DepGuard

by suhteevah · GitHub ↗ · v1.0.1
Platforms: darwin, linux, win32 · ✓ Security Clean
747 downloads · 0 stars · 2 active installs · 2 versions
Install in OpenClaw: /install depguard
Description
Scan project dependencies for vulnerabilities, license compliance, and generate security or compliance reports using native package manager audits.
README (SKILL.md)

DepGuard — Dependency Audit & License Compliance

DepGuard scans your project dependencies for known vulnerabilities, license violations, and outdated packages. It uses native package manager audit tools (npm audit, pip-audit, cargo-audit, etc.) and enriches results with license analysis and risk scoring.

Commands

Free Tier (No license required)

depguard scan [directory]

One-shot vulnerability and license scan of your project dependencies.

How to execute:

bash "<SKILL_DIR>/scripts/depguard.sh" scan [directory]

What it does:

  1. Detects package manager (npm, yarn, pnpm, pip, cargo, go, composer, bundler, maven, gradle)
  2. Runs native audit commands (npm audit, pip-audit, cargo audit, etc.)
  3. Parses dependency manifests for license information
  4. Generates a security report with severity levels
  5. Lists packages with problematic or unknown licenses
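
Steps 1 and 2 (detect the manager, pick the native audit) as an added example written for this page, not code from depguard.sh: it walks a checkout, maps each lockfile or manifest to the native audit command named on this page, keeps one audit per ecosystem per directory (so a root holding both pnpm-lock.yaml and package-lock.json is audited once, with pnpm), skips vendored trees so a copy of someone else's package-lock.json under node_modules is not double-counted, and flags commands whose tool is not on PATH, which is the case where the README says DepGuard falls back to manifest parsing. The skip list, the precedence order and the `make_sample_repo` layout are assumptions for the demonstration; the Maven goal and Gradle task are the OWASP dependency-check plugin's names.

```python
"""Added example: detect the package manager per workspace and pick the native audit.

Illustrative code for this page, not DepGuard's own depguard.sh. The command strings
are the native tools named on this page; SKIP_DIRS and the precedence order are
assumptions for the demonstration.
"""
import os
import shutil
import tempfile

# (ecosystem, lockfile or manifest, manager, native audit command). Order is precedence
# inside one directory: the first match per ecosystem wins, so a directory holding both
# pnpm-lock.yaml and package-lock.json is audited once, with pnpm.
DETECTORS = [
    ("node", "pnpm-lock.yaml", "pnpm", "pnpm audit --json"),
    ("node", "yarn.lock", "yarn", "yarn audit --json"),
    ("node", "package-lock.json", "npm", "npm audit --json"),
    ("python", "Pipfile.lock", "pip", "pip-audit -f json"),  # audits the active environment
    ("python", "requirements.txt", "pip", "pip-audit -r requirements.txt -f json"),
    ("rust", "Cargo.lock", "cargo", "cargo audit --json"),
    ("go", "go.sum", "go", "govulncheck -json ./..."),
    ("php", "composer.lock", "composer", "composer audit --format=json"),
    ("ruby", "Gemfile.lock", "bundler", "bundle audit check"),
    ("jvm", "pom.xml", "maven", "mvn org.owasp:dependency-check-maven:check"),
    ("jvm", "build.gradle", "gradle", "gradle dependencyCheckAnalyze"),
    ("jvm", "build.gradle.kts", "gradle", "gradle dependencyCheckAnalyze"),
]

# Vendored or generated trees carry copies of other projects' manifests; auditing them
# would double-count findings or scan third-party code. (Assumed list; tune per repo.)
SKIP_DIRS = {".git", "node_modules", "vendor", "target", "build", "dist", ".venv", "venv"}


def detect(root):
    """Return sorted (relative_dir, manager, command, tool_on_path) tuples, one per
    ecosystem per directory, descending into workspaces so a monorepo gets one audit
    per package. tool_on_path=False is the signal to fall back to manifest-only parsing."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        names, seen = set(filenames), set()
        for ecosystem, lockfile, manager, cmd in DETECTORS:
            if lockfile in names and ecosystem not in seen:
                seen.add(ecosystem)
                rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
                found.append((rel, manager, cmd, shutil.which(cmd.split()[0]) is not None))
    return sorted(found)


def make_sample_repo():
    """Constructed monorepo layout for this example; the files are empty placeholders."""
    root = tempfile.mkdtemp(prefix="depguard-example-")
    for rel in ("package-lock.json", "pnpm-lock.yaml",            # pnpm wins at the root
                "packages/api/Cargo.lock", "packages/web/requirements.txt",
                "node_modules/stale/package-lock.json"):          # vendored copy: skipped
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    for rel, manager, cmd, on_path in detect(make_sample_repo()):
        note = "" if on_path else "  (tool not on PATH: manifest-only fallback)"
        print(f"{rel:20} {manager:8} {cmd}{note}")
```

Whether a given audit tool is on PATH depends on the machine, so the fourth field is informational here; a real scanner would branch on it to the manifest-only path instead of letting the native command fail.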

Example usage scenarios:

  • "Scan my dependencies for vulnerabilities" → runs depguard scan .
  • "Check the licenses of my node modules" → runs depguard scan . --licenses-only
  • "Are any of my packages insecure?" → runs depguard scan

depguard report [directory]

Generate a formatted dependency health report in markdown.

bash "<SKILL_DIR>/scripts/depguard.sh" report [directory]

Pro Tier ($19/user/month — requires DEPGUARD_LICENSE_KEY)

depguard hooks install

Install git hooks that scan dependencies on every commit that modifies lockfiles.

bash "<SKILL_DIR>/scripts/depguard.sh" hooks install

What it does:

  1. Validates Pro+ license
  2. Installs lefthook pre-commit hook targeting lockfile changes
  3. On every commit that modifies package-lock.json, yarn.lock, Cargo.lock, etc.: runs vulnerability scan, blocks commit if critical/high vulns found

depguard hooks uninstall

Remove DepGuard git hooks.

bash "<SKILL_DIR>/scripts/depguard.sh" hooks uninstall

depguard watch [directory]

Continuous monitoring — re-scans on any lockfile change.

bash "<SKILL_DIR>/scripts/depguard.sh" watch [directory]

depguard fix [directory]

Auto-fix vulnerabilities by upgrading to patched versions where available.

bash "<SKILL_DIR>/scripts/depguard.sh" fix [directory]

Team Tier ($39/user/month — requires DEPGUARD_LICENSE_KEY with team tier)

depguard policy [directory]

Enforce a dependency policy: block specific licenses, require minimum versions, deny specific packages.

bash "<SKILL_DIR>/scripts/depguard.sh" policy [directory]

depguard sbom [directory]

Generate a Software Bill of Materials (SBOM) in CycloneDX or SPDX format.

bash "<SKILL_DIR>/scripts/depguard.sh" sbom [directory]
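
What an SBOM generator has to do for one ecosystem, as an added example (illustrative code for this page, not DepGuard's sbom command, and npm-only): read a lockfileVersion 3 package-lock.json, give every installed package a purl and a bom-ref, carry the registry tarball's SRI integrity over as a CycloneDX hash so a consumer can match the artifact that was actually served, record licenses, and rebuild the dependency graph by resolving each dependency through the nested node_modules layout. The lockfile, package names and registry URL are constructed; the integrity values are the SRI hashes of an empty file so the conversion is checkable.

```python
"""Added example: emit a CycloneDX 1.5 JSON SBOM from an npm package-lock.json (v3).

Illustrative code for this page, not DepGuard's `sbom` implementation; npm only.
SAMPLE_LOCK is constructed: placeholder names, an example.invalid registry, and
integrity values that are the SRI hashes of an empty file.
"""
import base64
import json

SAMPLE_LOCK = json.loads("""{
  "name": "sample-app", "version": "1.0.0", "lockfileVersion": 3,
  "packages": {
    "": {"name": "sample-app", "version": "1.0.0", "dependencies": {"sample-lib": "^2.0.0"}},
    "node_modules/sample-lib": {"version": "2.1.0", "license": "MIT",
      "resolved": "https://registry.example.invalid/sample-lib/-/sample-lib-2.1.0.tgz",
      "integrity": "sha512-z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==",
      "dependencies": {"@sample/util": "^1.0.0"}},
    "node_modules/@sample/util": {"version": "1.0.3", "license": "MIT OR Apache-2.0",
      "resolved": "https://registry.example.invalid/@sample/util/-/util-1.0.3.tgz",
      "integrity": "sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="}
  }
}""")

SRI_TO_CDX = {"sha256": "SHA-256", "sha384": "SHA-384", "sha512": "SHA-512"}


def purl(name, version):
    """Package URL for npm; a scope becomes the namespace with '@' percent-encoded."""
    if name.startswith("@"):
        scope, _, base = name[1:].partition("/")
        return f"pkg:npm/%40{scope}/{base}@{version}"
    return f"pkg:npm/{name}@{version}"


def sri_to_hash(integrity):
    """'sha512-<base64>' (Subresource Integrity) -> CycloneDX hash object with hex content."""
    alg, _, b64 = integrity.partition("-")
    return {"alg": SRI_TO_CDX[alg], "content": base64.b64decode(b64).hex()}


def pkg_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return path.rsplit("node_modules/", 1)[1]


def resolve(packages, from_path, dep):
    """Path of the installed copy that `dep` resolves to from `from_path`, climbing the
    node_modules tree the way Node's resolver does (nearest nested copy first, then up)."""
    base = from_path
    while True:
        cand = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if cand in packages:
            return cand
        if not base:
            return None
        base = base[:base.rfind("node_modules/")].rstrip("/")


def build_sbom(lock):
    packages = lock["packages"]
    root = packages[""]
    refs = {p: purl(pkg_name(p), e["version"]) for p, e in packages.items() if p}
    refs[""] = purl(root["name"], root["version"])
    components, dependencies = [], []
    for path, entry in packages.items():
        if path:
            comp = {"type": "library", "name": pkg_name(path), "version": entry["version"],
                    "purl": refs[path], "bom-ref": refs[path]}
            lic = entry.get("license")
            if lic:  # compound SPDX expressions use `expression`, a single id uses `license.id`
                comp["licenses"] = [{"expression": lic} if " " in lic else {"license": {"id": lic}}]
            if entry.get("integrity"):
                comp["hashes"] = [sri_to_hash(entry["integrity"])]
            if entry.get("resolved"):
                comp["externalReferences"] = [{"type": "distribution", "url": entry["resolved"]}]
            components.append(comp)
        targets = (resolve(packages, path, d) for d in entry.get("dependencies", {}))
        dependencies.append({"ref": refs[path],
                             "dependsOn": sorted(refs[t] for t in targets if t is not None)})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "metadata": {"component": {"type": "application", "name": root["name"],
                                       "version": root["version"], "bom-ref": refs[""]}},
            "components": components, "dependencies": dependencies}


if __name__ == "__main__":
    print(json.dumps(build_sbom(SAMPLE_LOCK), indent=2))
```

Dev-only packages carry `"dev": true` in the lockfile and can be filtered before emission; the dependencies section is what lets a consumer distinguish a direct dependency from a transitive one when an advisory lands on a deep package.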

depguard compliance [directory]

Generate a compliance report for auditors — maps licenses to categories (permissive, copyleft, proprietary, unknown).

bash "<SKILL_DIR>/scripts/depguard.sh" compliance [directory]

Supported Package Managers

| Manager  | Lockfile / manifest                     | Audit tool                                                          |
|----------|-----------------------------------------|---------------------------------------------------------------------|
| npm      | package-lock.json                       | npm audit                                                           |
| yarn     | yarn.lock                               | yarn audit                                                          |
| pnpm     | pnpm-lock.yaml                          | pnpm audit                                                          |
| pip      | requirements.txt / Pipfile.lock         | pip-audit / safety                                                  |
| cargo    | Cargo.lock                              | cargo audit                                                         |
| go       | go.sum                                  | govulncheck                                                         |
| composer | composer.lock                           | composer audit                                                      |
| bundler  | Gemfile.lock                            | bundle audit                                                        |
| maven    | pom.xml (manifest, not a lockfile)      | mvn org.owasp:dependency-check-maven:check (OWASP dependency-check) |
| gradle   | build.gradle (manifest, not a lockfile) | gradle dependencyCheckAnalyze (OWASP dependency-check plugin)       |

Configuration

Add to ~/.openclaw/openclaw.json:

{
  "skills": {
    "entries": {
      "depguard": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY",
        "config": {
          "severityThreshold": "high",
          "blockedLicenses": ["GPL-3.0", "AGPL-3.0"],
          "allowedLicenses": ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"],
          "ignoredVulnerabilities": [],
          "autoFix": false,
          "sbomFormat": "cyclonedx"
        }
      }
    }
  }
}
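
The three config keys that drive gating (severityThreshold, ignoredVulnerabilities, and blockedLicenses/allowedLicenses), applied to npm audit output, as an added example: this is illustrative code for this page, not the skill's scripts. It is the same decision the Pro-tier pre-commit hook needs (block the commit on critical/high findings) and the license part of the Team-tier policy command. It assumes ignoredVulnerabilities holds advisory URLs or IDs as npm audit prints them and that license fields are SPDX expressions; the audit report, license map, package names and advisory URLs are constructed placeholders.

```python
"""Added example: apply DepGuard-style config to npm audit output and package licences.

Illustrative code for this page, not the skill's own scripts. Assumptions: entries in
`ignoredVulnerabilities` are advisory URLs/IDs as emitted by npm audit, and licence
fields are SPDX expressions. SAMPLE_AUDIT and SAMPLE_LICENSES are constructed.
"""
import json
import sys

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed `npm audit --json` output (auditReportVersion 2, npm 7+). Package names
# and advisory URLs are placeholders, not real packages or advisories.
SAMPLE_AUDIT = json.loads("""{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "sample-parser": {"name": "sample-parser", "severity": "high", "isDirect": true,
      "via": [{"source": 1, "name": "sample-parser", "title": "placeholder advisory",
               "url": "https://example.invalid/advisories/PLACEHOLDER-1",
               "severity": "high", "range": "<2.0.1"}],
      "range": "<2.0.1", "fixAvailable": {"name": "sample-parser", "version": "2.0.1"}},
    "sample-cli": {"name": "sample-cli", "severity": "high", "isDirect": true,
      "via": ["sample-parser"], "range": "*", "fixAvailable": false},
    "sample-logger": {"name": "sample-logger", "severity": "moderate", "isDirect": false,
      "via": [{"source": 2, "name": "sample-logger", "title": "placeholder advisory",
               "url": "https://example.invalid/advisories/PLACEHOLDER-2",
               "severity": "moderate", "range": "<1.4.0"}],
      "range": "<1.4.0", "fixAvailable": true}
  }
}""")

# Constructed package -> licence map (what step 3 of the scan pulls from manifests).
SAMPLE_LICENSES = {"sample-parser": "MIT", "sample-cli": "GPL-3.0",
                   "sample-logger": "MIT OR Apache-2.0", "sample-legacy": None}

# The `config` object from ~/.openclaw/openclaw.json, with one ignore entry added.
CONFIG = {
    "severityThreshold": "high",
    "blockedLicenses": ["GPL-3.0", "AGPL-3.0"],
    "allowedLicenses": ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"],
    "ignoredVulnerabilities": ["https://example.invalid/advisories/PLACEHOLDER-2"],
}


def findings_from_npm_audit(report):
    """Flatten the v2 report. A `via` entry that is a dict is the advisory itself; a
    string means 'affected through that dependency', whose advisory is already listed
    under its own name, so it is not counted a second time."""
    out = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        for adv in (v for v in vuln.get("via", []) if isinstance(v, dict)):
            out.append({"package": name,
                        "severity": adv.get("severity", vuln["severity"]),
                        "id": adv.get("url") or str(adv.get("source")),
                        "direct": vuln.get("isDirect", False),
                        "fix_available": bool(vuln.get("fixAvailable"))})
    return out


def blocking_findings(findings, cfg):
    """Findings at or above severityThreshold that are not explicitly ignored."""
    threshold = SEVERITY_RANK[cfg.get("severityThreshold", "high")]
    ignored = set(cfg.get("ignoredVulnerabilities", []))
    return [f for f in findings
            if SEVERITY_RANK.get(f["severity"], 0) >= threshold and f["id"] not in ignored]


def license_allowed(expr, cfg):
    """Evaluate a flat SPDX expression: any OR branch whose AND parts all pass is enough.
    A missing licence is never allowed, so unknowns surface in the report. Nested
    parentheses are not handled; a real tool needs a proper SPDX expression parser."""
    if not expr:
        return False
    blocked, allowed = set(cfg.get("blockedLicenses", [])), set(cfg.get("allowedLicenses", []))

    def leaf_ok(lic):
        lic = lic.strip("() ")
        return lic not in blocked and (not allowed or lic in allowed)

    return any(all(leaf_ok(p) for p in alt.split(" AND ")) for alt in expr.split(" OR "))


def evaluate(report, licenses, cfg):
    """Commit-gate decision: exit 1 on any blocking vulnerability or licence violation."""
    vulns = blocking_findings(findings_from_npm_audit(report), cfg)
    bad = sorted(pkg for pkg, lic in licenses.items() if not license_allowed(lic, cfg))
    return {"exit_code": 1 if vulns or bad else 0,
            "vulnerabilities": vulns, "license_violations": bad}


if __name__ == "__main__":
    result = evaluate(SAMPLE_AUDIT, SAMPLE_LICENSES, CONFIG)
    for f in result["vulnerabilities"]:
        print(f"[{f['severity']}] {f['package']} {f['id']} fix={'yes' if f['fix_available'] else 'no'}")
    for pkg in result["license_violations"]:
        print(f"[license] {pkg}: {SAMPLE_LICENSES[pkg] or 'unknown'}")
    sys.exit(result["exit_code"])  # non-zero is what blocks the commit under a hook
```

Wired into lefthook, the exit status is what blocks the commit: a pre-commit command with a `glob` over the lockfiles and a `run` line that invokes this script (filename and wiring assumed) fails the hook on any blocking finding. Note the ordering of the two filters: the ignore list is consulted after the severity threshold, so an ignored advisory stays ignored even if its severity is later raised. The SPDX evaluation is deliberately flat; `GPL-3.0 AND (MIT OR ISC)` would be accepted through the second branch, which is why a production check should use a real SPDX expression parser.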

Important Notes

  • Free tier works immediately — no configuration needed
  • All scanning happens locally using native package manager audit tools
  • License validation is offline — no phone-home
  • Falls back to manifest parsing if native audit tools aren't available
  • Supports monorepos — scans all workspaces/packages

When to Use DepGuard

The user might say things like:

  • "Scan my dependencies for vulnerabilities"
  • "Check my package licenses"
  • "Are any of my npm packages insecure?"
  • "Generate a security audit report"
  • "Set up dependency monitoring"
  • "Block GPL dependencies in this project"
  • "Generate an SBOM"
  • "Check if we're compliant with our license policy"
Usage Guidance
DepGuard appears coherent for its stated purpose, but review and accept a few behaviors before installing:

  1. Hooks: depguard hooks install will edit or create your repository's lefthook.yml and install a pre-commit hook that sources and runs the skill's scanner script on commits that touch lockfiles. Commit operations therefore execute the skill's shell code; make sure you trust the skill source and that the skill files remain under your control.
  2. License key handling: store DEPGUARD_LICENSE_KEY securely (environment variable or ~/.openclaw/openclaw.json). The skill decodes the JWT locally (no network calls), but it does read your OpenClaw config file if present, so the manifest's 'required config paths: none' is inaccurate.
  3. Optional tools: full functionality uses node, python, jq, and the native audit tools (npm, pip-audit, cargo-audit, govulncheck). Without them, DepGuard falls back to less detailed manifest-based checks.
  4. Inspect the bundled scripts before use. If you do not want hooks to source code from ~/.openclaw/skills/depguard, set DEPGUARD_SKILL_DIR to a location you control, or do not install the hooks.

If you need to be more cautious (e.g., under an enterprise policy), test the tool in an isolated repository first.
Capability Analysis
Type: OpenClaw Skill
Name: depguard
Version: 1.0.1

The OpenClaw DepGuard skill is classified as benign. It performs dependency auditing, vulnerability scanning, and license compliance checks as advertised. All operations, including scanning, reporting, fixing, and license validation, run locally without external data exfiltration or 'phone-home' behavior, which is explicitly stated and confirmed by the code. While the skill executes powerful commands that modify the user's project (e.g., `npm audit fix` behind `depguard fix`, and `lefthook install` behind `depguard hooks install`), these actions are central to its stated purpose and are clearly documented. The shell scripts (`scripts/*.sh`) consistently quote user-provided directory arguments, mitigating direct shell injection risks. There is no evidence of malicious intent, obfuscation, or attempts at unauthorized access or persistence beyond the documented git hooks.
Capability Assessment
Purpose & Capability
The skill name/description (dependency vulnerability & license scanning) matches the code and runtime instructions. Required binaries (git, bash) and the optional brew install of lefthook make sense for installing and running git hooks. The primary credential (DEPGUARD_LICENSE_KEY) is used only to gate Pro/Team features.
Instruction Scope
Runtime instructions run local audit tools (npm audit, pip-audit, cargo-audit, govulncheck, etc.), parse manifests/node_modules for license data, and optionally install lefthook hooks that call the scanner. All actions are local; there are no network 'phone-home' steps in the scripts. Notable: the hooks install writes/edits repository lefthook.yml and configures pre-commit hooks that will source the skill's scanner script from the user's skills directory on each commit — this is expected for continuous monitoring but does mean commits will execute code from the skill directory.
Install Mechanism
Install spec is a single Homebrew formula (lefthook) — a standard package install from a well-known channel. The skill bundle contains shell scripts and a lefthook config; there are no downloads from untrusted URLs or extracted archives in the install spec.
Credentials
The only declared secret is DEPGUARD_LICENSE_KEY and that is used solely to gate Pro/Team features via local JWT decoding. The scripts also read ~/.openclaw/openclaw.json (to find a stored apiKey) even though 'required config paths' was declared as none — this is a minor metadata mismatch. The code optionally uses python, node, or jq when available to parse files; those are optional helpers, not required secrets.
Persistence & Privilege
always:false (no forced always-on). Installing hooks modifies repository lefthook.yml and runs lefthook install to wire pre-commit hooks — appropriate for a tool that blocks commits on bad dependencies, but it does grant the skill the ability to run code during commit operations by sourcing the skill's scanner script (from ~/.openclaw/skills/depguard by default or a DEPGUARD_SKILL_DIR override). Users should accept that repository hook changes will be made when installing Pro hooks.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install depguard
  3. After installation, invoke the skill by name or use /depguard
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Update URLs to free Cloudflare Pages hosting (depguard.pages.dev)
v1.0.0
Initial release: dependency vulnerability scanning, license compliance, git hook integration, SBOM generation
Metadata
Slug: depguard
Version: 1.0.1
License:
All-time Installs: 2
Active Installs: 2
Total Versions: 2
Frequently Asked Questions

What is DepGuard?

Scan project dependencies for vulnerabilities, license compliance, and generate security or compliance reports using native package manager audits. It is an AI Agent Skill for Claude Code / OpenClaw, with 747 downloads so far.

How do I install DepGuard?

Run "/install depguard" in the OpenClaw or Claude Code chat. The free-tier commands (scan, report) work immediately with no further setup; Pro and Team commands additionally need DEPGUARD_LICENSE_KEY, and depguard hooks install needs lefthook (installed via Homebrew).

Is DepGuard free?

The free tier (scan and report) requires no license and runs immediately after install. The Pro tier ($19/user/month: hooks, watch, fix) and the Team tier ($39/user/month: policy, sbom, compliance) require a paid DEPGUARD_LICENSE_KEY.

Which platforms does DepGuard support?

DepGuard is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux, win32).

Who created DepGuard?

It is built and maintained by suhteevah (@suhteevah); the current version is v1.0.1.
