dep-audit
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may approve a scan believing only lockfiles are read, while the Go path can inspect local project packages/source structure.
The Go audit runs govulncheck across all packages under the target directory, which is broader than a lockfile-only dependency read and conflicts with SECURITY.md claims that project source code is never accessed.
RAW=$(cd "$DIR" && run_timeout 60 govulncheck -json ./... 2>/dev/null)
Update the documentation to clearly disclose Go source/package analysis, or change the Go workflow to a mode that only uses dependency metadata if that is the intended behavior.

Running an audit could leave files behind or overwrite same-named files in the working directory without the user explicitly asking for saved output.
The normal audit workflow instructs the agent to write fixed output filenames. This can overwrite existing unified.json or report.md files, while the declared write permission is described as on-request for SBOM generation.
bash <skill_dir>/scripts/aggregate.sh <npm_result.json> <pip_result.json> ... 1>unified.json 2>report.md
Use temporary files by default, ask before writing reports into the project, and avoid fixed filenames unless the user chooses them.

If the user confirms, dependency files or local environments may be changed by commands such as npm audit fix or pip install.
The skill can suggest and potentially run dependency-fix commands, but the artifact explicitly requires user confirmation before mutation.
Ask for explicit confirmation before running ANY fix command. Never batch-run fix commands silently.
Review each proposed fix command, use a branch or backup, and confirm only the changes you want.

Installing missing tools from remote or latest-version sources can run third-party code on the local machine.
The documented SBOM tool install path includes a remote shell installer. It is not shown as automatically executed, but users should recognize the supply-chain implications.
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh
Install audit tools from trusted package managers where possible, verify installer sources, and pin versions when appropriate.
