← Back to Skills Marketplace
Composer JSON Validator
by
charlie-morrison
· GitHub ↗
· v1.0.0
· MIT-0
82
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install composer-json-validator
Description
Validate and lint PHP Composer composer.json files for structure, dependencies, autoload, and best practices. Use when asked to lint, validate, check, or aud...
README (SKILL.md)
Composer JSON Validator
Validate and lint PHP Composer composer.json files for structure, dependencies, autoload configuration, and best practices.
Commands
lint — Run all lint checks
python3 scripts/composer_json_validator.py lint composer.json
python3 scripts/composer_json_validator.py lint composer.json --strict
python3 scripts/composer_json_validator.py lint composer.json --format json
python3 scripts/composer_json_validator.py lint composer.json --format markdown
dependencies — Inspect require/require-dev
python3 scripts/composer_json_validator.py dependencies composer.json
python3 scripts/composer_json_validator.py dependencies composer.json --format json
scripts — Inspect scripts section
python3 scripts/composer_json_validator.py scripts composer.json
python3 scripts/composer_json_validator.py scripts composer.json --format markdown
validate — Full validation (structure + lint + summary)
python3 scripts/composer_json_validator.py validate composer.json
python3 scripts/composer_json_validator.py validate composer.json --strict --format json
Flags
| Flag | Description |
|---|---|
--strict |
Exit code 1 on warnings (CI-friendly) |
--format text |
Human-readable output (default) |
--format json |
Machine-readable JSON |
--format markdown |
Markdown report |
Lint Rules (22 checks)
Structure (5)
- Valid JSON syntax
- Required fields:
name,description,type - Valid package name format (
vendor/package) - Valid
typevalue (library,project,metapackage,composer-plugin) licensefield present and valid SPDX identifier
Dependencies (6)
- No duplicate packages across
requireandrequire-dev - Version constraints use valid operators (
^,~,>=, etc.) - No dev-only packages in
require(phpunit, mockery, etc.) - No wildcard
*versions - PHP version constraint present in
require ext-*dependencies are explicit (not*)
Autoload (4)
- PSR-4 autoload defined
- Namespace ends with
\\(PSR-4 convention) - No duplicate namespaces across autoload entries
autoload-devseparate fromautoload
Best Practices (7)
scriptssection present- No
post-install-cmd/post-update-cmdexecuting arbitrary URLs config.sort-packagesenabledminimum-stabilityexplicit when notstableprefer-stableset whenminimum-stabilityis notstable- No hardcoded absolute paths in autoload
- All repository URLs use HTTPS
Exit Codes
| Code | Meaning |
|---|---|
| 0 | No errors (warnings allowed unless --strict) |
| 1 | Errors found (or warnings in --strict mode) |
| 2 | Invalid arguments / file not found |
Example Output
composer.json lint results
==========================
[ERROR] name: Package name must match vendor/package format
[WARN] dependencies: phpunit/phpunit found in require (should be in require-dev)
[WARN] autoload: config.sort-packages not enabled
[INFO] scripts: scripts section present
Summary: 1 error(s), 2 warning(s), 1 info
Usage Guidance
This skill appears internally consistent: its description, SKILL.md, and the included Python script (so far) match a composer.json linter. Before installing or running it, open and review the entire scripts/composer_json_validator.py file yourself (or have someone you trust do so) to confirm it does not: (1) call out to the network (requests/curl/wget/subprocess), (2) execute arbitrary shell commands, (3) read unrelated files or environment variables, or (4) write files outside a safe working directory. If you cannot review the full script, run it in an isolated sandbox/container with only the composer.json you want to lint. Also note the skill listing mentions a $49 price in STATUS.md — verify licensing and payment expectations before publishing or paying.
Capability Analysis
Type: OpenClaw Skill
Name: composer-json-validator
Version: 1.0.0
The skill is a legitimate utility for validating and linting PHP Composer 'composer.json' files. The Python script (scripts/composer_json_validator.py) performs static analysis on the JSON structure, dependencies, and autoload configurations without executing external commands or making network requests. It includes security-focused checks, such as Rule 17 which detects potential 'curl' or 'wget' execution within the analyzed file's scripts section, demonstrating a defensive design rather than malicious intent.
Capability Tags
Capability Assessment
Purpose & Capability
Name, description, SKILL.md usage examples, and the included script all align: the skill is a composer.json linter and the runtime instructions call the bundled Python script against a composer.json file. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md only instructs running the bundled script (python3 scripts/composer_json_validator.py) with the target composer.json and flags for format/strictness. It does not ask the agent to read arbitrary system files, environment variables, or post data to external endpoints in the instructions.
Install Mechanism
There is no install spec (instruction-only invocation of a bundled script). Nothing will be downloaded or written to disk beyond the existing packaged files. This is low-risk relative to remote-install behaviors.
Credentials
The skill declares no required environment variables or credentials, which is proportionate. The bundled script appears to read only the composer.json file passed on the command line. However, the Python source was truncated in the provided bundle listing, so it is not possible to confirm it does not access environment variables, other files, or network resources.
Persistence & Privilege
The skill does not request always: true and has no install-time actions declared that would persist or modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) — note this is normal but means the skill could be run without direct user prompting if the agent chooses to.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install composer-json-validator - After installation, invoke the skill by name or use
/composer-json-validator - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Frequently Asked Questions
What is Composer JSON Validator?
Validate and lint PHP Composer composer.json files for structure, dependencies, autoload, and best practices. Use when asked to lint, validate, check, or aud... It is an AI Agent Skill for Claude Code / OpenClaw, with 82 downloads so far.
How do I install Composer JSON Validator?
Run "/install composer-json-validator" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Composer JSON Validator free?
Yes, Composer JSON Validator is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Composer JSON Validator support?
Composer JSON Validator is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Composer JSON Validator?
It is built and maintained by charlie-morrison (@charlie-morrison); the current version is v1.0.0.
More Skills