dependency-license-audit
v1.0.0
Scan project dependencies for license compatibility issues, GPL contamination, and compliance violations. Supports npm, pip, Go, Rust, and Ruby ecosystems. U...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Benign, medium confidence

Purpose & Capability
Name, description, SKILL.md usage, and the included Python script all align with a dependency license auditor. Minor mismatch: SKILL.md and quick-start examples run `python3 scripts/license_audit.py` but the skill metadata declares no required binaries; declaring `python3` (or ensuring it exists) would be expected. Otherwise the required files and behaviors are coherent with the stated purpose.
Instruction Scope
The runtime instructions tell the agent to run the included Python script against a project directory and to optionally create/read a .license-policy.json. The script (visible portions) only reads local project files (package.json, package-lock.json, node_modules, requirements.txt, Pipfile, pyproject.toml, go.mod, Cargo.toml, Gemfile) and emits reports/CI exit codes. There are no instructions to read unrelated system files or to transmit results to external endpoints in the parts shown.
Install Mechanism
No install spec is provided and the skill is instruction-only with an included script. There are no downloads or external install URLs. This is low-risk from an install mechanism perspective.
Credentials
The skill requests no environment variables, no credentials, and no config paths outside the project directory. That is proportionate for a local license-scanning tool.
Persistence & Privilege
`always` is false and the skill does not request elevated or persistent system privileges in the provided files. It does not attempt to modify other skills or global agent configuration in the parts shown.
Assessment
This skill appears to do what it claims: a local license audit using the included Python script. Before installing or running it on sensitive repositories:
1) Inspect the complete scripts/license_audit.py file (the provided snippet was truncated) to confirm there are no network calls, credential reads, or unexpected file writes in the unseen portion.
2) Ensure Python 3 is available (SKILL.md uses `python3` but the skill metadata doesn't declare it).
3) Run the scanner on a copied/test repository or inside a container to avoid accidental data exposure.
4) Note the script has at least one obvious bug/typo in the shown pip parser (an apparent 'Fals' typo) — test it on sample projects first.
5) Review and control any .license-policy.json files and CI artifact handling: policy exceptions skip packages (which may hide problems) and saving reports as CI artifacts may expose dependency details.
If you want higher assurance, request the full, untruncated source and a runtime test log before enabling this skill in CI.
