← Back to Skills Marketplace
85
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install licenseguard
Description
Open source license compliance scanner — catches copyleft, viral, and problematic licenses in your dependencies before they create legal risk
README (SKILL.md)
LicenseGuard -- Open Source License Compliance Scanner
LicenseGuard scans your dependency manifests for copyleft, viral, and problematic open source licenses before they create legal risk. It detects license declarations across 8 package manager ecosystems (npm, Python, Ruby, Go, Java/Kotlin, Rust, PHP, .NET), classifies risk levels from Critical (copyleft/viral) to Low (permissive), and produces compliance reports with compatibility matrices. All scanning happens locally using pattern matching on manifest files and license text -- no code or dependency data is sent externally.
Commands
Free Tier (No license required)
licenseguard scan [file|directory]
One-shot license compliance scan of dependency manifests.
How to execute:
bash "\x3CSKILL_DIR>/scripts/licenseguard.sh" scan [target]
What it does:
- Accepts a file path or directory (defaults to current directory)
- Auto-detects package managers in use (npm, Python, Ruby, Go, Java, Rust, PHP, .NET)
- Finds all dependency manifest files (package.json, go.mod, Cargo.toml, pom.xml, etc.)
- Parses declared licenses from manifests and lock files
- Searches for LICENSE/COPYING/NOTICE files in dependency directories
- Matches SPDX license identifiers and common license text patterns
- Classifies each dependency license by risk level (Critical/High/Medium/Low/Unknown)
- Flags dependencies with NO declared license (unknown risk)
- Flags dual-licensed packages where one option is copyleft
- Calculates a compliance score (0-100)
- Free tier: limited to scanning up to 5 manifest files
- Exit code 0 if score >= 70, exit code 1 if score \x3C 70 or critical issues found
Example usage scenarios:
- "Scan my project for license issues" -> runs
licenseguard scan . - "Check if my dependencies have copyleft licenses" -> runs
licenseguard scan . - "Are my npm packages license-compliant?" -> runs
licenseguard scan package.json - "Audit the licenses in this Go module" -> runs
licenseguard scan go.mod - "What licenses are in my Rust dependencies?" -> runs
licenseguard scan Cargo.toml
Pro Tier ($19/user/month -- requires LICENSEGUARD_LICENSE_KEY)
licenseguard scan [file|directory] (unlimited)
Full license compliance scan with no manifest file limit.
How to execute:
bash "\x3CSKILL_DIR>/scripts/licenseguard.sh" scan [target]
What it does (beyond free):
- Unlimited manifest file scanning
- Deep license text pattern matching (GPL boilerplate, MIT text, Apache notice)
- Dual-license detection and risk assessment
- Detailed remediation advice per finding
licenseguard hooks install
Install git pre-commit hooks that scan dependency manifests for license issues before every commit.
How to execute:
bash "\x3CSKILL_DIR>/scripts/licenseguard.sh" hooks install
What it does:
- Validates Pro+ license
- Copies lefthook config to project root
- Installs lefthook pre-commit hook
- On every commit: scans staged manifest files for license issues, blocks commit if copyleft/viral licenses detected
licenseguard hooks uninstall
Remove LicenseGuard git hooks.
bash "\x3CSKILL_DIR>/scripts/licenseguard.sh" hooks uninstall
licenseguard report [directory]
Generate a full markdown license compliance report.
bash "\x3CSKILL_DIR>/scripts/licenseguard.sh" report [directory]
What it does:
- Validates Pro+ license
- Runs full scan of the directory
- Generates a formatted markdown report with risk breakdown
- Includes per-dependency findings, compliance score, and remediation steps
- Lists all dependencies grouped by risk level
- Output written to LICENSEGUARD-REPORT.md
licenseguard matrix [directory]
Generate a license compatibility matrix.
bash "\x3CSKILL_DIR>/scripts/licenseguard.sh" matrix [directory]
What it does:
- Validates Pro+ license
- Discovers all unique licenses in the project dependencies
- Produces a compatibility matrix showing which licenses can be combined
- Flags incompatible license combinations (e.g., GPL + proprietary)
- Helps with license selection for your own project
Team Tier ($39/user/month -- requires LICENSEGUARD_LICENSE_KEY with team tier)
licenseguard policy [directory]
Enforce an approved license list.
bash "\x3CSKILL_DIR>/scripts/licenseguard.sh" policy [directory]
What it does:
- Validates Team+ license
- Loads approved license list from ~/.openclaw/openclaw.json (licenseguard.config.approvedLicenses)
- Scans all dependencies and flags any using a license NOT on the approved list
- Produces a pass/fail report for CI/CD gating
- Exit code 0 if all dependencies use approved licenses, 1 otherwise
licenseguard sbom [directory]
Generate a Software Bill of Materials (SBOM).
bash "\x3CSKILL_DIR>/scripts/licenseguard.sh" sbom [directory]
What it does:
- Validates Team+ license
- Discovers all dependencies across all package managers
- Generates a CycloneDX-like SBOM in JSON and markdown formats
- Includes: package name, version, license, risk level, source URL
- Suitable for compliance audits, supply chain security, and regulatory requirements
- Output written to LICENSEGUARD-SBOM.json and LICENSEGUARD-SBOM.md
License Risk Categories
LicenseGuard classifies open source licenses into five risk levels:
| Risk Level | Licenses | Impact |
|---|---|---|
| Critical (Copyleft/Viral) | GPL-2.0, GPL-3.0, AGPL-3.0, SSPL, EUPL | Must open-source your code |
| High (Weak Copyleft) | LGPL-2.1, LGPL-3.0, MPL-2.0, EPL-2.0, CDDL | Must share modifications to the library |
| Medium (Notice Required) | Apache-2.0, BSD-2-Clause, BSD-3-Clause, MIT, ISC | Must include license notice |
| Low (Permissive) | Unlicense, CC0, WTFPL, 0BSD | Minimal restrictions |
| Unknown | NOASSERTION, Custom, Missing | Cannot determine risk -- review manually |
Supported Package Managers
| Ecosystem | Manifest Files | Lock Files |
|---|---|---|
| npm | package.json | package-lock.json, yarn.lock |
| Python | requirements.txt, Pipfile, pyproject.toml, setup.py, setup.cfg | Pipfile.lock |
| Ruby | Gemfile | Gemfile.lock |
| Go | go.mod | go.sum |
| Java/Kotlin | pom.xml, build.gradle, build.gradle.kts | - |
| Rust | Cargo.toml | Cargo.lock |
| PHP | composer.json | composer.lock |
| .NET | *.csproj, packages.config | *.sln |
Detection Methods
- Manifest parsing -- Extract declared licenses from package manager files
- License file scanning -- Search for LICENSE, COPYING, NOTICE files in dependency directories
- SPDX matching -- Match SPDX license identifiers (MIT, Apache-2.0, GPL-3.0-only, etc.)
- Text pattern matching -- Detect common license boilerplate (GPL preamble, MIT text, Apache notice)
- Missing license detection -- Flag dependencies with no license declaration
- Dual-license detection -- Identify packages offering multiple license options (OR expressions)
Configuration
Users can configure LicenseGuard in ~/.openclaw/openclaw.json:
{
"skills": {
"entries": {
"licenseguard": {
"enabled": true,
"apiKey": "YOUR_LICENSE_KEY_HERE",
"config": {
"riskThreshold": "high",
"approvedLicenses": ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"],
"excludePackages": [],
"excludePatterns": ["**/node_modules/**", "**/vendor/**"],
"reportFormat": "markdown"
}
}
}
}
}
Important Notes
- Free tier works immediately with no configuration (limited to 5 manifest files)
- All scanning happens locally -- no code or dependency data is sent to external servers
- License validation is offline -- no phone-home or network calls
- Zero telemetry -- no usage data, analytics, or tracking
- Pattern matching on manifests + license files, no network calls during scanning
- Git hooks use lefthook which must be installed (see install metadata above)
- Exit codes: 0 = compliant (score >= 70), 1 = issues found (for CI/CD integration)
- Compliance score calculation: starts at 100, deducts points per risk level (Critical: -15, High: -10, Medium: -3, Unknown: -8)
Error Handling
- If lefthook is not installed and user tries
hooks install, prompt to install it - If license key is invalid or expired, show clear message with link to https://licenseguard.pages.dev/renew
- If a manifest file cannot be parsed, warn and continue with other files
- If no manifest files found in target, report clean scan with info message
- If package manager is not recognized, skip with a warning
When to Use LicenseGuard
The user might say things like:
- "Scan for license issues in my dependencies"
- "Check if any of my packages use GPL"
- "Are my npm dependencies license-compliant?"
- "Find copyleft licenses in this project"
- "Generate a license compliance report"
- "Set up license checking on my commits"
- "Create an SBOM for this project"
- "What licenses are my Go dependencies using?"
- "Check license compatibility"
- "Enforce our approved license list"
- "Are there any viral licenses in my Rust crates?"
- "Scan my Python requirements for problematic licenses"
Usage Guidance
LicenseGuard is a local, shell-script-based scanner that appears consistent with its description. Before installing: 1) Know that Pro/Team features require you to provide LICENSEGUARD_LICENSE_KEY (or put apiKey in ~/.openclaw/openclaw.json). 2) The optional hooks install will copy a lefthook config into your repo and run lefthook install — review lefthook.yml before committing. 3) The pre-commit hook sources scripts from $HOME/.openclaw/skills/licenseguard when running, so ensure that directory is trusted and not writable by untrusted users. 4) Scans traverse the provided directory with find (can read many files under the target); avoid running against / or other sensitive roots. 5) There are no obvious network exfiltration calls in the scripts (license validation is JWT-decoded locally), but you should still review the shipped scripts if you have sensitive environment constraints. Overall the package is coherent for its purpose.
Capability Analysis
Type: OpenClaw Skill
Name: licenseguard
Version: 1.0.0
The licenseguard skill is a legitimate utility designed to scan project dependencies for license compliance across eight major ecosystems (npm, Python, Go, Rust, etc.). It operates entirely locally by parsing manifest files and matching license declarations against a comprehensive set of SPDX identifiers and regex patterns defined in scripts/patterns.sh. The skill provides features for generating compliance reports, SBOMs, and installing git pre-commit hooks using the third-party tool 'lefthook'. No evidence of data exfiltration, malicious execution, or unauthorized network activity was found; the code logic is transparent and aligns with the stated purpose of identifying legal risks in open-source dependencies.
Capability Tags
Capability Assessment
Purpose & Capability
Name/description match the implementation: shell scripts parse manifests and license files across multiple ecosystems, classify risk, and offer hook/report/policy/sbom features. Required binaries (git, bash) and the optional lefthook install are appropriate for the stated functionality.
Instruction Scope
Runtime instructions and scripts operate locally and only reference manifest files, license files, and the user's repo. The scanner can walk directories (using find) and will read many files under a provided target directory — expected for this tool but worth noting (scanning '/' would traverse many paths). The hooks install sources analyzer.sh from $HOME/.openclaw/skills/licenseguard, which means the hook executes code from that skill directory on every commit.
Install Mechanism
Install spec only recommends installing the public 'lefthook' brew formula (used for optional pre-commit hooks). No remote arbitrary archive downloads or unusual install locations are used. The skill files themselves are included with the package (shell scripts).
Credentials
Primary credential LICENSEGUARD_LICENSE_KEY is declared and used to unlock Pro/Team features — this is reasonable. The scripts also read ~/.openclaw/openclaw.json for apiKey/config (used by policy feature); that config path is referenced in SKILL.md and code but was not declared in the registry's required config paths. The scripts attempt to use python/node/jq if available to parse configs, but do not require them.
Persistence & Privilege
always is false and model invocation is not disabled. The skill installs a lefthook pre-commit hook into a repository when explicitly requested; this modifies repository-level files (lefthook.yml) as expected for a hooks tool. It does not modify other skills or global agent settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install licenseguard - After installation, invoke the skill by name or use
/licenseguard - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of LicenseGuard – an open source license compliance scanner.
- Scans dependencies for copyleft, viral, and problematic licenses across 8 package manager ecosystems.
- Reports license risk levels (Critical/High/Medium/Low/Unknown) and calculates a compliance score.
- Enforces approved license lists and blocks commits with high-risk licenses (Pro/Team features).
- Generates compliance reports, compatibility matrices, and SBOMs for audit and security.
- All scans run locally; no external data is sent.
Metadata
Frequently Asked Questions
What is licenseguard?
Open source license compliance scanner — catches copyleft, viral, and problematic licenses in your dependencies before they create legal risk. It is an AI Agent Skill for Claude Code / OpenClaw, with 85 downloads so far.
How do I install licenseguard?
Run "/install licenseguard" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is licenseguard free?
Yes, licenseguard is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does licenseguard support?
licenseguard is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux, win32).
Who created licenseguard?
It is built and maintained by suhteevah (@suhteevah); the current version is v1.0.0.
More Skills