← Back to Skills Marketplace
Skill Dependency Chain Auditor
by
andyxinweiminicloud
· GitHub ↗
· v1.0.0
426
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install skill-dependency-chain-auditor
Description
Helps audit transitive skill dependency chains in agent compositions — catching the class of risk where a skill's direct dependencies appear safe but a depen...
Usage Guidance
This skill appears internally consistent for auditing dependency chains. Before installing, confirm where it will fetch metadata from (public marketplace, vendor APIs, internal registries) and whether you need to provide credentials for private registries — the SKILL.md does not list endpoints or credential requirements. Because it uses curl and python3 at runtime, it will perform network requests and run analysis locally; if you are concerned about data leakage, run it in an environment with restricted network access or provide only limited/ephemeral credentials for private registries. If you need stronger assurance, ask the publisher for the exact data sources and a sample audit run so you can verify the tool's behavior and outputs.
Capability Analysis
Type: OpenClaw Skill
Name: skill-dependency-chain-auditor
Version: 1.0.0
The skill bundle describes a 'skill-dependency-chain-auditor' designed to identify vulnerabilities in transitive skill dependencies. The `SKILL.md` clearly outlines its purpose, how it works, and the types of risks it aims to detect (e.g., undeclared network capabilities, unpinned versions, trust degradation). It requires `curl` and `python3`, which are plausible tools for fetching and processing skill metadata in an auditing context. There is no evidence of prompt injection attempts against the AI agent, nor any indication of malicious intent such as data exfiltration, unauthorized execution, or persistence mechanisms. The skill's documentation consistently focuses on identifying and mitigating security risks in *other* skills, not performing them itself.
Capability Assessment
Purpose & Capability
Name/description match the requested tools and behavior: auditing transitive dependency chains reasonably requires network access (curl) and analysis tooling (python3). No unrelated binaries, credentials, or config paths are requested.
Instruction Scope
SKILL.md is an instruction-only spec describing inputs and outputs but does not enumerate the data sources/endpoints it will query or how it will obtain audit records. That gives the agent discretion to use curl/python3 to fetch metadata from registries or public directories — expected for this auditor, but verify what registries or endpoints it will contact if you need to limit network access.
Install Mechanism
No install spec and no code files — lowest install risk. The skill is purely instruction-based and does not download or write archives to disk.
Credentials
The skill requests no environment variables, credentials, or config paths. For audits of private/internal registries you would need to supply credentials separately; absence of such variables is coherent for a public-auditing tool.
Persistence & Privilege
always:false and no privileged config modifications. Autonomous invocation is allowed (platform default) but there is no persistent presence or cross-skill config changes requested.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install skill-dependency-chain-auditor - After installation, invoke the skill by name or use
/skill-dependency-chain-auditor - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of skill-dependency-chain-auditor.
- Audits transitive dependency chains for agent skills, exposing hidden vulnerabilities.
- Detects trust gradients, version pinning issues, and shared/circular/diamond dependency patterns.
- Provides full inventory of transitive dependencies with trust level assessments.
- Analyzes aggregated capabilities and flags undeclared permission propagation.
- Outputs a detailed audit report with actionable recommendations and a chain integrity verdict.
Metadata
Frequently Asked Questions
What is Skill Dependency Chain Auditor?
Helps audit transitive skill dependency chains in agent compositions — catching the class of risk where a skill's direct dependencies appear safe but a depen... It is an AI Agent Skill for Claude Code / OpenClaw, with 426 downloads so far.
How do I install Skill Dependency Chain Auditor?
Run "/install skill-dependency-chain-auditor" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Skill Dependency Chain Auditor free?
Yes, Skill Dependency Chain Auditor is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Skill Dependency Chain Auditor support?
Skill Dependency Chain Auditor is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Skill Dependency Chain Auditor?
It is built and maintained by andyxinweiminicloud (@andyxinweiminicloud); the current version is v1.0.0.
More Skills