Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dependency Audit

v1.0.0

Smart dependency health check — security audit, outdated detection, unused deps, and prioritized update plan

Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name and description match the runtime instructions: detecting language manifests, running audits (npm/pip/cargo/govulncheck), checking outdated packages, identifying unused deps, and creating update plans. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructs the agent to run shell commands in the project root (audit commands, outdated checks, depcheck, grepping source files). It also recommends installing missing audit tools (e.g., `pip install pip-audit`, `cargo install cargo-audit`) and using `npx depcheck` which fetches and executes a package. These actions are within the audit purpose but will execute code, access project files, and may change local state (installing tools, updating lockfiles if the recommended commands are run).
Install Mechanism
This is an instruction-only skill with no install spec or shipped code. The SKILL.md recommends using standard package managers to install audit tooling if absent; that's expected for this functionality and there is no embedded arbitrary download URL or extractor in the skill itself.
Credentials
The skill requests no environment variables, credentials, or config paths. The commands may interact with package registries and local configs (e.g., npm registry settings), but the skill does not declare or demand any secrets.
Persistence & Privilege
`always` is false and the skill does not request persistent/system-wide privileges. The instructions may cause the user to install CLI tools into their environment if they follow them, but the skill itself does not install or persist code on the agent platform.
Assessment
This skill appears coherent and appropriate for auditing dependencies, but it will run shell commands in your project and may suggest or execute package-manager operations that modify local state (installing audit tools, running `npm audit fix`, `npm update`, etc.). Before running: (1) review and approve generated commands rather than auto-running them; (2) prefer running in an isolated environment (container, VM, or branch) to avoid unintended changes to your system or repo; (3) be aware `npx` executes code fetched from the registry and installing tools (cargo/pip) writes to your home environment; (4) if your project uses private registries or tokens, ensure those credentials are not inadvertently exposed when running commands or when pasting outputs to external services. If you want stricter safety, run the audit manually using the commands the skill generates.


900 downloads · 0 stars · 1 version · Updated 8h ago · v1.0.0 · MIT-0

dependency-audit — Smart Dependency Health Check

Detect your package manager, run security audits, find outdated and unused dependencies, and generate a prioritized update plan.

Steps

1. Detect Package Manager

Check for these files in the project root:

| File | Ecosystem | Audit Command |
|------|-----------|---------------|
| package.json | Node.js (npm/yarn/pnpm) | `npm audit` |
| requirements.txt / pyproject.toml / Pipfile | Python | `pip-audit` |
| Cargo.toml | Rust | `cargo audit` |
| go.mod | Go | `govulncheck ./...` |
| Gemfile | Ruby | `bundle audit check` |

If multiple are found, audit all of them. If none found, stop and inform the user.

2. Run Security Audit

Node.js:

```bash
npm audit --json 2>/dev/null
# Parse: advisories, severity (critical/high/moderate/low), affected package, fix available
```

Python:

```bash
# pip-audit is a separate tool, not a pip subcommand
pip-audit --format=json 2>/dev/null || pip-audit 2>/dev/null
# If pip-audit not installed: pip install pip-audit
```

Rust:

```bash
cargo audit --json 2>/dev/null
# If not installed: cargo install cargo-audit
```

3. Check for Outdated Packages

Node.js:

```bash
npm outdated --json 2>/dev/null
# Shows: current, wanted (semver-compatible), latest
```

Python:

```bash
pip list --outdated --format=json 2>/dev/null
```

Rust:

```bash
cargo outdated -R 2>/dev/null
# If not installed: cargo install cargo-outdated
```

4. Identify Unused Dependencies

Node.js — use depcheck:

```bash
npx depcheck --json 2>/dev/null
```

This reports unused dependencies and missing dependencies. If npx fails, scan source files manually:

```bash
# List all deps from package.json, then grep each one in the source tree;
# flag any dep not referenced in any .js/.ts/.jsx/.tsx file
for dep in $(node -p "Object.keys(require('./package.json').dependencies || {}).join(' ')"); do
  grep -rq --include='*.js' --include='*.ts' --include='*.jsx' --include='*.tsx' "['\"]$dep['\"/]" . || echo "possibly unused: $dep"
done
```

Python: Scan imports vs installed packages:

```bash
# Extract imports from .py files
grep -rh "^import \|^from " --include="*.py" . | sort -u
# Compare against requirements.txt entries
```

5. Generate Prioritized Update Plan

Organize findings into priority tiers:

## 🔴 Critical — Security Vulnerabilities
| Package | Severity | Current | Fixed In | Command |
|---------|----------|---------|----------|---------|
| lodash | CRITICAL | 4.17.19 | 4.17.21 | `npm install lodash@4.17.21` |

## 🟠 High — Breaking Updates Available
| Package | Current | Latest | Breaking Changes |
|---------|---------|--------|-----------------|
| express | 4.18.2 | 5.0.0 | New router API |

## 🟡 Medium — Minor/Patch Updates
| Package | Current | Latest | Command |
|---------|---------|--------|---------|
| axios | 1.5.0 | 1.6.2 | `npm install axios@1.6.2` |

## 🟢 Low — Unused Dependencies
| Package | Action |
|---------|--------|
| moment | `npm uninstall moment` |

6. Provide Safe Update Commands

For batch updates, generate copy-pasteable commands:

```bash
# Security fixes (safe — patch updates only)
npm audit fix

# All compatible updates (non-breaking)
npm update

# Specific breaking update (test thoroughly)
npm install express@5.0.0
```

For Python:

```bash
pip install --upgrade package_name
```

7. Output Summary

```markdown
# Dependency Health Report — [project-name]
**Date:** 2025-02-15 | **Ecosystem:** Node.js (npm)

| Category | Count |
|----------|-------|
| 🔴 Security vulnerabilities | 2 |
| 🟠 Major updates available | 3 |
| 🟡 Minor/patch updates | 8 |
| 🟢 Unused dependencies | 1 |
| ✅ Up-to-date | 42 |
```
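
As an added example (not part of the skill), this Python script turns the JSON emitted by `npm audit --json`, `npm outdated --json` and `npx depcheck --json` in steps 2-4 into the four tiers of the step-5 plan. The inputs are constructed samples in those tools' output shapes; the `fixAvailable` handling follows the npm 7+ audit report, where the field is `true`, `false`, or an object naming the fixing version.

```python
import json

SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}  # worst first

# Constructed sample outputs, shaped like npm (v7+) audit/outdated and depcheck JSON.
AUDIT_JSON = json.dumps({"vulnerabilities": {
    "lodash": {"severity": "critical", "range": "<4.17.21",
               "fixAvailable": {"name": "lodash", "version": "4.17.21", "isSemVerMajor": False}},
    "minimist": {"severity": "moderate", "range": "<1.2.6", "fixAvailable": True}}})
OUTDATED_JSON = json.dumps({
    "express": {"current": "4.18.2", "wanted": "4.18.2", "latest": "5.0.0"},
    "axios": {"current": "1.5.0", "wanted": "1.6.2", "latest": "1.6.2"}})
DEPCHECK_JSON = json.dumps({"dependencies": ["moment"], "devDependencies": [], "missing": {}})

def is_major_bump(current, latest):
    """A different leading semver component means a breaking update."""
    return current.split(".")[0] != latest.split(".")[0]

def build_plan(audit_json, outdated_json, depcheck_json):
    """Return {tier: [row, ...]} for the four tiers of step 5."""
    plan = {"critical": [], "high": [], "medium": [], "low": []}
    vulns = json.loads(audit_json).get("vulnerabilities", {})
    for name, v in vulns.items():
        fix = v.get("fixAvailable")  # True, False, or an object naming the fixing version
        if isinstance(fix, dict):
            fixed_in, cmd = fix["version"], f"npm install {name}@{fix['version']}"
        else:
            fixed_in, cmd = ("see audit fix", "npm audit fix") if fix else ("none", "manual review")
        plan["critical"].append({"package": name, "severity": v["severity"].upper(),
                                 "vulnerable_range": v.get("range", "?"), "fixed_in": fixed_in, "command": cmd})
    plan["critical"].sort(key=lambda r: SEVERITY_RANK.get(r["severity"].lower(), 9))
    for name, o in json.loads(outdated_json).items():
        if name in vulns:
            continue  # already listed in the security tier with its fixing version
        tier = "high" if is_major_bump(o["current"], o["latest"]) else "medium"
        plan[tier].append({"package": name, "current": o["current"], "latest": o["latest"],
                           "command": f"npm install {name}@{o['latest']}"})
    dc = json.loads(depcheck_json)
    for name in dc.get("dependencies", []) + dc.get("devDependencies", []):
        plan["low"].append({"package": name, "command": f"npm uninstall {name}"})
    return plan

def render(plan):
    """Emit the findings as pipe-table rows grouped under the step-5 tier names."""
    lines = []
    for tier, rows in plan.items():
        lines.append(f"## {tier.capitalize()} ({len(rows)})")
        lines.extend("| " + " | ".join(str(v) for v in r.values()) + " |" for r in rows)
    return "\n".join(lines)
```

Run `print(render(build_plan(AUDIT_JSON, OUTDATED_JSON, DEPCHECK_JSON)))` to see the tiered plan; on a real project, feed it the captured stdout of the three commands instead of the sample strings.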

Edge Cases

  • Lock file conflicts: If package-lock.json is out of sync, run `npm install` first
  • Private registries: `npm audit` may fail; suggest `--registry=https://registry.npmjs.org`
  • Monorepo: Check each workspace. For npm: `npm audit --workspaces`
  • No internet: Report that audit requires network access
  • Audit tool not installed: Provide install command (e.g., `pip install pip-audit`)

Error Handling

| Error | Resolution |
|-------|------------|
| `npm audit` returns non-zero | Normal — means vulnerabilities found; parse the output |
| `pip-audit` not found | `pip install pip-audit`, then retry |
| `cargo audit` not found | `cargo install cargo-audit`, then retry |
| Network error | Check connectivity; suggest `--offline` if available |
| Permission denied | Suggest running without sudo; check file ownership |

Built by Clawb (SOVEREIGN) — more skills at [coming soon]
