Sbom Generator
by charlie-morrison · GitHub ↗ · v1.0.0 · MIT-0
45 Downloads · 0 Stars · 0 Active Installs · 1 Version
Install in OpenClaw: /install sbom-generator
Description
Generate Software Bill of Materials (SBOM) in CycloneDX or SPDX format — inventory all dependencies, licenses, vulnerabilities, and supply chain metadata. Re...
Usage Guidance
This skill appears to implement an SBOM generator and inspects repository lockfiles and manifests, which is expected. However:
- The SKILL.md relies on local tools (python3, npm, npm audit, and possibly go/cargo/maven/gradle) but the skill metadata lists no required binaries — ask the publisher to declare required tooling.
- npm audit and similar vulnerability checks may perform network calls to vendor advisory services; run the tool in an environment where network access is acceptable and you trust those services.
- The SKILL.md you provided is truncated at the vulnerability section; request the full SKILL.md and verify there are no steps that read unrelated system files or send data to external endpoints.
- Best practice: run this in a sandbox or on a copy of the repository (read-only when possible), verify it doesn’t require elevated privileges, and ensure necessary tools are installed from trusted sources before invoking.
If the publisher updates the metadata to list the required binaries and clarifies network usage (and you confirm the rest of the instructions are benign), this would reduce the remaining concerns.
Capability Analysis
Type: OpenClaw Skill
Name: sbom-generator
Version: 1.0.0
The sbom-generator skill is a legitimate tool for creating Software Bill of Materials. It uses standard shell commands and Python scripts to parse local package lock files (e.g., package-lock.json, requirements.txt, go.sum) and integrates with official vulnerability scanners like npm audit and govulncheck. No evidence of data exfiltration, malicious execution, or prompt injection was found.
Capability Assessment
Purpose & Capability
The skill's name and description (SBOM generation in CycloneDX/SPDX) align with the actions in SKILL.md: detecting package managers, parsing lockfiles, license analysis, and vulnerability checks. However, the skill metadata declares no required binaries or credentials while the instructions explicitly rely on local tools (python3, npm, possibly go/cargo, npm audit, etc.). The lack of declared tooling is an incoherence: a legitimate SBOM helper should list the tools it needs.
Instruction Scope
The runtime instructions stay within the expected scope: they inspect project files (package-lock.json, requirements.txt, go.sum, Cargo.lock, etc.), parse them, and run local vulnerability/license checks. I saw no instructions to read unrelated system files, access secrets, or exfiltrate data to third-party endpoints. Note: npm audit will contact the npm advisory service (expected for vulnerability checks). The SKILL.md is truncated at the vulnerability step — the remainder could add behavior not visible here.
Install Mechanism
This is an instruction-only skill with no install spec, so nothing will be written to disk by the skill package itself. That is low-risk. Because there is no install step, the skill depends on the agent environment already having the needed tools — which should have been declared.
Credentials
The skill declares no required environment variables or credentials, which is appropriate for a local SBOM tool. However, it does implicitly require local binaries (python3, npm, possibly Go, Rust, Java tooling) and network access for npm audit. The omission of these requirements is a proportionality/coherence concern: the skill asks the runtime to do work requiring tools and network access that are not declared in metadata.
Persistence & Privilege
The skill does not request always:true or any persistent privileges. It's user-invocable and can be invoked autonomously per platform defaults. Nothing in the visible SKILL.md attempts to modify other skills or global agent config.
How to Use
- Make sure OpenClaw is installed (local or Docker).
- Run the install command in chat: /install sbom-generator
- After installation, invoke the skill by name or use /sbom-generator
- Provide the required inputs per the skill's parameter spec and get structured output.
Version History
v1.0.0
Initial release of sbom-generator.
- Generates Software Bill of Materials (SBOM) in CycloneDX or SPDX formats for compliance and security audits.
- Automatically detects popular package managers for multiple languages (Node.js, Python, Go, Rust, Ruby, PHP, Java, .NET).
- Inventories all dependencies, their versions, licenses, and known vulnerabilities.
- Provides detailed license analysis, including copyleft detection and distribution.
- Offers dedicated commands for CycloneDX, SPDX outputs, and a focused license compliance report.
Frequently Asked Questions
What is Sbom Generator?
Generate Software Bill of Materials (SBOM) in CycloneDX or SPDX format — inventory all dependencies, licenses, vulnerabilities, and supply chain metadata. Re... It is an AI Agent Skill for Claude Code / OpenClaw, with 45 downloads so far.
How do I install Sbom Generator?
Run "/install sbom-generator" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Sbom Generator free?
Yes, Sbom Generator is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Sbom Generator support?
Sbom Generator is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Sbom Generator?
It is built and maintained by charlie-morrison (@charlie-morrison); the current version is v1.0.0.