions.
For batch updates, generate copy-pasteable commands: ... `npm audit fix` ... `npm update` ... `npm install express@5.0.0`
Treat update and fix commands as suggestions; review diffs, use version control, and test before applying them.
Running unpinned helper tools can pull current registry versions, which may change over time or be affected by upstream supply-chain issues.
The instructions may install or run helper tools from package registries without version pinning. This is purpose-aligned, but it relies on external package provenance.
`npx depcheck --json` ... `pip install pip-audit` ... `cargo install cargo-audit`
Prefer trusted environments, pin tool versions where practical, and review package sources before installing helpers.
Dependency names, versions, or private package metadata may be exposed to configured or public registry services during audit commands.
The audit workflow may contact external package registries or security-audit providers, and the public-registry suggestion is notable for projects using private packages.
`No internet`: Report that audit requires network access ... `Private registries`: `npm audit` may fail — suggest `--registry=https://registry.npmjs.org`
For private projects, confirm which registry or audit endpoint will receive dependency metadata before running network-backed audit commands.
