Dep Vuln Scanner

v1.0.0

Scan project dependencies for known security vulnerabilities using the OSV.dev API. Supports npm (package.json), Python/pip (requirements.txt), and Go (go.mo...

by John Wang (@johnnywang2001)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the provided script and SKILL.md. The script only parses package.json, requirements.txt, and go.mod and queries the OSV.dev API — exactly what you'd expect for a dependency vulnerability scanner.
Instruction Scope
SKILL.md instructs running the included Python script against a project directory. The runtime instructions and script only read dependency files in the target directory and make HTTPS calls to api.osv.dev. The script does not attempt to read other system files, environment variables, or exfiltrate data to unexpected endpoints. Note: network failures and HTTP errors are silently swallowed by the script, which may hide connectivity problems.
Install Mechanism
No install spec; this is instruction-only with an included Python script. The script uses only Python stdlib (urllib, json, re, etc.) and does not download or install external binaries or packages.
Credentials
The skill requests no environment variables, credentials, or config paths. Network access to the OSV.dev API is required and is proportionate to the stated purpose.
Persistence & Privilege
The manifest sets always:false, and the script contains no code that modifies the system or other skills' configurations. The skill does not request persistent presence or elevated privileges. Autonomous invocation is allowed by platform default, but that is not a concern here by itself.
Assessment
The skill appears coherent and limited to scanning dependency files and querying OSV.dev. Before installing or running it: (1) review the included script locally (it is small and readable); (2) run it in a sandbox or CI job first if you have concerns about provenance; (3) be aware it needs outbound HTTPS to api.osv.dev and will silently ignore HTTP/network errors (you may want to run with network logging to confirm correct behavior); (4) because the source/packager metadata and homepage are missing, prefer to run the script from a trusted environment or add it to source control after review.


