
Dep Vuln Scanner

by John Wang · GitHub ↗ · v1.0.0 · MIT-0
cross-platform · Security: Clean · 218 downloads · 0 stars · 1 active install · 1 version
Install in OpenClaw
/install dep-vuln-scanner
Description
Scan project dependencies for known security vulnerabilities using the OSV.dev API. Supports npm (package.json), Python/pip (requirements.txt), and Go (go.mo...
README (SKILL.md)

Dependency Vulnerability Scanner

Scan project dependencies against the OSV.dev vulnerability database. Zero config, no API keys.

Quick Start

# Scan current directory (auto-detects project type)
python3 scripts/dep_vuln_scan.py .

# Scan a specific project
python3 scripts/dep_vuln_scan.py /path/to/project

# JSON output for CI/CD
python3 scripts/dep_vuln_scan.py . --json

# Scan only npm dependencies
python3 scripts/dep_vuln_scan.py . --ecosystem npm

Supported Ecosystems

File                Ecosystem
package.json        npm
requirements.txt    PyPI
go.mod              Go

Multiple files in the same directory are scanned together.

Output

  • Color-coded severity: CRITICAL/HIGH (red), MEDIUM (yellow), LOW (green)
  • Includes CVE aliases, vulnerability IDs, and descriptions
  • Summary with total count and critical/high breakdown
  • Exit code 1 if any vulnerabilities found (useful for CI gates)

Flags

  • --json — Machine-readable JSON output
  • --ecosystem <name> — Filter by ecosystem (repeatable)

Usage Guidance
The skill appears coherent and limited to scanning dependency files and querying OSV.dev. Before installing or running it: (1) review the included script locally (it is small and readable); (2) run it in a sandbox or CI job first if you have concerns about provenance; (3) be aware it needs outbound HTTPS to api.osv.dev and will silently ignore HTTP/network errors (you may want to run with network logging to confirm correct behavior); (4) because the source/packager metadata and homepage are missing, prefer to run the script from a trusted environment or add it to source control after review.
Capability Analysis
Type: OpenClaw Skill
Name: dep-vuln-scanner
Version: 1.0.0
The skill is a legitimate dependency vulnerability scanner that checks project files (package.json, requirements.txt, go.mod) against the public OSV.dev API. The Python script (scripts/dep_vuln_scan.py) uses standard libraries, contains no obfuscation, and only transmits package names and versions to the official API endpoint (api.osv.dev), with no evidence of data exfiltration or malicious execution.
Capability Assessment
Purpose & Capability
Name/description match the provided script and SKILL.md. The script only parses package.json, requirements.txt, and go.mod and queries the OSV.dev API — exactly what you'd expect for a dependency vulnerability scanner.
Instruction Scope
SKILL.md instructs running the included Python script against a project directory. The runtime instructions and script only read dependency files in the target directory and make HTTPS calls to api.osv.dev. The script does not attempt to read other system files, environment variables, or exfiltrate data to unexpected endpoints. Note: network failures and HTTP errors are silently swallowed by the script, which may hide connectivity problems.
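To make the pipeline described in the README (Supported Ecosystems, Output) and in the assessment above concrete, here is an added example that is not the skill's own scripts/dep_vuln_scan.py: it parses the three manifest formats the skill supports, builds the body for the OSV.dev /v1/querybatch endpoint, maps the batch reply back onto the queries, and, unlike the behaviour noted above, raises on network or HTTP failures so a CI gate cannot pass on a lookup that never happened. The sample manifests, the sample reply and the EXAMPLE-VULN ids are constructed; the OSV ecosystem names (npm, PyPI, Go) and the querybatch request/response shape are OSV's documented ones, while stripping the leading "v" from Go versions before querying is an assumption about how OSV lists Go versions.

```python
"""Added example (not the skill's own scripts/dep_vuln_scan.py): parse the three
manifests dep-vuln-scanner supports, build an OSV.dev /v1/querybatch body and
raise on network/HTTP failures instead of swallowing them. Samples are constructed."""
import json
import re
import urllib.error
import urllib.request

OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"

# Constructed sample inputs (not real project files).
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"lodash": "^4.17.20", "express": "4.18.2"},
    "devDependencies": {"jest": "~29.7.0"}})
SAMPLE_REQUIREMENTS_TXT = """\
requests==2.31.0
Django == 4.2.1   # inline comment
flask>=2.0        # unpinned range: no single version to query, skipped
-r other.txt
"""
SAMPLE_GO_MOD = """\
require (
    github.com/gin-gonic/gin v1.9.0
    golang.org/x/text v0.3.7 // indirect
)
require github.com/stretchr/testify v1.8.4
"""
# Constructed querybatch-shaped reply, one entry per query in query order. Real
# replies carry only "id" and "modified"; details need GET /v1/vulns/{id}.
SAMPLE_RESPONSE = {"results": [
    {"vulns": [{"id": "EXAMPLE-VULN-0001"}]}, {}, {}, {}, {},
    {"vulns": [{"id": "EXAMPLE-VULN-0002"}]}, {}, {}]}

def parse_package_json(text):
    """(name, version) from dependencies + devDependencies. Range prefixes (^ ~ >=)
    are stripped since OSV needs one concrete version; a lockfile is more accurate."""
    out = []
    data = json.loads(text)
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            m = re.fullmatch(r"[\^~>=<\s]*v?(\d+\.\d+\.\d+[\w.+-]*)", spec.strip())
            if m:  # git URLs, tags and other non-version specs are skipped
                out.append((name, m.group(1)))
    return out

def parse_requirements_txt(text):
    """Only '==' pins are queryable; comments, options (-r/-e) and ranges are
    skipped. Names are normalized PEP 503 style (lowercase, '_' -> '-')."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)(\[[^\]]*\])?\s*==\s*([\w.+!-]+)", line)
        if m:
            out.append((m.group(1).lower().replace("_", "-"), m.group(3)))
    return out

def parse_go_mod(text):
    """Module path + version from single-line and block 'require' directives; the
    leading 'v' is dropped (assumption: OSV's Go entries use bare semver)."""
    out, in_block = [], False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if line.startswith("require") and line.endswith("("):
            in_block = True
        elif line == ")":
            in_block = False
        elif in_block or line.startswith("require "):
            parts = line.removeprefix("require ").split()
            if len(parts) == 2 and parts[1].startswith("v"):
                out.append((parts[0], parts[1][1:]))
    return out

def build_querybatch(deps_by_ecosystem):
    """POST body for /v1/querybatch; keys are OSV ecosystem names (npm, PyPI, Go)."""
    return {"queries": [{"package": {"name": n, "ecosystem": eco}, "version": v}
                        for eco, deps in deps_by_ecosystem.items() for n, v in deps]}

class OsvLookupError(RuntimeError):
    """Transport/HTTP failure; swallowing it would report 'clean' without checking."""

def query_osv(body, opener=urllib.request.urlopen, timeout=20):
    req = urllib.request.Request(OSV_QUERYBATCH_URL, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    try:
        with opener(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        raise OsvLookupError(f"OSV returned HTTP {e.code}") from e
    except (urllib.error.URLError, TimeoutError, ValueError) as e:
        raise OsvLookupError(f"OSV request failed: {e}") from e

def summarize(body, response):
    """Zip results back onto queries (same order, same length); keep the hits as
    (ecosystem, name, version, [ids]). A CI gate exits 1 when this is non-empty."""
    findings = []
    for q, r in zip(body["queries"], response.get("results", [])):
        ids = [v["id"] for v in r.get("vulns", [])]
        if ids:
            findings.append((q["package"]["ecosystem"], q["package"]["name"], q["version"], ids))
    return findings
```

Run it against a real project by reading the three files into the parsers, passing the dict to build_querybatch and then query_osv; the `opener` parameter exists so the error path can be exercised with a fake that raises, which is what a sandboxed first run of any scanner should check before trusting its "no vulnerabilities" result.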
Install Mechanism
No install spec; this is instruction-only with an included Python script. The script uses only Python stdlib (urllib, json, re, etc.) and does not download or install external binaries or packages.
Credentials
The skill requests no environment variables, credentials, or config paths. Network access to the OSV.dev API is required and is proportionate to the stated purpose.
Persistence & Privilege
always:false is set, and there is no code that modifies the system or other skills' configurations. The skill does not request persistent presence or elevated privileges. Autonomous invocation is allowed by platform default, but that is not a concern here by itself.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install dep-vuln-scanner
  3. After installation, invoke the skill by name or use /dep-vuln-scanner
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of dep-vuln-scanner.
  • Scans npm (package.json), Python/pip (requirements.txt), and Go (go.mod) dependencies for known vulnerabilities via the OSV.dev API.
  • Zero configuration required and no API key needed.
  • Supports color-coded output by severity and includes CVE information.
  • Offers JSON output for CI/CD workflows and ecosystem filtering options.
  • Returns a non-zero exit code if vulnerabilities are found, aiding automated checks.
Metadata
Slug dep-vuln-scanner
Version 1.0.0
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Dep Vuln Scanner?

Scan project dependencies for known security vulnerabilities using the OSV.dev API. Supports npm (package.json), Python/pip (requirements.txt), and Go (go.mo... It is an AI Agent Skill for Claude Code / OpenClaw, with 218 downloads so far.

How do I install Dep Vuln Scanner?

Run "/install dep-vuln-scanner" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Dep Vuln Scanner free?

Yes, Dep Vuln Scanner is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Dep Vuln Scanner support?

Dep Vuln Scanner is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Dep Vuln Scanner?

It is built and maintained by John Wang (@johnnywang2001); the current version is v1.0.0.
