
Dependency Audit

by Fratua · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
957
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install dependency-audit
Description
Smart dependency health check — security audit, outdated detection, unused deps, and prioritized update plan
README (SKILL.md)

dependency-audit — Smart Dependency Health Check

Detect your package manager, run security audits, find outdated and unused dependencies, and generate a prioritized update plan.

Steps

1. Detect Package Manager

Check for these files in the project root:

| File | Ecosystem | Audit Command |
|------|-----------|---------------|
| package.json | Node.js (npm/yarn/pnpm) | `npm audit` |
| requirements.txt / pyproject.toml / Pipfile | Python | `pip-audit` |
| Cargo.toml | Rust | `cargo audit` |
| go.mod | Go | `govulncheck ./...` |
| Gemfile | Ruby | `bundle audit check` |

For Node.js, pick the client that matches the lockfile present (package-lock.json → npm, yarn.lock → `yarn audit`, pnpm-lock.yaml → `pnpm audit`) so the audit sees the same resolved tree the project installs. If multiple ecosystems are found, audit all of them. If none is found, stop and inform the user.

2. Run Security Audit

Node.js:

```bash
npm audit --json 2>/dev/null
# Parse: vulnerabilities (keyed by package in npm 7+), severity (critical/high/moderate/low), range, fixAvailable
# Exit status 1 means vulnerabilities were found, not that the command failed
```

Python:

```bash
pip-audit --format=json 2>/dev/null
# The tool is pip-audit (a separate package), not a pip subcommand. If missing: pip install pip-audit
# Like npm audit, it exits 1 when vulnerabilities are found, so do not chain a fallback with ||
```

Rust:

```bash
cargo audit --json 2>/dev/null
# If not installed: cargo install cargo-audit
```

3. Check for Outdated Packages

Node.js:

```bash
npm outdated --json 2>/dev/null
# Shows: current, wanted (highest version inside the semver range in package.json), latest
# Exits 1 when anything is outdated; that is the normal case, not an error
```

Python:

```bash
pip list --outdated --format=json 2>/dev/null
# Lists what is installed in the active environment, so run it inside the project's venv
```

Rust:

```bash
cargo outdated -R 2>/dev/null
# -R limits output to root (direct) dependencies. If not installed: cargo install cargo-outdated
```

4. Identify Unused Dependencies

Node.js — use depcheck:

```bash
npx depcheck --json 2>/dev/null
```

This reports unused dependencies and missing dependencies (imported but not declared). Note that npx downloads and executes depcheck from the registry if it is not already installed; pin it (`npx depcheck@<version>`) or add it as a dev dependency if that matters. If npx fails, scan source files manually:

```bash
# List all deps from package.json, then grep for imports/requires
# Flag any dep not found in any .js/.ts/.jsx/.tsx file
```

Python: Scan imports vs installed packages:

```bash
# Extract imports from .py files
grep -rh "^import \|^from " --include="*.py" . | sort -u
# Compare against requirements.txt entries
```

Two caveats before reporting a Python package as unused: the anchored grep misses indented imports (inside functions or try blocks) and matches lines that merely look like imports inside strings, and the name you import is often not the name you install (PyYAML → yaml, Pillow → PIL, beautifulsoup4 → bs4), so compare against each distribution's import name, not its PyPI name.
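The Python half of this step done properly, as an added example that is not the skill's own code: it parses the source files with the `ast` module instead of grepping for `^import`, and it maps distribution names to the modules they actually provide. The `IMPORT_NAME` table lists a handful of real packages and is assumed to be extended per project; the requirements file and source files at the bottom are constructed samples, not taken from any real project.

```python
"""Find requirements.txt entries that no .py file actually imports.

Added example, not part of the dependency-audit skill. It replaces the
README's grep with the ast module (indented and multi-line imports are seen,
text inside strings and comments is not) and maps distribution names to the
module names they provide, which a textual grep cannot do.
"""
from __future__ import annotations

import ast
import re
from pathlib import Path

# Distribution name -> import name for packages where the two differ.
# Illustrative table of real PyPI packages; assume you extend it for your own stack.
IMPORT_NAME = {
    "pyyaml": "yaml",
    "pillow": "PIL",
    "beautifulsoup4": "bs4",
    "scikit-learn": "sklearn",
    "python-dateutil": "dateutil",
    "python-dotenv": "dotenv",
}


def normalize(name: str) -> str:
    """PEP 503 normalisation: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[str]:
    """Normalised distribution names from requirements.txt content."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("-"):         # blank, -r, -e, --index-url ...
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)  # name before [extras], specifier, markers
        if m:
            names.append(normalize(m.group(0)))
    return names


def top_level_imports(source: str) -> set[str]:
    """Top-level module names imported anywhere in one Python source file."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return set()
    mods: set[str] = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mods.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            mods.add(node.module.split(".")[0])      # skip relative imports
    return mods


def unused_requirements(requirements: str, sources: dict[str, str]) -> list[str]:
    """Requirements whose import name appears in none of the given sources.

    `sources` maps file name -> content so the check runs on in-memory input;
    scan_project() is the disk-backed wrapper.
    """
    imported = set()
    for src in sources.values():
        imported.update(m.lower() for m in top_level_imports(src))
    unused = []
    for dist in parse_requirements(requirements):
        module = IMPORT_NAME.get(dist, dist.replace("-", "_"))  # fallback: foo-bar -> foo_bar
        if module.lower() not in imported:
            unused.append(dist)
    return unused


def scan_project(root: str) -> list[str]:
    """Read requirements.txt and every *.py under root, then run the check."""
    base = Path(root)
    sources = {str(p): p.read_text(errors="replace") for p in base.rglob("*.py")}
    return unused_requirements((base / "requirements.txt").read_text(), sources)


# Constructed sample project (not real code). grep '^import \|^from ' would get
# two of these wrong: it misses the indented bs4 import and it matches the
# 'import dotenv' line that only exists inside a docstring.
SAMPLE_REQUIREMENTS = """\
requests>=2.31        # HTTP client
PyYAML==6.0.1
Pillow
beautifulsoup4
python-dotenv
-r dev-requirements.txt
"""
SAMPLE_SOURCES = {
    "app.py": "import requests\nimport yaml\nfrom PIL import Image\n",
    "scrape.py": "def run(html):\n    from bs4 import BeautifulSoup\n    return BeautifulSoup(html)\n",
    "notes.py": '"""Setup notes.\nimport dotenv\n"""\n',
}

if __name__ == "__main__":
    print(unused_requirements(SAMPLE_REQUIREMENTS, SAMPLE_SOURCES))
```

Run against a real checkout with `scan_project(".")`. Only python-dotenv is reported for the sample: PyYAML, Pillow and beautifulsoup4 are used under different import names, and the indented bs4 import counts as a use even though the README's grep would not see it.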

5. Generate Prioritized Update Plan

Organize findings into priority tiers:

## 🔴 Critical — Security Vulnerabilities
| Package | Severity | Current | Fixed In | Command |
|---------|----------|---------|----------|---------|
| lodash | CRITICAL | 4.17.19 | 4.17.21 | `npm install lodash@4.17.21` |

## 🟠 High — Breaking Updates Available
| Package | Current | Latest | Breaking Changes |
|---------|---------|--------|-----------------|
| express | 4.18.2 | 5.0.0 | New router API |

## 🟡 Medium — Minor/Patch Updates
| Package | Current | Latest | Command |
|---------|---------|--------|---------|
| axios | 1.5.0 | 1.6.2 | `npm install axios@1.6.2` |

## 🟢 Low — Unused Dependencies
| Package | Action |
|---------|--------|
| moment | `npm uninstall moment` |

6. Provide Safe Update Commands

For batch updates, generate copy-pasteable commands:

```bash
# Security fixes: installs the fixed versions that still satisfy the ranges in package.json
# (semver-compatible, not "patch only"). Never add --force here: it pulls in breaking
# major versions without review
npm audit fix

# All compatible updates (stays inside the declared semver ranges)
npm update

# Specific breaking update (test thoroughly)
npm install express@5.0.0
```

For Python:

```bash
pip install --upgrade package_name
# Or let pip-audit upgrade only the vulnerable packages: pip-audit --fix
```

7. Output Summary

# Dependency Health Report — [project-name]
**Date:** 2025-02-15 | **Ecosystem:** Node.js (npm)

| Category | Count |
|----------|-------|
| 🔴 Security vulnerabilities | 2 |
| 🟠 Major updates available | 3 |
| 🟡 Minor/patch updates | 8 |
| 🟢 Unused dependencies | 1 |
| ✅ Up-to-date | 42 |

Edge Cases

  • Lock file conflicts: If package-lock.json is out of sync with package.json, run npm install first (npm audit reads the lockfile)
  • Private registries: npm audit needs the registry to proxy npm's audit endpoint and may fail otherwise. Overriding with --registry=https://registry.npmjs.org works, but it sends the full dependency list to the public registry and cannot audit packages that exist only in the private one, so ask before suggesting it
  • Monorepo: Check each workspace. For npm: npm audit --workspaces
  • No internet: Report that the audit needs network access to fetch advisories
  • Audit tool not installed: Provide the install command (e.g., pip install pip-audit) and let the user run it rather than installing silently

Error Handling

| Error | Resolution |
|-------|------------|
| npm audit / pip-audit / cargo audit returns exit code 1 | Normal, it means vulnerabilities were found; parse the output (npm outdated also exits 1 when packages are outdated) |
| pip-audit not found | pip install pip-audit, then retry |
| cargo audit not found | cargo install cargo-audit, then retry |
| Network error | Check connectivity. cargo audit can reuse an already-fetched advisory database with --no-fetch; npm audit has no offline mode |
| Permission denied | Suggest running without sudo; check file ownership |
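The whole procedure (steps 1 to 3 and 5 to 7, plus the exit-status rule from the Error Handling table) as one runnable script. This is an added example in Python, not the skill's own code or anything shipped by its author. It assumes the npm 7+ JSON shapes (`vulnerabilities` keyed by package with `severity`, `range` and `fixAvailable`; `current`/`wanted`/`latest` from `npm outdated`; depcheck's `dependencies` list), and the sample tool output at the bottom is constructed to match the README's illustrative tables rather than captured from a real project.

```python
"""Audit output -> prioritized update plan (README steps 1-3 and 5-7).

Added example, not the dependency-audit skill's own code. Assumes the npm 7+
JSON shapes: `npm audit --json` keys `vulnerabilities` by package, each with
`severity`, `range` and `fixAvailable` (True, False, or a dict naming the
version to install plus `isSemVerMajor`); `npm outdated --json` gives
`current`/`wanted`/`latest`; `npx depcheck --json` lists unused packages
under `dependencies`.
"""
from __future__ import annotations

import json
import subprocess

# Step 1: manifest file -> (ecosystem, audit command), as in the README table.
MANIFESTS = {
    "package.json": ("Node.js", ["npm", "audit", "--json"]),
    "requirements.txt": ("Python", ["pip-audit", "--format=json"]),
    "pyproject.toml": ("Python", ["pip-audit", "--format=json"]),
    "Cargo.toml": ("Rust", ["cargo", "audit", "--json"]),
    "go.mod": ("Go", ["govulncheck", "./..."]),
}
SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}


def detect(root_files: list[str]) -> dict[str, list[str]]:
    """Ecosystems present in the project root, with the audit command for each."""
    found: dict[str, list[str]] = {}
    for name in root_files:
        if name in MANIFESTS:
            eco, cmd = MANIFESTS[name]
            found.setdefault(eco, cmd)
    return found


def run_json(cmd: list[str], cwd: str | None = None) -> dict:
    """Run a tool and parse its JSON. Exit 1 plus valid JSON means "findings"
    (npm audit, npm outdated, pip-audit and cargo audit all do this); any other
    status, non-JSON stdout, or an npm-style {"error": ...} object is a real
    failure (tool missing, no network, lockfile out of sync)."""
    proc = subprocess.run(cmd, cwd=cwd, capture_output=True, text=True)
    try:
        data = json.loads(proc.stdout or "{}")
    except json.JSONDecodeError:
        data = None
    if data is None or proc.returncode not in (0, 1) or (isinstance(data, dict) and "error" in data):
        detail = proc.stderr.strip() or proc.stdout.strip()
        raise RuntimeError(f"{cmd[0]} failed (exit {proc.returncode}): {detail}")
    return data


def major(version: str) -> int:
    return int(version.split(".")[0])  # '5.0.0' -> 5; npm versions are plain semver


def build_plan(audit: dict, outdated: dict, depcheck: dict | None = None) -> dict:
    """Steps 5-6: sort findings into the README's four tiers, one command each."""
    plan: dict[str, list[dict]] = {"critical": [], "high": [], "medium": [], "low": []}
    vulns = audit.get("vulnerabilities", {})
    for name, v in sorted(vulns.items(), key=lambda kv: SEVERITY_RANK.get(kv[1]["severity"], 9)):
        fix = v.get("fixAvailable")
        if isinstance(fix, dict):          # npm names the version that closes the advisory
            cmd = f"npm install {fix['name']}@{fix['version']}"
            if fix.get("isSemVerMajor"):   # breaking bump: review it, never `npm audit fix --force`
                cmd += "  # semver-major, test first"
        elif fix is True:                  # fix lies inside the declared range
            cmd = "npm audit fix"
        else:
            cmd = "no fix published: pin, patch, or replace"
        plan["critical"].append({"package": name, "severity": v["severity"].upper(),
                                 "range": v.get("range", ""), "command": cmd})
    for name, o in outdated.items():
        if name in vulns:                  # already listed in the security tier
            continue
        cur, latest = o["current"], o["latest"]
        tier = "high" if major(latest) > major(cur) else "medium" if latest != cur else None
        if tier:
            plan[tier].append({"package": name, "current": cur, "latest": latest,
                               "command": f"npm install {name}@{latest}"})
    for name in (depcheck or {}).get("dependencies", []):
        plan["low"].append({"package": name, "command": f"npm uninstall {name}"})
    return plan


def summary(plan: dict) -> dict[str, int]:
    """Step 7 counts in the README's report order."""
    return {"security": len(plan["critical"]), "major": len(plan["high"]),
            "minor": len(plan["medium"]), "unused": len(plan["low"])}


# Constructed sample tool output (not from a real project); names and versions
# mirror the README's tables. Live use: run_json(["npm", "audit", "--json"], cwd=root).
SAMPLE_AUDIT = {"vulnerabilities": {
    "minimist": {"severity": "moderate", "range": "<1.2.6", "fixAvailable": True},
    "lodash": {"severity": "critical", "range": "<4.17.21",
               "fixAvailable": {"name": "lodash", "version": "4.17.21", "isSemVerMajor": False}},
}}
SAMPLE_OUTDATED = {"express": {"current": "4.18.2", "wanted": "4.18.2", "latest": "5.0.0"},
                   "axios": {"current": "1.5.0", "wanted": "1.6.2", "latest": "1.6.2"},
                   "lodash": {"current": "4.17.19", "wanted": "4.17.21", "latest": "4.17.21"}}
SAMPLE_DEPCHECK = {"dependencies": ["moment"], "devDependencies": [], "missing": {}}

if __name__ == "__main__":
    plan = build_plan(SAMPLE_AUDIT, SAMPLE_OUTDATED, SAMPLE_DEPCHECK)
    print(summary(plan), {t: [f["command"] for f in fs] for t, fs in plan.items()})
```

Two design points worth keeping whatever the agent or script looks like: a package that is both vulnerable and outdated appears only in the security tier, so the fix command is not listed twice with different targets, and `run_json` refuses to treat a registry error or a missing tool as "no findings", which is the failure mode that quietly turns an audit into a false clean bill of health.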

Built by Clawb (SOVEREIGN) — more skills at [coming soon]

Usage Guidance
This skill appears coherent and appropriate for auditing dependencies, but it will run shell commands in your project and may suggest or execute package-manager operations that modify local state (installing audit tools, running `npm audit fix`, `npm update`, etc.). Before running: (1) review and approve generated commands rather than auto-running them; (2) prefer running in an isolated environment (container, VM, or branch) to avoid unintended changes to your system or repo; (3) be aware `npx` executes code fetched from the registry and installing tools (cargo/pip) writes to your home environment; (4) if your project uses private registries or tokens, ensure those credentials are not inadvertently exposed when running commands or when pasting outputs to external services. If you want stricter safety, run the audit manually using the commands the skill generates.
Capability Analysis
Type: OpenClaw Skill Name: dependency-audit Version: 1.0.0 The skill is designed to perform a legitimate dependency audit, but it requires and instructs the AI agent to execute a wide range of powerful shell commands (`npm`, `pip`, `cargo`, `npx`, `grep`) with broad file system access (e.g., `grep -rh` to scan all Python files) and network capabilities (for audits and tool installations like `pip install pip-audit`). While these actions are necessary for its stated purpose, the extensive shell execution and file system access capabilities, combined with instructions to install new tools, present a significant attack surface and inherent risk. There is no clear evidence of intentional malicious behavior such as data exfiltration or backdoor installation, but the broad permissions and execution capabilities make it suspicious.
Capability Assessment
Purpose & Capability
Name and description match the runtime instructions: detecting language manifests, running audits (npm/pip/cargo/govulncheck), checking outdated packages, identifying unused deps, and creating update plans. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructs the agent to run shell commands in the project root (audit commands, outdated checks, depcheck, grepping source files). It also recommends installing missing audit tools (e.g., `pip install pip-audit`, `cargo install cargo-audit`) and using `npx depcheck` which fetches and executes a package. These actions are within the audit purpose but will execute code, access project files, and may change local state (installing tools, updating lockfiles if the recommended commands are run).
Install Mechanism
This is an instruction-only skill with no install spec or shipped code. The SKILL.md recommends using standard package managers to install audit tooling if absent; that's expected for this functionality and there is no embedded arbitrary download URL or extractor in the skill itself.
Credentials
The skill requests no environment variables, credentials, or config paths. The commands may interact with package registries and local configs (e.g., npm registry settings), but the skill does not declare or demand any secrets.
Persistence & Privilege
always is false and the skill does not request persistent/system-wide privileges. The instructions may cause the user to install CLI tools into their environment if they follow them, but the skill itself does not install or persist code on the agent platform.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install dependency-audit
  3. After installation, invoke the skill by name or use /dependency-audit
  4. Run it from the root of the project you want audited; the skill has no parameter spec beyond that and returns the structured report described in the README
Version History
v1.0.0
Initial release of dependency-audit skill. - Automatically detects package managers (Node.js, Python, Rust, Go, Ruby) and audits for security issues, outdated, and unused dependencies. - Produces a prioritized update plan with clear actions for critical vulnerabilities, major, minor updates, and unused dependencies. - Suggests safe update commands for batch and individual updates. - Handles edge cases including missing tools, lock file conflicts, monorepos, and connectivity issues. - Presents a summary report for quick dependency health overview.
Metadata
Slug dependency-audit
Version 1.0.0
License
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Dependency Audit?

Smart dependency health check — security audit, outdated detection, unused deps, and prioritized update plan. It is an AI Agent Skill for Claude Code / OpenClaw, with 957 downloads so far.

How do I install Dependency Audit?

Run "/install dependency-audit" in the OpenClaw or Claude Code chat to install it in one step. The audit tools it calls (pip-audit, cargo-audit, cargo-outdated, depcheck) are not bundled; the skill prompts to install them when they are missing.

Is Dependency Audit free?

Yes, Dependency Audit is free to download, install and use. The metadata on this page lists no license, so check the GitHub repository before redistributing or modifying it.

Which platforms does Dependency Audit support?

Dependency Audit is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Dependency Audit?

It is built and maintained by Fratua (@fratua); the current version is v1.0.0.
