
dependency-security-scan

by qiushuizy · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean
92 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw: /install java-dependency-security-scan
Description
Analyzes dependency vulnerabilities in Java, Maven or Spring projects, verifies whether the used versions are affected, checks transitive and embedded dependencies, and produces a report with security remediation recommendations.
README (SKILL.md)

Quick Start

Use this Skill when the user asks for any of the following:

Scenario | Example
Scan project dependency vulnerabilities | "Scan my Spring Boot project dependencies for vulnerabilities"
Verify a specific dependency | "Is log4j-core 2.14.1 vulnerable?"
Analyze the impact of a CVE | "What impact does CVE-2021-44228 have on my project?"
Check transitive dependencies | "Analyze the dependency path of commons-lang3 in the project"
Check dependencies embedded in a JAR | "Analyze the dependencies inside this third-party JAR"
Generate a security report | "Generate a dependency security scan report"

Core Workflow

Collect evidence → Define scope → Match vulnerabilities → Output report

1. Collect evidence (in priority order)

Priority | Evidence type | Notes
1 | lockfile | gradle.lockfile, libs.versions.toml
2 | dependency:tree | mvn dependency:tree / gradlew dependencies
3 | build files | declarations in pom.xml / build.gradle
4 | user input | dependency lists, scanner reports

2. Define the scan scope

Scanned by default

  • Maven: compile and runtime scopes
  • Gradle: runtimeClasspath and implementation configurations
  • Embedded dependencies actually shipped inside third-party JARs

Excluded by default

  • test, testImplementation and other test-only dependencies
  • provided, compileOnly and other container-provided dependencies

3. Match vulnerabilities

A vulnerability is confirmed only when all of the following hold:

  • ✅ The dependency coordinates are explicit (groupId:artifactId:version)
  • ✅ The version falls inside the affected range stated in the CVE advisory
  • ✅ The dependency is actually in effect at runtime (not overridden or excluded)

4. Output the report

Use the following structure:

  1. Scan overview: project information, dependency count, vulnerability statistics
  2. Vulnerability details: grouped by severity, including CVE ids and fixed versions
  3. Remediation plan: concrete remediation recommendations, ordered by priority
  4. Residual risk: unverified assumptions and open uncertainties
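As an added illustration of the workflow above (example code written for this page, not part of the skill's own materials), the following Python script parses a constructed excerpt of mvn dependency:tree output, applies the three confirmation criteria (explicit coordinates, version inside the advisory range, runtime scope) against constructed advisory records, and keeps out-of-scope hits as "needs verification" instead of silently dropping them. Apart from CVE-2021-44228, which the page itself mentions, the advisory ids and all version ranges are placeholders.

```python
import re

# Constructed sample of `mvn dependency:tree` output; not captured from a real project.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] |  \\- org.apache.commons:commons-text:jar:1.9:runtime
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] \\- javax.servlet:javax.servlet-api:jar:4.0.1:provided
"""

# Constructed advisory records: (groupId:artifactId, introduced, fixed, id).
# EXAMPLE-* ids are placeholders; all ranges are sample data, not an authoritative feed.
SAMPLE_ADVISORIES = [
    ("org.apache.logging.log4j:log4j-core", "2.0", "2.15.0", "CVE-2021-44228"),
    ("junit:junit", "4.0", "4.13.3", "EXAMPLE-ADVISORY-1"),
    ("org.apache.commons:commons-lang3", "3.13.0", "3.14.0", "EXAMPLE-ADVISORY-2"),
]
RUNTIME_SCOPES = {"compile", "runtime"}   # scanned by default; test/provided are excluded

def parse_tree(text):
    """Return (groupId:artifactId, version, scope) for each dependency line."""
    deps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()[-1].split(":")   # g:a:type[:classifier]:version:scope
        if len(parts) >= 5:                   # the root line has 4 parts and no scope
            deps.append((f"{parts[0]}:{parts[1]}", parts[-2], parts[-1]))
    return deps

def version_key(v):
    """Simplified ordering: numeric segments as ints, qualifiers as strings (not full Maven rules)."""
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.split(r"[.\-]", v)]

def match(deps, advisories):
    """Apply the three confirmation criteria: explicit coordinates, version in
    [introduced, fixed), runtime scope. Out-of-scope hits stay as 'needs verification'."""
    findings = []
    for coord, version, scope in deps:
        for adv_coord, introduced, fixed, adv_id in advisories:
            if coord != adv_coord:
                continue
            if not version_key(introduced) <= version_key(version) < version_key(fixed):
                continue
            status = "confirmed" if scope in RUNTIME_SCOPES else "needs verification"
            findings.append({"id": adv_id, "dep": f"{coord}:{version}", "scope": scope,
                             "status": status, "fix": fixed})
    return findings
```

Running match(parse_tree(SAMPLE_TREE), SAMPLE_ADVISORIES) yields one confirmed finding for log4j-core 2.14.1 and one test-scoped hit for junit that belongs in the residual-risk section rather than the vulnerability details.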

Key Principles

  • Collect evidence before drawing conclusions: prefer lockfiles and dependency:tree
  • Double verification: scanner results are only leads; versions and affected ranges must be confirmed manually
  • State uncertainty explicitly: anything that cannot be confirmed is marked "needs verification" or "insufficient evidence"
  • Focus on runtime: by default, only dependencies that actually reach the runtime classpath are considered

Contents

  1. Execution principles and environment - evidence weighting, vulnerability-matching labels, severity levels
  2. Maven project analysis - dependency tree analysis, scope reference, transitive dependency mechanics
  3. Gradle project analysis - dependency analysis, configuration reference, version catalogs
  4. Vulnerability scanning tools - using OWASP Dependency-Check, OSV, Grype, Trivy and others
  5. Command examples - quick reference of common commands
  6. Output and remediation templates - report templates, remediation code examples
  7. References and FAQ - cheat sheets, FAQ, reference links
Usage Guidance
This skill is a documentation-driven procedure for auditing Java dependencies; it appears internally consistent. Before using it, ensure you: (1) run it in a safe environment where reading project files and unpacking JARs is permitted (it inspects pom.xml/build.gradle and may unzip jars); (2) have the referenced CLI tools available (mvn, gradle, osv-scanner, trivy, grype, unzip, jdeps, etc.) or be prepared to install them yourself; (3) understand that the skill may call public vulnerability APIs (e.g., api.osv.dev) — if you need to avoid network calls, run the steps offline with local databases; and (4) verify reports manually (the skill itself emphasizes cross-checking and marking uncertain findings). There are no requests for secrets or elevated privileges in the skill materials.
Capability Analysis
Type: OpenClaw Skill
Name: java-dependency-security-scan
Version: 1.0.0
The skill bundle is a comprehensive and legitimate set of instructions for performing Java dependency security audits. It provides structured workflows for analyzing Maven and Gradle projects, using standard industry tools (OWASP Dependency-Check, OSV, Grype, Trivy), and generating remediation reports. There is no evidence of malicious intent, data exfiltration, or prompt injection attacks; all commands and guidelines are strictly aligned with the stated purpose of security scanning.
Capability Assessment
Purpose & Capability
The name/description (Java/Maven/Gradle dependency security scan) matches the SKILL.md and reference files. All required actions (reading pom.xml/build.gradle, running dependency:tree, inspecting JARs, querying vulnerability feeds like OSV) are consistent with that purpose. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Runtime instructions are explicit and limited to collecting project dependency evidence (lockfiles, dependency trees, build files), running known scanning tools (osv-scanner, grype, trivy, OWASP Dependency-Check), inspecting JAR contents and producing reports. There are no instructions to access unrelated system files, secrets, or to transmit data to unexpected endpoints beyond standard vulnerability feeds (example: api.osv.dev).
Install Mechanism
This is instruction-only with no install spec and no code files to execute. That minimizes install-time risk. The skill references external tools but does not attempt to download or execute code itself.
Credentials
The skill declares no required environment variables, credentials, or config paths. The referenced operations (file reads, CLI tool invocations, optional curl to OSV API) are proportionate to a dependency scanner and do not request unrelated secrets.
Persistence & Privilege
The always flag is false, and the skill does not request persistent system-level changes or access to other skills' configurations. It relies on ad-hoc commands and local file inspection, which is appropriate for its function.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install java-dependency-security-scan
  3. After installation, invoke the skill by name or use /java-dependency-security-scan
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of the java-dependency-security-scan skill.
- Supports security risk analysis for dependencies in Java, Maven, and Spring ecosystem projects.
- Provides workflows for collecting evidence, defining scan scope, matching vulnerabilities, and generating security reports.
- Detailed instructions for common scenarios such as scanning dependencies, verifying affected versions, analyzing CVEs, and auditing embedded JAR dependencies.
- Emphasizes evidence-based conclusions, dual confirmation, uncertainty marking, and runtime relevance.
- Includes references for principles, Maven/Gradle analysis, scanning tools, command examples, reporting templates, and FAQs.
Metadata
Slug: java-dependency-security-scan
Version: 1.0.0
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 1
Frequently Asked Questions

What is dependency-security-scan?

It analyzes dependency vulnerabilities in Java, Maven or Spring projects, verifies whether the used versions are affected, checks transitive and embedded dependencies, and produces a report with security remediation recommendations. It is an AI Agent Skill for Claude Code / OpenClaw, with 92 downloads so far.

How do I install dependency-security-scan?

Run "/install java-dependency-security-scan" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is dependency-security-scan free?

Yes, dependency-security-scan is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does dependency-security-scan support?

dependency-security-scan is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created dependency-security-scan?

It is built and maintained by qiushuizy (@qiushuizy); the current version is v1.0.0.
