dependency-license-audit

by charlie-morrison · GitHub ↗ · v1.0.0 · MIT-0
Description
Scan project dependencies for license compatibility issues, GPL contamination, and compliance violations. Supports npm, pip, Go, Rust, and Ruby ecosystems. U...
README (SKILL.md)

Dependency License Audit

Scan project dependencies for license compatibility issues across multiple ecosystems.

Quick Start

# Basic scan (permissive policy)
python3 scripts/license_audit.py /path/to/project

# Strict enterprise scan with CI exit codes
python3 scripts/license_audit.py /path/to/project --policy permissive --ci --format markdown

# Allow weak copyleft (LGPL, MPL)
python3 scripts/license_audit.py /path/to/project --policy weak-copyleft

# Include transitive deps (npm)
python3 scripts/license_audit.py /path/to/project --include-transitive

# JSON output for tooling
python3 scripts/license_audit.py /path/to/project --format json

Supported Ecosystems

| Ecosystem | Files Parsed | License Source |
|---|---|---|
| npm | package.json, package-lock.json, node_modules/*/package.json | Package metadata |
| pip | requirements.txt, Pipfile, pyproject.toml | Installed package metadata |
| Go | go.mod | Manual/UNKNOWN (no local metadata) |
| Rust | Cargo.toml | Manual/UNKNOWN (no local metadata) |
| Ruby | Gemfile | Manual/UNKNOWN (no local metadata) |

npm and pip auto-detect licenses from installed packages. Go/Rust/Ruby report UNKNOWN unless packages are installed — review manually.

Policies

| Policy | Allows | Use When |
|---|---|---|
| permissive (default) | MIT, Apache-2.0, BSD, ISC, etc. | Proprietary/commercial projects |
| weak-copyleft | + LGPL, MPL, EPL | Library consumers (dynamic linking) |
| any-open | All OSI-approved | Open-source projects |
| custom | User-defined | Enterprise with specific requirements |

For custom policy setup, see references/custom-policy.md.

Output Formats

  • text — Human-readable terminal output (default)
  • json — Machine-readable for CI pipelines and tooling
  • markdown — Report with tables, suitable for PRs or documentation

CI Exit Codes

With --ci flag:

  • 0 — No issues
  • 1 — Warnings only (unknown licenses)
  • 2 — Policy violations found

License Classifications

The scanner classifies licenses into categories:

  • permissive — MIT, Apache-2.0, BSD, ISC, Unlicense, CC0, etc.
  • weak-copyleft — LGPL, MPL, EPL, CDDL (modifications must be shared, but linking is OK)
  • strong-copyleft — GPL, AGPL, SSPL (derivative works inherit the license)
  • proprietary — UNLICENSED or commercial indicators
  • unknown — Not recognized; manual review needed

SPDX expressions (MIT OR Apache-2.0, MIT AND BSD-3-Clause) are evaluated: OR picks most permissive, AND picks most restrictive.
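An added example, not the skill's own scripts/license_audit.py and not code by its author: a small Python classifier that implements the category list above, the SPDX rule (OR picks the most permissive alternative, AND the most restrictive component, with AND binding tighter than OR as in the SPDX spec), the three built-in policies, and the --ci exit codes (0, 1, 2). The category table, the rank ordering used to decide "most permissive", the handling of unrecognized or malformed license strings, and the sample dependency list are this example's own assumptions; "any-open" is approximated by category rather than by an OSI-approved list.

```python
"""Added example (not the skill's scripts/license_audit.py): classify license
identifiers, evaluate SPDX expressions (OR -> most permissive alternative,
AND -> most restrictive component), apply a policy, and return the --ci
exit code described in the README (0 clean, 1 warnings only, 2 violations)."""
import re

# Rank used to decide "most permissive" / "most restrictive"; the ordering is
# this example's assumption, not something the README spells out.
CATEGORY_RANK = {"permissive": 0, "weak-copyleft": 1, "strong-copyleft": 2,
                 "proprietary": 3, "unknown": 4}

# Small hand-built lookup table (constructed for this example); a real scanner
# would load the full SPDX license list.
LICENSE_CATEGORIES = {
    "MIT": "permissive", "Apache-2.0": "permissive", "BSD-2-Clause": "permissive",
    "BSD-3-Clause": "permissive", "ISC": "permissive", "Unlicense": "permissive",
    "CC0-1.0": "permissive",
    "LGPL-2.1-only": "weak-copyleft", "LGPL-3.0-only": "weak-copyleft",
    "MPL-2.0": "weak-copyleft", "EPL-2.0": "weak-copyleft", "CDDL-1.0": "weak-copyleft",
    "GPL-2.0-only": "strong-copyleft", "GPL-3.0-only": "strong-copyleft",
    "AGPL-3.0-only": "strong-copyleft", "SSPL-1.0": "strong-copyleft",
    "UNLICENSED": "proprietary",
}

# Policy name -> categories it allows. "any-open" is approximated by category
# here (a real OSI-approved check would exclude licenses such as SSPL).
POLICIES = {
    "permissive": {"permissive"},
    "weak-copyleft": {"permissive", "weak-copyleft"},
    "any-open": {"permissive", "weak-copyleft", "strong-copyleft"},
}

_TOKEN = re.compile(r"\(|\)|\bAND\b|\bOR\b|[A-Za-z0-9.+-]+")


def classify(license_id: str) -> str:
    """Map one license identifier to a category; anything unrecognized is 'unknown'."""
    lid = license_id.strip().rstrip("+")          # "GPL-2.0+" -> GPL-2.0 family
    for candidate in (lid, lid + "-only"):        # accept deprecated short ids like "GPL-3.0"
        if candidate in LICENSE_CATEGORIES:
            return LICENSE_CATEGORIES[candidate]
    return "unknown"


def evaluate_spdx(expression: str) -> str:
    """Reduce an SPDX expression to one category. AND binds tighter than OR,
    parentheses group. Malformed or non-SPDX input evaluates to 'unknown'."""
    tokens = _TOKEN.findall(expression)
    pos = 0

    def parse_or():
        nonlocal pos
        result = parse_and()
        while pos < len(tokens) and tokens[pos] == "OR":
            pos += 1
            result = min(result, parse_and(), key=CATEGORY_RANK.__getitem__)
        return result

    def parse_and():
        nonlocal pos
        result = parse_atom()
        while pos < len(tokens) and tokens[pos] == "AND":
            pos += 1
            result = max(result, parse_atom(), key=CATEGORY_RANK.__getitem__)
        return result

    def parse_atom():
        nonlocal pos
        tok = tokens[pos]                          # IndexError on truncated input is caught below
        pos += 1
        if tok == "(":
            inner = parse_or()
            if tokens[pos] != ")":
                raise ValueError("unbalanced parentheses")
            pos += 1
            return inner
        if tok in ("AND", "OR", ")"):
            raise ValueError("operator where a license id was expected")
        return classify(tok)

    try:
        result = parse_or()
    except (IndexError, ValueError):
        return "unknown"
    # Leftover tokens (e.g. "SEE LICENSE IN LICENSE.txt") mean the string was
    # never a valid SPDX expression: flag for manual review rather than guess.
    return result if pos == len(tokens) else "unknown"


def audit(dependencies: dict, policy: str = "permissive"):
    """dependencies maps package name -> license string from its metadata.
    Returns (violations, warnings, exit_code) using the README's --ci codes."""
    allowed = POLICIES[policy]
    violations, warnings = [], []
    for name, expr in sorted(dependencies.items()):
        category = evaluate_spdx(expr)
        if category == "unknown":
            warnings.append((name, expr))
        elif category not in allowed:
            violations.append((name, expr, category))
    return violations, warnings, 2 if violations else (1 if warnings else 0)


# Constructed sample inventory (not taken from any real project).
SAMPLE_DEPENDENCIES = {
    "left-pad": "MIT",
    "dual-licensed": "(MIT OR GPL-3.0-only)",     # OR -> permissive alternative wins
    "bundle": "MIT AND LGPL-2.1-only",             # AND -> weak-copyleft dominates
    "gpl-tool": "GPL-3.0-only",
    "closed-src": "UNLICENSED",
    "mystery": "SEE LICENSE IN LICENSE.txt",       # not SPDX -> unknown -> warning
}

if __name__ == "__main__":
    import sys
    for policy in POLICIES:
        violations, warnings, code = audit(SAMPLE_DEPENDENCIES, policy)
        print(f"policy={policy} exit={code}")
        for name, expr, category in violations:
            print(f"  VIOLATION {name}: {expr} -> {category}")
        for name, expr in warnings:
            print(f"  WARNING   {name}: {expr} (unknown license, review manually)")
    sys.exit(audit(SAMPLE_DEPENDENCIES)[2])     # mirrors --ci behaviour for the default policy
```

Run stand-alone, the script prints the result for each built-in policy and exits 2, because the constructed inventory contains a GPL and an UNLICENSED package. The "mystery" entry shows the design choice that matters operationally: a string that is not a valid SPDX expression is reported as a warning (exit 1 when it is the only finding) rather than silently treated as permissive.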

Workflow

  1. Run audit against project directory
  2. Review violations and warnings in output
  3. For each violation, follow the recommendations provided
  4. Optionally create .license-policy.json for custom rules
  5. Add --ci flag to CI pipeline for automated enforcement

Usage Guidance

This skill appears to do what it claims: a local license audit using the included Python script. Before installing or running it on sensitive repositories:

  1. Inspect the complete scripts/license_audit.py file (the provided snippet was truncated) to confirm there are no network calls, credential reads, or unexpected file writes in the unseen portion.
  2. Ensure Python 3 is available (SKILL.md uses `python3` but the skill metadata doesn't declare it).
  3. Run the scanner on a copied/test repository or inside a container to avoid accidental data exposure.
  4. Note the script has at least one obvious bug/typo in the shown pip parser (an apparent 'Fals' typo) — test it on sample projects first.
  5. Review and control any .license-policy.json files and CI artifact handling: policy exceptions skip packages (which may hide problems) and saving reports as CI artifacts may expose dependency details.

If you want higher assurance, request the full, untruncated source and a runtime test log before enabling this skill in CI.
Capability Analysis

Type: OpenClaw Skill
Name: dependency-license-audit
Version: 1.0.0

The dependency-license-audit skill is a legitimate utility designed to scan project dependency files (like package.json, requirements.txt, and go.mod) for license compliance. The core logic in scripts/license_audit.py uses standard Python libraries to parse local files and metadata, lacks any network connectivity or data exfiltration capabilities, and contains no evidence of malicious intent or obfuscation.
Capability Assessment
Purpose & Capability
Name, description, SKILL.md usage, and the included Python script all align with a dependency license auditor. Minor mismatch: SKILL.md and quick-start examples run `python3 scripts/license_audit.py` but the skill metadata declares no required binaries; declaring `python3` (or ensuring it exists) would be expected. Otherwise the required files and behaviors are coherent with the stated purpose.
Instruction Scope
The runtime instructions tell the agent to run the included Python script against a project directory and to optionally create/read a .license-policy.json. The script (visible portions) only reads local project files (package.json, package-lock.json, node_modules, requirements.txt, Pipfile, pyproject.toml, go.mod, Cargo.toml, Gemfile) and emits reports/CI exit codes. There are no instructions to read unrelated system files or to transmit results to external endpoints in the parts shown.
Install Mechanism
No install spec is provided and the skill is instruction-only with an included script. There are no downloads or external install URLs. This is low-risk from an install mechanism perspective.
Credentials
The skill requests no environment variables, no credentials, and no config paths outside the project directory. That is proportionate for a local license-scanning tool.
Persistence & Privilege
The `always` metadata flag is false and the skill does not request elevated or persistent system privileges in the provided files. It does not attempt to modify other skills or global agent configuration in the parts shown.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install dependency-license-audit
  3. After installation, invoke the skill by name or use /dependency-license-audit
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Slug dependency-license-audit
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is dependency-license-audit?

Scan project dependencies for license compatibility issues, GPL contamination, and compliance violations. Supports npm, pip, Go, Rust, and Ruby ecosystems. U... It is an AI Agent Skill for Claude Code / OpenClaw, with 102 downloads so far.

How do I install dependency-license-audit?

Run "/install dependency-license-audit" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is dependency-license-audit free?

Yes, dependency-license-audit is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does dependency-license-audit support?

dependency-license-audit is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created dependency-license-audit?

It is built and maintained by charlie-morrison (@charlie-morrison); the current version is v1.0.0.
