ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dependency Health Check

v1.0.0

Multi-ecosystem dependency audit — find outdated, vulnerable, unused, and license-incompatible packages across npm, pip, cargo, go, and composer. Use when as...

0· 39·0 current·0 all-time
by@charlie-morrison

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for charlie-morrison/dependency-health-check.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Dependency Health Check" (charlie-morrison/dependency-health-check) from ClawHub.
Skill page: https://clawhub.ai/charlie-morrison/dependency-health-check
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install dependency-health-check

ClawHub CLI

Package manager switcher

npx clawhub@latest install dependency-health-check
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md implements a multi-ecosystem dependency audit (npm, pip, cargo, go, composer, etc.), which matches the name/description. However, the metadata declares no required binaries or credentials even though the instructions rely heavily on many CLI tools (npm, yarn/pnpm, pip, pip-audit, cargo, cargo-audit, go, composer, npx, jq, trivy, govulncheck, depcheck, pipreqs, pip-licenses, etc.). The omission of required-binaries in metadata is an inconsistency and reduces transparency.
!
Instruction Scope
Runtime instructions tell the agent to run many shell commands that read the repo tree (expected) but also to install and invoke third-party tooling (e.g., 'pip install pipreqs', 'npx depcheck', 'npx license-checker', trivy, govulncheck). Those commands will fetch and execute code from package registries / networks and can modify the runtime environment (global Python packages, npx temporary installs). The instructions also include writes to /tmp and use bash-specific features. While these actions are typical for an audit, they broaden the blast radius and should be explicitly declared and sandboxed.
Install Mechanism
There is no install spec (instruction-only), which minimizes permanent additions to disk. However, the instructions rely on on-demand installs via language package managers (pip, npx) and external scanners (trivy, govulncheck) that will fetch code from the network. This transient install/exec behavior is normal for such a tool but carries higher risk than pure read-only auditing.
Credentials
The skill does not request any environment variables, credentials, or config paths. It reads project files (package manifests) which is appropriate for an audit. No unrelated secrets are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges in metadata. It does not declare modifying other skills or global agent settings.
What to consider before installing
This skill appears to do what it says (a multi-ecosystem dependency audit), but it expects the agent to run many CLI tools and to install or invoke third-party packages (via pip, npx, etc.) at runtime — behavior that can execute code fetched from the network and modify the runtime environment. Before installing or running this skill: (1) require the author to list required binaries/tools in metadata; (2) run audits in an isolated environment (container/VM/CI job) or a Python venv and avoid global installs; (3) inspect/approve any commands that will run package-manager installs (npx/pip) or scanners that pull remote data; (4) prefer running these steps manually or with explicit confirmation prompts rather than giving the skill autonomous execution permission. If you need higher assurance, ask the publisher for a version that vendors the audit tools or documents exact network interactions and install behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk974syeszwtmxbq8ed3kec8hnd85n9qv
39downloads
0stars
1versions
Updated 1d ago
v1.0.0
MIT-0
@charlie-morrison
latest
Download

Dependency Health Check

Audit project dependencies across ecosystems for security, freshness, license compliance, and unused bloat. Produces a prioritized upgrade plan with risk assessment.

Use when: "check our dependencies", "are we up to date", "audit packages", "plan an upgrade", "find unused deps".

Step 1 — Detect Ecosystem

# Auto-detect package managers
ls package.json package-lock.json yarn.lock pnpm-lock.yaml 2>/dev/null   # Node.js
ls requirements.txt Pipfile pyproject.toml setup.py 2>/dev/null           # Python
ls Cargo.toml Cargo.lock 2>/dev/null                                       # Rust
ls go.mod go.sum 2>/dev/null                                               # Go
ls composer.json composer.lock 2>/dev/null                                 # PHP
ls Gemfile Gemfile.lock 2>/dev/null                                        # Ruby

Step 2 — Outdated Packages

Node.js

npm outdated --json 2>/dev/null | jq 'to_entries[] | {name: .key, current: .value.current, wanted: .value.wanted, latest: .value.latest}'
# or
yarn outdated --json 2>/dev/null
pnpm outdated --format json 2>/dev/null

Python

pip list --outdated --format json 2>/dev/null | jq '.[] | {name, version, latest_version}'
# or with pip-audit
pip-audit --format json 2>/dev/null

Rust

cargo outdated -R --format json 2>/dev/null

Go

go list -u -m -json all 2>/dev/null | jq 'select(.Update) | {Path, Version, Update: .Update.Version}'

PHP

composer outdated --format json 2>/dev/null

Step 3 — Vulnerability Scan

# Node.js
npm audit --json 2>/dev/null | jq '.vulnerabilities | to_entries[] | {name: .key, severity: .value.severity, fixAvailable: .value.fixAvailable}'

# Python
pip-audit --format json 2>/dev/null
# or
safety check --json 2>/dev/null

# Rust
cargo audit --json 2>/dev/null

# Go
govulncheck ./... 2>/dev/null

# Universal (if installed)
trivy fs --format json --scanners vuln . 2>/dev/null | jq '.Results[].Vulnerabilities[]? | {PkgName, Severity, Title}'

Step 4 — Unused Dependencies

Node.js

# depcheck finds unused deps
npx depcheck --json 2>/dev/null | jq '{unused: .dependencies, devUnused: .devDependencies, missing: .missing}'

Python

# Check imports vs requirements
pip install pipreqs 2>/dev/null
pipreqs . --print 2>/dev/null > /tmp/actual-imports.txt
diff <(sort requirements.txt | sed 's/[>=<].*//' | tr '[:upper:]' '[:lower:]') \
     <(sort /tmp/actual-imports.txt | sed 's/[>=<].*//' | tr '[:upper:]' '[:lower:]')

Rust

cargo udeps 2>/dev/null  # requires nightly

Step 5 — License Audit

# Node.js
npx license-checker --json 2>/dev/null | jq 'to_entries[] | {pkg: .key, license: .value.licenses}' | head -40

# Python
pip-licenses --format json 2>/dev/null | jq '.[] | {Name, License}'

# Universal
trivy fs --format json --scanners license . 2>/dev/null

Flag: GPL in MIT projects, AGPL in SaaS, unknown/unlicensed packages, dual-license packages.

Step 6 — Risk Assessment

For each outdated dependency, evaluate:

  1. Severity: critical (known CVE) > high (>2 major versions behind) > medium (minor behind) > low (patch behind)
  2. Breaking changes: check the changelog/release notes for breaking changes between current and latest
  3. Usage frequency: grep for imports — a heavily-used dep is riskier to upgrade
  4. Test coverage: if the dep's area has good tests, the upgrade is safer

Output Template

# Dependency Health Report

**Project:** [name]
**Scanned:** [date]
**Ecosystems:** Node.js, Python, etc.

## Summary
- Total dependencies: X
- Outdated: X (Y critical, Z major behind)
- Vulnerabilities: X (Y critical, Z high)
- Unused: X (safe to remove)
- License issues: X

## Critical (fix now)
| Package | Current | Latest | Issue | Risk |
|---------|---------|--------|-------|------|
| lodash | 4.17.20 | 4.17.21 | CVE-2021-23337 (prototype pollution) | High — used in 47 files |

## Recommended Upgrades (this sprint)
| Package | Current | Latest | Breaking Changes | Effort |
|---------|---------|--------|-----------------|--------|
| react | 17.0.2 | 18.3.1 | Yes — concurrent mode, new root API | 2-4 hours |

## Safe Quick Wins (patch updates)
Packages that can be bumped with minimal risk:
- `axios`: 1.6.0 → 1.7.2 (bug fixes only)
- `dotenv`: 16.3.1 → 16.4.5 (no breaking changes)

## Unused (remove)
- `moment` — imported nowhere, replaced by date-fns
- `@types/express` — no Express code found

## License Flags
- `gpl-package@1.0`: GPL-3.0 in MIT project — review compatibility

Upgrade Workflow

After the audit:

  1. Fix critical vulnerabilities first (npm audit fix, pip-audit --fix)
  2. Remove unused dependencies
  3. Batch patch updates into one PR
  4. Plan major upgrades individually with dedicated PRs
  5. Run tests after each upgrade batch

Notes

  • Always run the project's test suite after upgrades
  • For monorepos, audit each workspace separately
  • npm audit fix --force can introduce breaking changes — prefer targeted fixes
  • Check CHANGELOG.md or GitHub releases for each major version jump

Comments

Loading comments...