tuthan

Dependency Guard

by Hung Vo · GitHub ↗ · v1.0.1 · MIT-0
cross-platform · ✓ Security Clean · 130 downloads · 0 stars · 0 active installs · 2 versions
Install in OpenClaw
/install dependency-guard
Description
Use when a task adds, upgrades, removes, or reviews software dependencies and the agent should apply a Socket-based supply-chain guardrail before changing ma...
README (SKILL.md)

Dependency Guard

Use this skill when dependency changes are in scope for npm, pnpm, yarn, Python packages, or other package ecosystems supported by Socket.

Prerequisites

  • The socket CLI must be installed and on PATH (npm install -g socket).
  • Authentication is required for CLI-based reviews. See the Authentication section below.

Workflow

  1. Confirm the exact dependency change being proposed.
  2. Check whether the feature can be implemented with the standard library or an existing project dependency.
  3. Prefer MCP depscore if the host agent exposes it.
  4. Otherwise run scripts/check_dependency.sh <ecosystem> <package> [version].
  5. Apply the policy in references/policy.md.
  6. Apply the decision rules in references/decision-matrix.md.
  7. Before making the change, report:
    • why the package is needed
    • whether an existing alternative exists
    • what Socket reported
    • whether install scripts, risky capabilities, or transitive risk are present
  8. If the decision is allow_with_warning, present the warning clearly before making the change. If the decision is block_pending_human_review or block, stop and propose either:
    • a safer dependency
    • a no-dependency implementation
    • explicit human review

Authentication

Three authentication paths are supported, in order of preference:

  1. MCP depscore — no local credentials needed; works through the host agent's MCP connection.
  2. socket login — interactive CLI login; stores auth locally.
    • If your CLI supports it, pressing Enter at the token prompt uses limited public access.
    • To use a private token, paste it at the prompt instead.
  3. SOCKET_SECURITY_API_TOKEN env var — set this for CI or headless environments.

Security: Never paste private tokens into agent prompts. Use the env var or socket login instead.

CI note: GitHub Actions workflows use SOCKET_SECURITY_API_KEY (a separate GitHub-integration key), not SOCKET_SECURITY_API_TOKEN. See examples/github/dependency-guard.yml.

Reporting Contract

Use the short response template in references/examples.md when presenting the package review to the user.

References

  • Read references/policy.md for the canonical guardrail.
  • Read references/decision-matrix.md for allow/block criteria.
  • Read references/examples.md for user-facing review examples.

Notes

  • Keep SKILL.md lean; do not duplicate the full policy here.
  • OpenClaw and ClawHub expect metadata to be a single-line JSON object in frontmatter, so keep the OpenClaw metadata compact.
  • The version field in frontmatter is the single source of truth; use publish_clawhub.sh --bump patch|minor|major to auto-increment.
  • Do not assume system-wide wrapper enforcement or shell-completion setup is desirable; keep CLI setup minimal.
  • If Socket tooling is unavailable, require human review before adding the dependency.
  • Review manifest and lockfile changes together.
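
The stop conditions in step 8 of the workflow and the two notes above (tooling unavailable, manifest and lockfile reviewed together) can be combined into one fail-closed gate. This is an added example, not code from the skill bundle: the function names, the mapping of "human review" to block_pending_human_review, and the lockfile pairing rule are assumptions.

```shell
#!/bin/sh
# Added example, not part of the skill bundle. Function names are hypothetical;
# the decision strings are the ones used in the workflow above.

# Severity of a decision; empty or unrecognised tool output ranks as block.
rank() {
    case "$1" in
        allow) echo 0 ;;
        allow_with_warning) echo 1 ;;
        block_pending_human_review) echo 2 ;;
        *) echo 3 ;;
    esac
}

# Changed paths on stdin (as from `git diff --name-only`). Prints "unpaired"
# if a manifest changed with no lockfile change beside it or at the repo root.
lockfile_status() {
    files=$(cat); res=paired
    while IFS= read -r f; do
        case "$f" in */*) dir="${f%/*}/" ;; *) dir="" ;; esac
        case "${f##*/}" in
            package.json) locks="package-lock.json pnpm-lock.yaml yarn.lock" ;;
            pyproject.toml) locks="poetry.lock uv.lock" ;;
            *) continue ;;
        esac
        found=no
        for l in $locks; do
            printf '%s\n' "$files" | grep -qxF -e "$dir$l" -e "$l" && found=yes
        done
        [ "$found" = yes ] || res=unpaired
    done <<EOF
$files
EOF
    echo "$res"
}

# decide SOCKET_AVAILABLE(yes|no) SOCKET_DECISION, changed paths on stdin.
# Assumption: "require human review" maps to block_pending_human_review, and
# an unpaired manifest change is escalated to the same decision.
decide() {
    d=$2
    [ "$1" = yes ] || d=block_pending_human_review
    floor=allow
    [ "$(lockfile_status)" = paired ] || floor=block_pending_human_review
    [ "$(rank "$d")" -ge "$(rank "$floor")" ] || d=$floor
    case "$(rank "$d")" in 3) echo block ;; *) echo "$d" ;; esac
}
```

Typical use is `git diff --name-only | decide yes "$decision"`, where `$decision` is whatever the Socket review produced; the gate only ever makes the outcome stricter, never looser.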
Usage Guidance
This skill appears to do what it says: it runs the Socket CLI (or MCP depscore) to produce a dependency review report. Before installing or invoking it:
  1. Ensure the socket CLI you install is from the official source (npm package 'socket' or your org's vetted binary).
  2. Prefer MCP depscore, or an environment variable for CI (SOCKET_SECURITY_API_TOKEN), over pasting private tokens into interactive prompts.
  3. Be aware that the skill may read repository manifests and write temporary report files under tmp/.
  4. Note that the documentation and examples reference several env vars (SOCKET_SECURITY_API_TOKEN, SOCKET_SECURITY_API_KEY, GH_API_TOKEN); confirm which tokens your environment needs and avoid exposing secrets to untrusted prompts.
If those points are acceptable, the skill is coherent and appropriate for its purpose.
Capability Assessment
Purpose & Capability
The skill is explicitly a Socket-backed dependency review helper and declares the socket CLI as required; that aligns with the description and workflow. Included references and decision logic match the stated goal of approving/blocking dependency changes.
Instruction Scope
Runtime instructions direct the agent to use MCP depscore or the socket CLI and to run the bundled scripts/check_dependency.sh which only invokes the socket CLI and reads local manifests/reports. This is in-scope. Minor note: the SKILL.md and examples reference environment variables (SOCKET_SECURITY_API_TOKEN, SOCKET_SECURITY_API_KEY, GH_API_TOKEN) and interactive `socket login` flows that are optional but sensitive; those env vars are not declared in requires.env.
Install Mechanism
No install spec is provided (instruction-only with a small helper script). The only runtime dependency is the socket CLI, which the skill documents installing via npm; no external downloads or extraction of arbitrary archives occur in the skill bundle.
Credentials
The skill does not require credentials by default, which is proportional. However SKILL.md and examples mention several optional tokens (SOCKET_SECURITY_API_TOKEN for headless CLI auth, SOCKET_SECURITY_API_KEY for GitHub integration, GH_API_TOKEN) — these are reasonable for CI or Socket integration but are not declared in requires.env, and the example uses a different Socket env var name than the SKILL.md. This mismatch is benign but worth noting so users don't accidentally supply secrets in the wrong place.
Persistence & Privilege
The skill is not always-on and does not request system-wide privileges. It does not modify other skills or system settings. It runs a helper script and the socket CLI only when invoked.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install dependency-guard
  3. After installation, invoke the skill by name or use /dependency-guard
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Added version field and prerequisites to SKILL.md; updated metadata to declare required `socket` CLI.
- Expanded authentication instructions, including explicit support for `SOCKET_SECURITY_API_TOKEN` and GitHub Actions integration.
- Removed 12 files: docs, agent configs, helper scripts, and all test scripts.
- Simplified repository to essential docs and example workflow.
v1.0.0
Initial release of dependency-guard skill:
- Introduces a skill to enforce supply-chain risk checks before changing package dependencies using Socket or MCP `depscore`.
- Provides a structured workflow to evaluate, score, and document dependency changes.
- Specifies clear allow/block decision rules and reporting requirements.
- Includes minimal OpenClaw metadata for compatibility across hosts.
- Ensures human review requirement if automated tooling is unavailable.
Metadata
Slug dependency-guard
Version 1.0.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is Dependency Guard?

Use when a task adds, upgrades, removes, or reviews software dependencies and the agent should apply a Socket-based supply-chain guardrail before changing ma... It is an AI Agent Skill for Claude Code / OpenClaw, with 130 downloads so far.

How do I install Dependency Guard?

Run "/install dependency-guard" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Dependency Guard free?

Yes, Dependency Guard is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Dependency Guard support?

Dependency Guard is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Dependency Guard?

It is built and maintained by Hung Vo (@tuthan); the current version is v1.0.1.
