ClawHub

Skill Deps Doctor

v0.1.0

Cross-platform skill dependency doctor — preflight check for missing binaries, version mismatches, system libraries, CJK fonts, Playwright/Chromium runtime,...

1· 330·0 current·0 all-time
byRange King@rangeking
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description align with the actual requirements and files. Declared required binaries (python3 and the skill-deps-doctor CLI) match the SKILL.md and the provided wrapper script. The wrapper imports a package named skill_deps_doctor and offers pip/GitHub install hints — all coherent for a dependency doctor tool.
Instruction Scope
The SKILL.md instructs the tool to scan skills/*/SKILL.md and project directories (package.json, pyproject.toml, Dockerfile, etc.), probe runtimes (e.g., Chromium via Playwright), run platform checks (ldconfig, fc-list) and optionally generate fix scripts. Those behaviors are expected for a dependency checker, but they mean the tool will read many project files, execute system probes (and potentially launch headless browsers), and can load/execute third-party plugin code. Users should be aware that --probe and plugin features execute code/run binaries on the host.
Install Mechanism
No registry install spec was included, but SKILL.md recommends 'pip install skill-deps-doctor' or installing from a GitHub pip URL; the included wrapper merely prefers vendored code or falls back to the installed package. These are standard Python install mechanisms and not unexpected; no obscure download URLs or archive extraction are present.
Credentials
The skill declares no required environment variables or credentials, which is appropriate. However, the plugin system (Python entry points) and probes mean third-party code could request or use environment data at runtime; the SKILL.md allows reading hint files and project files. This is coherent but worth noting: no secrets are requested up front, but plugins/probes could access environment state.
Persistence & Privilege
The skill is not always-enabled and does not request unusual persistence or elevated privileges. The wrapper script only manipulates sys.path to prefer vendored/repo code and then imports the package; it does not modify other skills or system configuration.
Assessment
This appears to be a legitimate dependency-checker. Before installing or running it: 1) Prefer installing from PyPI or the named GitHub repo and verify the package source; 2) Run it against a non-sensitive copy of your workspace (or inside a container/VM) the first time — --probe will launch headless browsers and run system probes; 3) Do not pipe the generated fix script (fix.sh) directly to a shell — inspect it before executing; 4) If you are concerned about third-party code, use --no-plugins and avoid loading untrusted hints/plugins; 5) If you need higher assurance, review the full upstream package source on PyPI/GitHub to confirm there are no unexpected network endpoints or exfiltration code.

Like a lobster shell, security has layers — review code before you run it.

latestvk97933b2tzk70hezq5x6nr8dy98219m6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧰 Clawdis
Binspython3, skill-deps-doctor

Comments