dep-audit
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to do dependency auditing, but it under-describes some local source access and default file writes, so it deserves review before installation.
Install only if you are comfortable with local audit tools running in your project and contacting their advisory databases. Before use, clarify where report files will be written, avoid running it in sensitive directories unless intended, and review any install or fix commands before approving them.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may approve a scan believing only lockfiles are read, while the Go path can inspect local project packages/source structure.
The Go audit runs govulncheck across all packages under the target directory, which is broader than a lockfile-only dependency read and conflicts with SECURITY.md claims that project source code is never accessed.
RAW=$(cd "$DIR" && run_timeout 60 govulncheck -json ./... 2>/dev/null)
Update the documentation to clearly disclose Go source/package analysis, or change the Go workflow to a mode that only uses dependency metadata if that is the intended behavior.
Running an audit could leave files behind or overwrite same-named files in the working directory without the user explicitly asking for saved output.
The normal audit workflow instructs the agent to write to fixed output filenames. This can overwrite existing unified.json or report.md files, while the declared write permission is described as on-request for SBOM generation only.
bash <skill_dir>/scripts/aggregate.sh <npm_result.json> <pip_result.json> ... 1>unified.json 2>report.md
Use temporary files by default, ask before writing reports into the project, and avoid fixed filenames unless the user chooses them.
If the user confirms, dependency files or local environments may be changed by commands such as npm audit fix or pip install.
The skill can suggest and potentially run dependency-fix commands, but the artifact explicitly requires user confirmation before mutation.
Ask for explicit confirmation before running ANY fix command. Never batch-run fix commands silently.
Review each proposed fix command, use a branch or backup, and confirm only the changes you want.
Installing missing tools from remote or latest-version sources can run third-party code on the local machine.
The documented SBOM tool install path includes a remote shell installer. It is not shown as automatically executed, but users should recognize the supply-chain implications.
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh
Install audit tools from trusted package managers where possible, verify installer sources, and pin versions when appropriate.
