← Back to Skills Marketplace
Dependency Health Check
by
charlie-morrison
· GitHub ↗
· v1.0.0
· MIT-0
48
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install dependency-health-check
Description
Multi-ecosystem dependency audit — find outdated, vulnerable, unused, and license-incompatible packages across npm, pip, cargo, go, and composer. Use when as...
README (SKILL.md)
Dependency Health Check
Audit project dependencies across ecosystems for security, freshness, license compliance, and unused bloat. Produces a prioritized upgrade plan with risk assessment.
Use when: "check our dependencies", "are we up to date", "audit packages", "plan an upgrade", "find unused deps".
Step 1 — Detect Ecosystem
# Auto-detect package managers
ls package.json package-lock.json yarn.lock pnpm-lock.yaml 2>/dev/null # Node.js
ls requirements.txt Pipfile pyproject.toml setup.py 2>/dev/null # Python
ls Cargo.toml Cargo.lock 2>/dev/null # Rust
ls go.mod go.sum 2>/dev/null # Go
ls composer.json composer.lock 2>/dev/null # PHP
ls Gemfile Gemfile.lock 2>/dev/null # Ruby
Step 2 — Outdated Packages
Node.js
npm outdated --json 2>/dev/null | jq 'to_entries[] | {name: .key, current: .value.current, wanted: .value.wanted, latest: .value.latest}'
# or
yarn outdated --json 2>/dev/null
pnpm outdated --format json 2>/dev/null
Python
pip list --outdated --format json 2>/dev/null | jq '.[] | {name, version, latest_version}'
# or with pip-audit
pip-audit --format json 2>/dev/null
Rust
cargo outdated -R --format json 2>/dev/null
Go
go list -u -m -json all 2>/dev/null | jq 'select(.Update) | {Path, Version, Update: .Update.Version}'
PHP
composer outdated --format json 2>/dev/null
Step 3 — Vulnerability Scan
# Node.js
npm audit --json 2>/dev/null | jq '.vulnerabilities | to_entries[] | {name: .key, severity: .value.severity, fixAvailable: .value.fixAvailable}'
# Python
pip-audit --format json 2>/dev/null
# or
safety check --json 2>/dev/null
# Rust
cargo audit --json 2>/dev/null
# Go
govulncheck ./... 2>/dev/null
# Universal (if installed)
trivy fs --format json --scanners vuln . 2>/dev/null | jq '.Results[].Vulnerabilities[]? | {PkgName, Severity, Title}'
Step 4 — Unused Dependencies
Node.js
# depcheck finds unused deps
npx depcheck --json 2>/dev/null | jq '{unused: .dependencies, devUnused: .devDependencies, missing: .missing}'
Python
# Check imports vs requirements
pip install pipreqs 2>/dev/null
pipreqs . --print 2>/dev/null > /tmp/actual-imports.txt
diff \x3C(sort requirements.txt | sed 's/[>=\x3C].*//' | tr '[:upper:]' '[:lower:]') \
\x3C(sort /tmp/actual-imports.txt | sed 's/[>=\x3C].*//' | tr '[:upper:]' '[:lower:]')
Rust
cargo udeps 2>/dev/null # requires nightly
Step 5 — License Audit
# Node.js
npx license-checker --json 2>/dev/null | jq 'to_entries[] | {pkg: .key, license: .value.licenses}' | head -40
# Python
pip-licenses --format json 2>/dev/null | jq '.[] | {Name, License}'
# Universal
trivy fs --format json --scanners license . 2>/dev/null
Flag: GPL in MIT projects, AGPL in SaaS, unknown/unlicensed packages, dual-license packages.
Step 6 — Risk Assessment
For each outdated dependency, evaluate:
- Severity: critical (known CVE) > high (>2 major versions behind) > medium (minor behind) > low (patch behind)
- Breaking changes: check the changelog/release notes for breaking changes between current and latest
- Usage frequency: grep for imports — a heavily-used dep is riskier to upgrade
- Test coverage: if the dep's area has good tests, the upgrade is safer
Output Template
# Dependency Health Report
**Project:** [name]
**Scanned:** [date]
**Ecosystems:** Node.js, Python, etc.
## Summary
- Total dependencies: X
- Outdated: X (Y critical, Z major behind)
- Vulnerabilities: X (Y critical, Z high)
- Unused: X (safe to remove)
- License issues: X
## Critical (fix now)
| Package | Current | Latest | Issue | Risk |
|---------|---------|--------|-------|------|
| lodash | 4.17.20 | 4.17.21 | CVE-2021-23337 (prototype pollution) | High — used in 47 files |
## Recommended Upgrades (this sprint)
| Package | Current | Latest | Breaking Changes | Effort |
|---------|---------|--------|-----------------|--------|
| react | 17.0.2 | 18.3.1 | Yes — concurrent mode, new root API | 2-4 hours |
## Safe Quick Wins (patch updates)
Packages that can be bumped with minimal risk:
- `axios`: 1.6.0 → 1.7.2 (bug fixes only)
- `dotenv`: 16.3.1 → 16.4.5 (no breaking changes)
## Unused (remove)
- `moment` — imported nowhere, replaced by date-fns
- `@types/express` — no Express code found
## License Flags
- `[email protected]`: GPL-3.0 in MIT project — review compatibility
Upgrade Workflow
After the audit:
- Fix critical vulnerabilities first (
npm audit fix,pip-audit --fix) - Remove unused dependencies
- Batch patch updates into one PR
- Plan major upgrades individually with dedicated PRs
- Run tests after each upgrade batch
Notes
- Always run the project's test suite after upgrades
- For monorepos, audit each workspace separately
npm audit fix --forcecan introduce breaking changes — prefer targeted fixes- Check
CHANGELOG.mdor GitHub releases for each major version jump
Usage Guidance
This skill appears to do what it says (a multi-ecosystem dependency audit), but it expects the agent to run many CLI tools and to install or invoke third-party packages (via pip, npx, etc.) at runtime — behavior that can execute code fetched from the network and modify the runtime environment. Before installing or running this skill: (1) require the author to list required binaries/tools in metadata; (2) run audits in an isolated environment (container/VM/CI job) or a Python venv and avoid global installs; (3) inspect/approve any commands that will run package-manager installs (npx/pip) or scanners that pull remote data; (4) prefer running these steps manually or with explicit confirmation prompts rather than giving the skill autonomous execution permission. If you need higher assurance, ask the publisher for a version that vendors the audit tools or documents exact network interactions and install behavior.
Capability Analysis
Type: OpenClaw Skill
Name: dependency-health-check
Version: 1.0.0
The dependency-health-check skill is a legitimate utility for auditing project dependencies across multiple ecosystems (Node.js, Python, Rust, Go, PHP). It uses standard industry tools such as npm audit, pip-audit, cargo audit, and trivy to identify vulnerabilities, outdated packages, and license compliance issues. The instructions in SKILL.md are transparent, align perfectly with the stated purpose, and contain no evidence of data exfiltration, persistence mechanisms, or malicious command execution.
Capability Assessment
Purpose & Capability
The SKILL.md implements a multi-ecosystem dependency audit (npm, pip, cargo, go, composer, etc.), which matches the name/description. However, the metadata declares no required binaries or credentials even though the instructions rely heavily on many CLI tools (npm, yarn/pnpm, pip, pip-audit, cargo, cargo-audit, go, composer, npx, jq, trivy, govulncheck, depcheck, pipreqs, pip-licenses, etc.). The omission of required-binaries in metadata is an inconsistency and reduces transparency.
Instruction Scope
Runtime instructions tell the agent to run many shell commands that read the repo tree (expected) but also to install and invoke third-party tooling (e.g., 'pip install pipreqs', 'npx depcheck', 'npx license-checker', trivy, govulncheck). Those commands will fetch and execute code from package registries / networks and can modify the runtime environment (global Python packages, npx temporary installs). The instructions also include writes to /tmp and use bash-specific features. While these actions are typical for an audit, they broaden the blast radius and should be explicitly declared and sandboxed.
Install Mechanism
There is no install spec (instruction-only), which minimizes permanent additions to disk. However, the instructions rely on on-demand installs via language package managers (pip, npx) and external scanners (trivy, govulncheck) that will fetch code from the network. This transient install/exec behavior is normal for such a tool but carries higher risk than pure read-only auditing.
Credentials
The skill does not request any environment variables, credentials, or config paths. It reads project files (package manifests) which is appropriate for an audit. No unrelated secrets are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges in metadata. It does not declare modifying other skills or global agent settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install dependency-health-check - After installation, invoke the skill by name or use
/dependency-health-check - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: multi-ecosystem dependency audit for outdated, vulnerable, unused, and license-incompatible packages
Metadata
Frequently Asked Questions
What is Dependency Health Check?
Multi-ecosystem dependency audit — find outdated, vulnerable, unused, and license-incompatible packages across npm, pip, cargo, go, and composer. Use when as... It is an AI Agent Skill for Claude Code / OpenClaw, with 48 downloads so far.
How do I install Dependency Health Check?
Run "/install dependency-health-check" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Dependency Health Check free?
Yes, Dependency Health Check is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Dependency Health Check support?
Dependency Health Check is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Dependency Health Check?
It is built and maintained by charlie-morrison (@charlie-morrison); the current version is v1.0.0.
More Skills