tuthan

Dependency Guard

Author: Hung Vo · GitHub · v1.0.1 · MIT-0
cross-platform ✓ Security check passed
Total downloads: 130 · Favorites: 0 · Current installs: 0 · Versions: 2
Install in OpenClaw
/install dependency-guard
Description
Use when a task adds, upgrades, removes, or reviews software dependencies and the agent should apply a Socket-based supply-chain guardrail before changing ma...
Usage instructions (SKILL.md)

Dependency Guard

Use this skill when dependency changes are in scope for npm, pnpm, yarn, Python packages, or other package ecosystems supported by Socket.

Prerequisites

  • The socket CLI must be installed and on PATH (npm install -g socket).
  • Authentication is required for CLI-based reviews. See the Authentication section below.

Workflow

  1. Confirm the exact dependency change being proposed.
  2. Check whether the feature can be implemented with the standard library or an existing project dependency.
  3. Prefer MCP depscore if the host agent exposes it.
  4. Otherwise run scripts/check_dependency.sh <ecosystem> <package> [version].
  5. Apply the policy in references/policy.md.
  6. Apply the decision rules in references/decision-matrix.md.
  7. Before making the change, report:
    • why the package is needed
    • whether an existing alternative exists
    • what Socket reported
    • whether install scripts, risky capabilities, or transitive risk are present
  8. If the decision is allow_with_warning, present the warning clearly before making the change. If the decision is block_pending_human_review or block, stop and propose either:
    • a safer dependency
    • a no-dependency implementation
    • explicit human review

Authentication

Three authentication paths are supported, in order of preference:

  1. MCP depscore — no local credentials needed; works through the host agent's MCP connection.
  2. socket login — interactive CLI login; stores auth locally.
    • If your CLI supports it, pressing Enter at the token prompt uses limited public access.
    • To use a private token, paste it at the prompt instead.
  3. SOCKET_SECURITY_API_TOKEN env var — set this for CI or headless environments.

Security: Never paste private tokens into agent prompts. Use the env var or socket login instead.

CI note: GitHub Actions workflows use SOCKET_SECURITY_API_KEY (a separate GitHub-integration key), not SOCKET_SECURITY_API_TOKEN. See examples/github/dependency-guard.yml.

Reporting Contract

Use the short response template in references/examples.md when presenting the package review to the user.

References

  • Read references/policy.md for the canonical guardrail.
  • Read references/decision-matrix.md for allow/block criteria.
  • Read references/examples.md for user-facing review examples.

Notes

  • Keep SKILL.md lean; do not duplicate the full policy here.
  • OpenClaw and ClawHub expect metadata to be a single-line JSON object in frontmatter, so keep the OpenClaw metadata compact.
  • The version field in frontmatter is the single source of truth; use publish_clawhub.sh --bump patch|minor|major to auto-increment.
  • Do not assume system-wide wrapper enforcement or shell-completion setup is desirable; keep CLI setup minimal.
  • If Socket tooling is unavailable, require human review before adding the dependency.
  • Review manifest and lockfile changes together.
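
The authentication order and the fail-closed note above, as an added example (not part of the skill or its scripts/check_dependency.sh). The function names and the run_review label are hypothetical, whether MCP depscore is exposed is passed in by the caller, and GITHUB_ACTIONS is the variable GitHub Actions sets to true on its runners.

```shell
#!/bin/sh
# Added example: fail-closed preflight for the Dependency Guard workflow.
# Function names and the "run_review" label are hypothetical; the env var
# names and block_pending_human_review come from the page.

# Print the first usable review path, in the page's order of preference.
# $1 = "yes" when the host agent exposes MCP depscore (caller-supplied,
# because a shell script cannot detect an MCP connection).
pick_review_path() {
    if [ "${1:-no}" = "yes" ]; then
        echo "mcp_depscore"
    elif ! command -v socket >/dev/null 2>&1; then
        echo "none"              # Socket tooling unavailable
    elif [ -n "${SOCKET_SECURITY_API_TOKEN:-}" ]; then
        echo "cli_env_token"     # CI / headless path
    else
        echo "cli_login"         # relies on a stored `socket login` session
    fi
}

# True when the variable mix-up the page warns about is present: the
# GitHub-integration key is set, the CLI token is not, and the process is
# not running inside GitHub Actions.
token_name_mismatch() {
    [ -n "${SOCKET_SECURITY_API_KEY:-}" ] &&
    [ -z "${SOCKET_SECURITY_API_TOKEN:-}" ] &&
    [ "${GITHUB_ACTIONS:-}" != "true" ]
}

# Gate: print "run_review:<path>" and return 0, or print
# block_pending_human_review and return 1 when no Socket tooling is usable.
preflight() {
    path=$(pick_review_path "${1:-no}")
    if token_name_mismatch; then
        echo "warning: SOCKET_SECURITY_API_KEY is set, but headless CLI auth uses SOCKET_SECURITY_API_TOKEN" >&2
    fi
    if [ "$path" = "none" ]; then
        echo "block_pending_human_review"
        return 1
    fi
    echo "run_review:$path"
}

# Usage: preflight yes   (host exposes MCP depscore)
#        preflight no    (fall back to the socket CLI)
```

A non-zero return from preflight means the agent stops and asks for human review instead of changing the manifest.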
Security usage advice
This skill appears to do what it says: it runs the Socket CLI (or MCP depscore) to produce a dependency review report. Before installing or invoking it: 1) ensure the socket CLI you install is from the official source (npm package 'socket' or your org's vetted binary); 2) prefer using MCP depscore or an environment variable for CI (SOCKET_SECURITY_API_TOKEN) rather than pasting private tokens into interactive prompts; 3) be aware the skill may read repository manifests and write temporary report files under tmp/; 4) note the documentation/examples reference several env vars (SOCKET_SECURITY_API_TOKEN vs SOCKET_SECURITY_API_KEY vs GH_API_TOKEN) — confirm which tokens your environment needs and avoid exposing secrets to untrusted prompts. If those three points are acceptable, the skill is coherent and appropriate for its purpose.
Capability assessment
Purpose & Capability
The skill is explicitly a Socket-backed dependency review helper and declares the socket CLI as required; that aligns with the description and workflow. Included references and decision logic match the stated goal of approving/blocking dependency changes.
Instruction Scope
Runtime instructions direct the agent to use MCP depscore or the socket CLI and to run the bundled scripts/check_dependency.sh which only invokes the socket CLI and reads local manifests/reports. This is in-scope. Minor note: the SKILL.md and examples reference environment variables (SOCKET_SECURITY_API_TOKEN, SOCKET_SECURITY_API_KEY, GH_API_TOKEN) and interactive `socket login` flows that are optional but sensitive; those env vars are not declared in requires.env.
Install Mechanism
No install spec is provided (instruction-only with a small helper script). The only runtime dependency is the socket CLI, which the skill documents installing via npm; no external downloads or extraction of arbitrary archives occur in the skill bundle.
Credentials
The skill does not require credentials by default, which is proportional. However SKILL.md and examples mention several optional tokens (SOCKET_SECURITY_API_TOKEN for headless CLI auth, SOCKET_SECURITY_API_KEY for GitHub integration, GH_API_TOKEN) — these are reasonable for CI or Socket integration but are not declared in requires.env, and the example uses a different Socket env var name than the SKILL.md. This mismatch is benign but worth noting so users don't accidentally supply secrets in the wrong place.
Persistence & Privilege
The skill is not always-on and does not request system-wide privileges. It does not modify other skills or system settings. It runs a helper script and the socket CLI only when invoked.
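How to use
  1. Make sure OpenClaw is installed (local or Docker deployment).
  2. Enter the install command in the chat box: /install dependency-guard
  3. Once installed, call the Skill by name or trigger it with /dependency-guard.
  4. Provide the required input according to the Skill's parameter description to get structured output.
Version history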
v1.0.1
  • Added version field and prerequisites to SKILL.md; updated metadata to declare required `socket` CLI.
  • Expanded authentication instructions, including explicit support for `SOCKET_SECURITY_API_TOKEN` and GitHub Actions integration.
  • Removed 12 files: docs, agent configs, helper scripts, and all test scripts.
  • Simplified repository to essential docs and example workflow.
v1.0.0
Initial release of dependency-guard skill:
  • Introduces a skill to enforce supply-chain risk checks before changing package dependencies using Socket or MCP `depscore`.
  • Provides a structured workflow to evaluate, score, and document dependency changes.
  • Specifies clear allow/block decision rules and reporting requirements.
  • Includes minimal OpenClaw metadata for compatibility across hosts.
  • Ensures human review requirement if automated tooling is unavailable.
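Metadata
Slug: dependency-guard
Version: 1.0.1
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 2
Frequently asked questions

What is Dependency Guard?

Use when a task adds, upgrades, removes, or reviews software dependencies and the agent should apply a Socket-based supply-chain guardrail before changing ma... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 130 downloads to date.

How do I install Dependency Guard?

Run the command "/install dependency-guard" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.

Is Dependency Guard free?

Yes. Dependency Guard is completely free and released under the MIT-0 license; it can be freely downloaded, installed and used.

Which platforms does Dependency Guard support?

Dependency Guard runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Dependency Guard?

It is developed and maintained by Hung Vo (@tuthan); the current version is v1.0.1.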
