Dependency Guard

v1.0.1

Use when a task adds, upgrades, removes, or reviews software dependencies and the agent should apply a Socket-based supply-chain guardrail before changing ma...

by Hung Vo @tuthan
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill is explicitly a Socket-backed dependency review helper and declares the socket CLI as required; that aligns with the description and workflow. Included references and decision logic match the stated goal of approving/blocking dependency changes.
Instruction Scope
Runtime instructions direct the agent to use MCP depscore or the socket CLI and to run the bundled scripts/check_dependency.sh which only invokes the socket CLI and reads local manifests/reports. This is in-scope. Minor note: the SKILL.md and examples reference environment variables (SOCKET_SECURITY_API_TOKEN, SOCKET_SECURITY_API_KEY, GH_API_TOKEN) and interactive `socket login` flows that are optional but sensitive; those env vars are not declared in requires.env.
Install Mechanism
No install spec is provided (instruction-only with a small helper script). The only runtime dependency is the socket CLI, which the skill documents installing via npm; no external downloads or extraction of arbitrary archives occur in the skill bundle.
Credentials
The skill does not require credentials by default, which is proportional. However SKILL.md and examples mention several optional tokens (SOCKET_SECURITY_API_TOKEN for headless CLI auth, SOCKET_SECURITY_API_KEY for GitHub integration, GH_API_TOKEN) — these are reasonable for CI or Socket integration but are not declared in requires.env, and the example uses a different Socket env var name than the SKILL.md. This mismatch is benign but worth noting so users don't accidentally supply secrets in the wrong place.
Persistence & Privilege
The skill is not always-on and does not request system-wide privileges. It does not modify other skills or system settings. It runs a helper script and the socket CLI only when invoked.
Assessment
This skill appears to do what it says: it runs the Socket CLI (or MCP depscore) to produce a dependency review report. Before installing or invoking it: 1) ensure the socket CLI you install is from the official source (npm package 'socket' or your org's vetted binary); 2) prefer using MCP depscore or an environment variable for CI (SOCKET_SECURITY_API_TOKEN) rather than pasting private tokens into interactive prompts; 3) be aware the skill may read repository manifests and write temporary report files under tmp/; 4) note the documentation/examples reference several env vars (SOCKET_SECURITY_API_TOKEN vs SOCKET_SECURITY_API_KEY vs GH_API_TOKEN) — confirm which tokens your environment needs and avoid exposing secrets to untrusted prompts. If those three points are acceptable, the skill is coherent and appropriate for its purpose.




Runtime requirements

🛡️ Clawdis
Bins: socket
