Downloads: 257
Stars: 0
Active Installs: 1
Versions: 2
Install in OpenClaw
/install dependency-tracker
Description
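Weekly dependency check. Checks whether updates are available for Node.js, npm, and globally installed packages. Trigger: cron scheduled task or manual invocation.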
README (SKILL.md)
Dependency Tracker
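Checks project dependencies for updates every week to ensure security and compatibility.
Core workflow
- Read references/spec.md for the detailed specification
- Check the Node.js version
- Check the npm version
- Check globally installed packages
- Run npm outdated to find packages with available updates
- Generate the report and send it
Trigger
- cron scheduled task (weekly recommended)
- When the user explicitly requests it
Delivery rules (mandatory)
After the report is complete, send it through the message tool.
- Channel: feishu
- Target: <Feishu group ID or user ID>
If the report exceeds 3800 characters, split it into multiple messages. Each message must be semantically complete (do not break URLs or formatting). If sending fails, retry once. If it still fails, output the error; never exit silently.
Output
- Report location: data/exec-logs/dependency-tracker/YYYY-MM-DD.md
- Message pushed to the Feishu group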
Usage Guidance
This skill otherwise looks coherent for a dependency-checker, but it requires sending reports to Feishu while declaring no credentials or webhook. Before installing:
1) Confirm how messages will be sent — does your agent already have Feishu integration or will you need to provide a FEISHU_WEBHOOK / FEISHU_TOKEN? The skill should explicitly declare required env vars.
2) Verify you are comfortable with the skill running shell commands (node -v, npm -v, npm list -g, npm outdated) on the host and writing files to data/exec-logs; listing global packages can reveal installed packages.
3) Ask the publisher to clarify the exact delivery mechanism and to add explicit environment variable requirements and error-handling behavior.
4) If you want to limit risk, run the skill in a restricted environment (container or dedicated CI runner) and do not enable it for autonomous runs until you confirm the messaging credentials and delivery implementation. If the agent will use shared Feishu credentials, consider creating a dedicated Feishu webhook/account with limited scope.
Capability Analysis
Type: OpenClaw Skill
Name: dependency-tracker
Version: 1.0.1
The skill utilizes shell commands (e.g., `npm list -g`, `npm outdated`) to collect system environment data and instructs the agent to transmit this information to an external Feishu (Lark) endpoint. While these actions are consistent with the stated purpose of a 'Dependency Tracker' and the commands themselves are non-malicious, the combination of shell execution and network-based data exfiltration of system metadata meets the threshold for a suspicious classification under the provided security criteria (SKILL.md, references/spec.md).
Capability Assessment
Purpose & Capability
The stated purpose (weekly checks of Node.js/npm and global packages) aligns with the listed commands in references/spec.md (node -v, npm -v, npm list -g, npm outdated). However the SKILL.md requires delivering the report to a Feishu channel/ID even though the skill declares no credentials, webhook, or messaging dependency — that delivery requirement is out of band with the declared requirements.
Instruction Scope
Instructions are concrete and scoped to running local shell commands and writing a Markdown report under data/exec-logs/*. The skill reads the included references/spec.md (present). The only out-of-scope element is the unspecified report delivery step: it mandates sending to Feishu but provides no delivery method, tokens, or API endpoints. The skill also requires listing globally installed packages (npm list -g), which legitimately reveals installed package names/versions and could leak environment details.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be written or executed by an install step. That is proportionate to the described functionality.
Credentials
The SKILL.md explicitly requires sending messages to Feishu (channel + target ID) but the skill metadata lists no required environment variables or credentials. Either the skill assumes the agent already has Feishu integration (possible) or it silently expects credentials to be supplied elsewhere. This mismatch is a security and operational concern. Additionally, the skill reads/writes local files and lists global npm packages — those actions can expose system package inventory; users should confirm that is acceptable.
Persistence & Privilege
The skill is not always-enabled and does not request persistent or elevated platform privileges. It writes report files under data/exec-logs/* (its own output path) which is normal for a reporting skill.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install dependency-tracker
- After installation, invoke the skill by name or use /dependency-tracker
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
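- Updated the description of the Feishu message push target; it now uses the `<Feishu group ID or user ID>` placeholder to make the skill more general.
- Removed the specific ID from the report push target so the skill can be reused across environments.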
v1.0.0
Initial release of dependency-tracker.
- Weekly checks for updates to Node.js, npm, and globally installed packages.
- Runs npm outdated to identify project dependencies needing updates.
- Generates a detailed report saved to data/exec-logs/dependency-tracker/YYYY-MM-DD.md.
- Sends the report to a specified Feishu group, splitting into multiple messages if needed and retrying on failure.
Frequently Asked Questions
What is Dependency Tracker?
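Weekly dependency check. Checks whether updates are available for Node.js, npm, and globally installed packages. Trigger: cron scheduled task or manual invocation. It is an AI Agent Skill for Claude Code / OpenClaw, with 257 downloads so far.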
How do I install Dependency Tracker?
Run "/install dependency-tracker" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Dependency Tracker free?
Yes, Dependency Tracker is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Dependency Tracker support?
Dependency Tracker is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Dependency Tracker?
It is built and maintained by AxelHu (@axelhu); the current version is v1.0.1.