DepGuard
v1.0.1
Scan project dependencies for vulnerabilities and license compliance, and generate security or compliance reports using native package manager audits.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Benign, high confidence

Purpose & Capability
The skill name/description (dependency vulnerability & license scanning) matches the code and runtime instructions. Required binaries (git, bash) and the optional brew install of lefthook make sense for installing and running git hooks. The primary credential (DEPGUARD_LICENSE_KEY) is used only to gate Pro/Team features.
Instruction Scope
Runtime instructions run local audit tools (npm audit, pip-audit, cargo-audit, govulncheck, etc.), parse manifests/node_modules for license data, and optionally install lefthook hooks that call the scanner. All actions are local; there are no network 'phone-home' steps in the scripts. Notable: the hooks install writes/edits repository lefthook.yml and configures pre-commit hooks that will source the skill's scanner script from the user's skills directory on each commit — this is expected for continuous monitoring but does mean commits will execute code from the skill directory.
Install Mechanism
Install spec is a single Homebrew formula (lefthook) — a standard package install from a well-known channel. The skill bundle contains shell scripts and a lefthook config; there are no downloads from untrusted URLs or extracted archives in the install spec.
Credentials
The only declared secret is DEPGUARD_LICENSE_KEY and that is used solely to gate Pro/Team features via local JWT decoding. The scripts also read ~/.openclaw/openclaw.json (to find a stored apiKey) even though 'required config paths' was declared as none — this is a minor metadata mismatch. The code optionally uses python, node, or jq when available to parse files; those are optional helpers, not required secrets.
Persistence & Privilege
always:false (no forced always-on). Installing hooks modifies repository lefthook.yml and runs lefthook install to wire pre-commit hooks — appropriate for a tool that blocks commits on bad dependencies, but it does grant the skill the ability to run code during commit operations by sourcing the skill's scanner script (from ~/.openclaw/skills/depguard by default or a DEPGUARD_SKILL_DIR override). Users should accept that repository hook changes will be made when installing Pro hooks.
Assessment
DepGuard appears coherent for its stated purpose, but review and accept a few behaviors before installing:
1) Hooks: 'depguard hooks install' will edit or create your repository's lefthook.yml and install a pre-commit hook that will source and run the skill's scanner script on relevant commits. This means commit operations can execute the skill's shell code — ensure you trust the skill source and that the skill files remain under your control.
2) License key handling: store DEPGUARD_LICENSE_KEY securely (env var or ~/.openclaw/openclaw.json). The skill decodes the JWT locally (no network calls), but it will read your OpenClaw config file if present (the manifest incorrectly lists 'required config paths: none').
3) Optional tools: full features use node, python, jq, and native audit tools (npm, pip-audit, cargo-audit, govulncheck). Without those, DepGuard falls back to less-detailed checks.
4) Inspect the scripts (already included) before use; if you don't want hooks to source code from ~/.openclaw/skills/depguard, set DEPGUARD_SKILL_DIR to a controlled location or avoid installing hooks. If you need to be more cautious (e.g., enterprise policy), test the tool in an isolated repo first.
latest: vk97a0da82616dsg54yb3zvddmn8151jf
Runtime requirements
🛡️ Clawdis
OS: macOS · Linux · Windows
Bins: git, bash
Primary env: DEPGUARD_LICENSE_KEY
Install
Install lefthook (git hooks manager)
Bins: lefthook
brew install lefthook