dependency-security-scan
v1.0.0
Analyzes dependency vulnerabilities in Java, Maven or Spring projects, verifies whether the versions in use are affected, checks transitive and embedded dependencies, and generates a report with security remediation recommendations.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Benign, high confidence

Purpose & Capability
The name/description (Java/Maven/Gradle dependency security scan) matches the SKILL.md and reference files. All required actions (reading pom.xml/build.gradle, running dependency:tree, inspecting JARs, querying vulnerability feeds like OSV) are consistent with that purpose. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Runtime instructions are explicit and limited to collecting project dependency evidence (lockfiles, dependency trees, build files), running known scanning tools (osv-scanner, grype, trivy, OWASP Dependency-Check), inspecting JAR contents and producing reports. There are no instructions to access unrelated system files, secrets, or to transmit data to unexpected endpoints beyond standard vulnerability feeds (example: api.osv.dev).
Install Mechanism
This is instruction-only with no install spec and no code files to execute. That minimizes install-time risk. The skill references external tools but does not attempt to download or execute code itself.
Credentials
The skill declares no required environment variables, credentials, or config paths. The referenced operations (file reads, CLI tool invocations, optional curl to OSV API) are proportionate to a dependency scanner and do not request unrelated secrets.
Persistence & Privilege
The always flag is false, and the skill does not request persistent system-level changes or access to other skills' configurations. It relies on ad-hoc commands and local file inspection, which is appropriate for its function.
Assessment
This skill is a documentation-driven procedure for auditing Java dependencies; it appears internally consistent. Before using it, ensure you: (1) run it in a safe environment where reading project files and unpacking JARs is permitted (it inspects pom.xml/build.gradle and may unzip jars); (2) have the referenced CLI tools available (mvn, gradle, osv-scanner, trivy, grype, unzip, jdeps, etc.) or be prepared to install them yourself; (3) understand that the skill may call public vulnerability APIs (e.g., api.osv.dev); if you need to avoid network calls, run the steps offline with local databases; and (4) verify reports manually (the skill itself emphasizes cross-checking and marking uncertain findings). There are no requests for secrets or elevated privileges in the skill materials.
latest: vk979k08qs2hp25029ywf8j5ce584dwdx
