
Dependency Audit

Author: Fratua · GitHub · v1.0.0
Tags: cross-platform · ⚠ suspicious
Total downloads: 957 · Favorites: 0 · Current installs: 1 · Versions: 1

Install in OpenClaw: `/install dependency-audit`
Description
Smart dependency health check — security audit, outdated detection, unused deps, and prioritized update plan
Usage (SKILL.md)

dependency-audit — Smart Dependency Health Check

Detect your package manager, run security audits, find outdated and unused dependencies, and generate a prioritized update plan.

Steps

1. Detect Package Manager

Check for these files in the project root:

| File | Ecosystem | Audit Command |
|------|-----------|---------------|
| package.json | Node.js (npm/yarn/pnpm) | `npm audit` |
| requirements.txt / pyproject.toml / Pipfile | Python | `pip-audit` |
| Cargo.toml | Rust | `cargo audit` |
| go.mod | Go | `govulncheck ./...` |
| Gemfile | Ruby | `bundle audit check` |

If multiple are found, audit all of them. If none found, stop and inform the user.

2. Run Security Audit

Node.js:

```
npm audit --json 2>/dev/null
# Parse: advisories, severity (critical/high/moderate/low), affected package, fix available
# Note: npm audit exits non-zero when vulnerabilities are found; that is not an error
```

Python:

```
# The CLI is pip-audit (pip itself has no "audit" subcommand)
pip-audit --format=json 2>/dev/null || pip-audit 2>/dev/null
# If pip-audit is not installed: pip install pip-audit
```

Rust:

```
cargo audit --json 2>/dev/null
# If not installed: cargo install cargo-audit
```

3. Check for Outdated Packages

Node.js:

```
npm outdated --json 2>/dev/null
# Shows: current, wanted (semver-compatible), latest
```

Python:

```
pip list --outdated --format=json 2>/dev/null
```

Rust:

```
cargo outdated -R 2>/dev/null   # -R: root (direct) dependencies only
# If not installed: cargo install cargo-outdated
```

4. Identify Unused Dependencies

Node.js — use depcheck:

```
npx depcheck --json 2>/dev/null
```

This reports both unused dependencies and missing ones (imported but not declared). If npx fails, scan source files manually:

```
# List all deps from package.json, then grep the source tree for imports/requires of each
# Flag any dep not referenced in any .js/.ts/.jsx/.tsx file
```

Python: compare imports against declared packages:

```
# Extract top-level imports from .py files
grep -rh "^import \|^from " --include="*.py" . | sort -u
# Compare against requirements.txt entries; note that the distribution name
# (e.g. PyYAML) can differ from the imported module name (yaml)
```
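The grep approach in step 4 compares distribution names with import lines as plain text, which misses the common case where the two differ (`PyYAML` is imported as `yaml`, `beautifulsoup4` as `bs4`) and trips over version specifiers, extras, environment markers and `-r` includes in requirements.txt. The following script is an added example, not part of the skill: it parses requirements.txt properly, collects top-level imports with Python's `ast` module, and applies a small, assumed distribution-to-module map. The requirements text and source files are constructed inline so it runs offline.

```python
"""Step 4 for Python: requirements.txt entries vs. modules actually imported.
Added example, not part of the dependency-audit skill."""
import ast
import re

# Constructed sample requirements.txt (deliberately messy).
REQUIREMENTS = """
# web stack
requests>=2.31
PyYAML==6.0.1
beautifulsoup4[html5lib] ; python_version >= "3.8"
Flask
-r dev-requirements.txt
six   # no longer imported anywhere
"""

# Constructed sample sources, keyed by path.
SOURCES = {
    "app/main.py": "import requests\nfrom flask import Flask\nimport os, sys\n",
    "app/parse.py": "import yaml\nfrom bs4 import BeautifulSoup\n\ndef f():\n    import json\n",
}

# Assumed map of distribution name -> import name for common mismatches.
# A plain grep on the requirement name misses exactly these packages.
IMPORT_NAME_MAP = {"pyyaml": "yaml", "beautifulsoup4": "bs4",
                   "pillow": "PIL", "scikit-learn": "sklearn"}


def normalize(name):
    """PEP 503 normalization: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return bare distribution names, skipping comments, options and markers."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # -r / -e / --index-url lines are not packages
        line = line.split(";", 1)[0]  # drop environment marker
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.append(match.group(0))  # stops before [extras] and version specs
    return names


def top_level_imports(source):
    """Top-level module names imported anywhere in the file (incl. inside functions)."""
    modules = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            modules.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            modules.add(node.module.split(".")[0])  # level > 0 is a relative import
    return modules


def find_unused(requirements_text, sources, import_map=IMPORT_NAME_MAP):
    """Declared distributions that no source file imports under any known name."""
    imported = {m.lower() for src in sources.values() for m in top_level_imports(src)}
    unused = []
    for dist in parse_requirements(requirements_text):
        key = normalize(dist)
        candidates = {import_map.get(key, key), key.replace("-", "_")}
        if not any(c.lower() in imported for c in candidates):
            unused.append(dist)
    return unused


if __name__ == "__main__":
    for dist in find_unused(REQUIREMENTS, SOURCES):
        print(f"| {dist} | `pip uninstall {dist}` |")
```

Treat the result as a candidate list, not a verdict: packages loaded via plugins, entry points or `importlib` never appear as literal imports, so confirm before removing anything.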

5. Generate Prioritized Update Plan

Organize findings into priority tiers:

## 🔴 Critical — Security Vulnerabilities
| Package | Severity | Current | Fixed In | Command |
|---------|----------|---------|----------|---------|
| lodash | CRITICAL | 4.17.19 | 4.17.21 | `npm install lodash@4.17.21` |

## 🟠 High — Breaking Updates Available
| Package | Current | Latest | Breaking Changes |
|---------|---------|--------|-----------------|
| express | 4.18.2 | 5.0.0 | New router API |

## 🟡 Medium — Minor/Patch Updates
| Package | Current | Latest | Command |
|---------|---------|--------|---------|
| axios | 1.5.0 | 1.6.2 | `npm install axios@1.6.2` |

## 🟢 Low — Unused Dependencies
| Package | Action |
|---------|--------|
| moment | `npm uninstall moment` |
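Steps 2, 3 and 5 together amount to: read the JSON that `npm audit --json` and `npm outdated --json` emit, classify each finding, and lay the result out as the tiered tables above. The script below is an added example, not part of the skill, that does exactly that on constructed samples in the npm 7+ audit format (`auditReportVersion` 2) and the `npm outdated` JSON format. Two details the skill's prose glosses over are handled explicitly: `fixAvailable` can be an object (fix version known), `true` (resolved by `npm audit fix`) or `false` (no fix published), and an outdated package is "breaking" only when its major version changes.

```python
"""Build the prioritized update plan from `npm audit --json` and
`npm outdated --json` output (steps 2, 3 and 5 of the skill).
Added example, not part of the dependency-audit skill."""
import json

# Constructed sample in the npm 7+ audit format (auditReportVersion 2).
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "lodash": {"name": "lodash", "severity": "critical", "isDirect": True,
                   "range": "<4.17.21",
                   "fixAvailable": {"name": "lodash", "version": "4.17.21",
                                    "isSemVerMajor": False}},
        "minimist": {"name": "minimist", "severity": "moderate", "isDirect": False,
                     "range": "<1.2.6", "fixAvailable": True},
        "old-lib": {"name": "old-lib", "severity": "high", "isDirect": True,
                    "range": "*", "fixAvailable": False},
    },
})

# Constructed sample in the `npm outdated --json` format.
SAMPLE_OUTDATED = json.dumps({
    "express": {"current": "4.18.2", "wanted": "4.18.2", "latest": "5.0.0"},
    "axios": {"current": "1.5.0", "wanted": "1.6.2", "latest": "1.6.2"},
})

SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}


def parse_audit(raw):
    """One row per vulnerable package, most severe first."""
    rows = []
    for name, vuln in json.loads(raw).get("vulnerabilities", {}).items():
        fix = vuln.get("fixAvailable")
        if isinstance(fix, dict):  # exact fix version known
            fixed_in = fix["version"]
            command = f"npm install {fix['name']}@{fix['version']}"
            if fix.get("isSemVerMajor"):
                command += "  # semver-major fix: test before merging"
        elif fix is True:  # fixable, but only via the batch command
            fixed_in, command = "(via npm audit fix)", "npm audit fix"
        else:  # no fix published
            fixed_in, command = "none", "no fix published: assess exposure or replace"
        rows.append({"package": name, "severity": vuln.get("severity", "info"),
                     "direct": vuln.get("isDirect", False),
                     "fixed_in": fixed_in, "command": command})
    return sorted(rows, key=lambda r: SEVERITY_RANK.get(r["severity"], 99))


def major(version):
    """Leading numeric component of a version string ("5.0.0-beta.1" -> 5)."""
    return int(version.lstrip("v^~").split(".")[0])


def parse_outdated(raw):
    """Split outdated packages into breaking (major bump) and compatible."""
    breaking, compatible = [], []
    for name, info in json.loads(raw).items():
        current, latest = info.get("current"), info["latest"]
        row = {"package": name, "current": current or "(not installed)",
               "latest": latest, "command": f"npm install {name}@{latest}"}
        # No `current` means the package is declared but not installed;
        # compatibility cannot be assessed, so it goes in the breaking tier.
        if current is None or major(latest) > major(current):
            breaking.append(row)
        else:
            compatible.append(row)
    return breaking, compatible


def build_plan(audit_raw, outdated_raw):
    breaking, compatible = parse_outdated(outdated_raw)
    return {"critical": parse_audit(audit_raw), "high": breaking, "medium": compatible}


def render(plan):
    """Markdown tables in the layout used by step 5."""
    out = ["## Critical - Security Vulnerabilities",
           "| Package | Severity | Direct | Fixed In | Command |", "|---|---|---|---|---|"]
    out += [f"| {r['package']} | {r['severity'].upper()} | {r['direct']} | "
            f"{r['fixed_in']} | `{r['command']}` |" for r in plan["critical"]]
    for title, key in (("## High - Breaking Updates Available", "high"),
                       ("## Medium - Minor/Patch Updates", "medium")):
        out += ["", title, "| Package | Current | Latest | Command |", "|---|---|---|---|"]
        out += [f"| {r['package']} | {r['current']} | {r['latest']} | `{r['command']}` |"
                for r in plan[key]]
    return "\n".join(out)


if __name__ == "__main__":
    print(render(build_plan(SAMPLE_AUDIT, SAMPLE_OUTDATED)))
```

To feed real output into `build_plan`, run the two npm commands with `subprocess.run([...], capture_output=True, text=True, check=False)` and parse `stdout`: as the Error Handling table notes, `npm audit` exits non-zero whenever it finds anything, so a non-zero status must not be treated as a failure.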

6. Provide Safe Update Commands

For batch updates, generate copy-pasteable commands:

```
# Security fixes (safe: patch updates only)
npm audit fix

# All compatible updates (non-breaking)
npm update

# Specific breaking update (test thoroughly)
npm install express@5.0.0
```

For Python:

```
pip install --upgrade package_name
```

7. Output Summary

# Dependency Health Report — [project-name]
**Date:** 2025-02-15 | **Ecosystem:** Node.js (npm)

| Category | Count |
|----------|-------|
| 🔴 Security vulnerabilities | 2 |
| 🟠 Major updates available | 3 |
| 🟡 Minor/patch updates | 8 |
| 🟢 Unused dependencies | 1 |
| ✅ Up-to-date | 42 |

Edge Cases

  • Lock file conflicts: If package-lock.json is out of sync, run npm install first
  • Private registries: npm audit may fail — suggest --registry=https://registry.npmjs.org
  • Monorepo: Check each workspace. For npm: npm audit --workspaces
  • No internet: Report that audit requires network access
  • Audit tool not installed: Provide install command (e.g., pip install pip-audit)

Error Handling

| Error | Resolution |
|-------|------------|
| `npm audit` returns non-zero | Normal: it means vulnerabilities were found; parse the output |
| `pip-audit` not found | `pip install pip-audit`, then retry |
| `cargo audit` not found | `cargo install cargo-audit`, then retry |
| Network error | Check connectivity; suggest `--offline` if the tool supports it |
| Permission denied | Suggest running without sudo; check file ownership |

Built by Clawb (SOVEREIGN) — more skills at [coming soon]

Safe Usage Advice
This skill appears coherent and appropriate for auditing dependencies, but it will run shell commands in your project and may suggest or execute package-manager operations that modify local state (installing audit tools, running `npm audit fix`, `npm update`, etc.). Before running: (1) review and approve generated commands rather than auto-running them; (2) prefer running in an isolated environment (container, VM, or branch) to avoid unintended changes to your system or repo; (3) be aware `npx` executes code fetched from the registry and installing tools (cargo/pip) writes to your home environment; (4) if your project uses private registries or tokens, ensure those credentials are not inadvertently exposed when running commands or when pasting outputs to external services. If you want stricter safety, run the audit manually using the commands the skill generates.
Functional Analysis
Type: OpenClaw Skill
Name: dependency-audit
Version: 1.0.0

The skill is designed to perform a legitimate dependency audit, but it requires and instructs the AI agent to execute a wide range of powerful shell commands (`npm`, `pip`, `cargo`, `npx`, `grep`) with broad file system access (e.g., `grep -rh` to scan all Python files) and network capabilities (for audits and tool installations like `pip install pip-audit`). While these actions are necessary for its stated purpose, the extensive shell execution and file system access capabilities, combined with instructions to install new tools, present a significant attack surface and inherent risk. There is no clear evidence of intentional malicious behavior such as data exfiltration or backdoor installation, but the broad permissions and execution capabilities make it suspicious.
Capability Assessment
Purpose & Capability
Name and description match the runtime instructions: detecting language manifests, running audits (npm/pip/cargo/govulncheck), checking outdated packages, identifying unused deps, and creating update plans. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructs the agent to run shell commands in the project root (audit commands, outdated checks, depcheck, grepping source files). It also recommends installing missing audit tools (e.g., `pip install pip-audit`, `cargo install cargo-audit`) and using `npx depcheck` which fetches and executes a package. These actions are within the audit purpose but will execute code, access project files, and may change local state (installing tools, updating lockfiles if the recommended commands are run).
Install Mechanism
This is an instruction-only skill with no install spec or shipped code. The SKILL.md recommends using standard package managers to install audit tooling if absent; that's expected for this functionality and there is no embedded arbitrary download URL or extractor in the skill itself.
Credentials
The skill requests no environment variables, credentials, or config paths. The commands may interact with package registries and local configs (e.g., npm registry settings), but the skill does not declare or demand any secrets.
Persistence & Privilege
`always` is false and the skill does not request persistent or system-wide privileges. The instructions may cause the user to install CLI tools into their environment if they follow them, but the skill itself does not install or persist code on the agent platform.
How to Use
  1. Make sure OpenClaw is installed (local or Docker deployment).
  2. Enter the install command in the chat box: /install dependency-audit
  3. Once installed, invoke the skill by name or trigger it with /dependency-audit.
  4. Provide the inputs described in the skill's parameter documentation to get structured output.
Version History
v1.0.0
Initial release of dependency-audit skill.
  • Automatically detects package managers (Node.js, Python, Rust, Go, Ruby) and audits for security issues, outdated, and unused dependencies.
  • Produces a prioritized update plan with clear actions for critical vulnerabilities, major, minor updates, and unused dependencies.
  • Suggests safe update commands for batch and individual updates.
  • Handles edge cases including missing tools, lock file conflicts, monorepos, and connectivity issues.
  • Presents a summary report for quick dependency health overview.
Metadata
Slug: dependency-audit
Version: 1.0.0
License: (not specified)
Total installs: 1
Current installs: 1
Versions: 1
FAQ

What is Dependency Audit?

Smart dependency health check: security audit, outdated detection, unused deps, and prioritized update plan. It is an AI agent skill plugin for Claude Code / OpenClaw, with 957 downloads to date.

How do I install Dependency Audit?

Run the command "/install dependency-audit" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Dependency Audit free?

Yes, Dependency Audit is completely free (open source) and can be freely downloaded, installed and used.

Which platforms does Dependency Audit support?

Dependency Audit is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Dependency Audit?

Developed and maintained by Fratua (@fratua); the current version is v1.0.0.
