77 downloads, 0 stars, 1 active install, 1 version
Install in OpenClaw: /install nm-leyline-supply-chain-advisory
Description
Supply chain security patterns for dependency management: known-bad version detection, incident response, lockfile auditing, and artifact scanning
Usage Guidance
This skill is coherent with a supply-chain incident-response role and is instruction-only (no install or external downloads). Before using:
- Review any commands that search your home or project directories and restrict paths to only the projects you intend to scan (avoid automated whole-home scans unless needed).
- Be aware that the IR checklist recommends capturing the full environment (env > /tmp/...), which will include secrets; treat those snapshots as highly sensitive, store them securely, and delete them when no longer needed.
- Verify where known-bad-versions.json will be stored and who can read/write it.
- Do not run suggested commands as root unless unavoidable.
- If you enable autonomous agent invocation, ensure the agent is permitted only to suggest actions (not to execute destructive remediation) unless you fully trust the environment.
If you want higher assurance, request or inspect the project's known-bad-versions.json and any team-specific hooks referenced in the metadata before enabling the skill.
Capability Assessment
Purpose & Capability
Name/description (supply-chain advisory for dependency management) align with the provided guidance: lockfile parsing, artifact scanning, blocklist management, and incident-response checklists. The declared config path (night-market.error-patterns) is plausibly a platform config the skill expects; its use is referenced in metadata though not elaborated in the human-facing text (minor mismatch but not a functional red flag).
Instruction Scope
SKILL.md instructs scanning lockfiles, searching home/project trees, and capturing environment snapshots (env > /tmp/...). Those steps fall inside legitimate incident-response workflows but do involve broad filesystem scanning and collection of environment variables (which may include secrets). The instructions do not direct data to external endpoints or request unrelated system modifications.
Install Mechanism
No install spec and no code files to run at install time — the skill is instruction-only, which minimizes install-time risk. The embedded Python snippets are examples for implementers, not executables fetched at install.
Credentials
The skill does not require environment variables or credentials in its manifest, which is proportional. However, the incident-response guidance explicitly captures the full environment for forensics; capturing env is reasonable in IR but is sensitive because it can expose secrets — this is a functional necessity rather than an unjustified request for credentials.
Persistence & Privilege
The skill is not always-on, does not request elevated platform privileges, and does not modify other skills' configs. Agent autonomous invocation is allowed (platform default) but not combined with other concerning flags.
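To make the lockfile-auditing and blocklist steps assessed above concrete, here is an added example of the kind of check an implementer would write; it is not code from the skill or from the listing. The schema of known-bad-versions.json is not shown on this page, so the package-to-versions mapping below, the advisory labels, and the pinned requirements.txt-style lockfile are all constructed for the example.

```python
import json
import re

# Constructed blocklist. The real known-bad-versions.json schema is not given on
# the page; this {package: {versions, advisory}} layout is an assumption.
KNOWN_BAD_JSON = """
{
  "requests": {"versions": ["2.99.0"], "advisory": "EXAMPLE-0001 (constructed)"},
  "urllib3":  {"versions": ["1.0.0", "1.0.1"], "advisory": "EXAMPLE-0002 (constructed)"}
}
"""

# Constructed pip-style lockfile: '==' pins, a hash continuation line, and a
# package name whose capitalisation differs from the blocklist entry.
LOCKFILE = """\
requests==2.99.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
urllib3==2.2.1
Certifi==2024.2.2
"""

# Matches "name==version" at line start; stops at whitespace, '\', ';' or '#'.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s\\;#]+)")


def normalize(name):
    # PEP 503 name normalisation so "Certifi" and "certifi" compare equal.
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(lockfile_text):
    """Return {normalized_name: version} for every '==' pin in the lockfile."""
    pins = {}
    for line in lockfile_text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def audit(lockfile_text, known_bad_json):
    """Return (package, pinned_version, advisory) for each pin on the blocklist."""
    blocklist = {normalize(k): v for k, v in json.loads(known_bad_json).items()}
    hits = []
    for name, version in parse_pins(lockfile_text).items():
        entry = blocklist.get(name)
        if entry and version in entry["versions"]:
            hits.append((name, version, entry["advisory"]))
    return hits


if __name__ == "__main__":
    for name, version, advisory in audit(LOCKFILE, KNOWN_BAD_JSON):
        print(f"BLOCKED {name}=={version}: {advisory}")
```

The check is read-only and scoped to the lockfile text it is handed, which matches the guidance above to restrict scans to intended project paths.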
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install nm-leyline-supply-chain-advisory
- After installation, invoke the skill by name or use /nm-leyline-supply-chain-advisory
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of the supply-chain-advisory skill.
- Provides patterns for detecting, preventing, and responding to compromised Python dependencies.
- Includes support for known-bad version detection, incident response, lockfile auditing, and artifact scanning.
- Offers guidance for configuring blocklists and responding to supply chain advisories.
- Designed for use after supply chain alerts, during audits, and for incident response.
Frequently Asked Questions
What is Nm Leyline Supply Chain Advisory?
Supply chain security patterns for dependency management: known-bad version detection, incident response, lockfile auditing, and artifact scanning. It is an AI Agent Skill for Claude Code / OpenClaw, with 77 downloads so far.
How do I install Nm Leyline Supply Chain Advisory?
Run "/install nm-leyline-supply-chain-advisory" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Nm Leyline Supply Chain Advisory free?
Yes, Nm Leyline Supply Chain Advisory is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Nm Leyline Supply Chain Advisory support?
Nm Leyline Supply Chain Advisory is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Nm Leyline Supply Chain Advisory?
It is built and maintained by athola (@athola); the current version is v1.0.0.