← 返回 Skills 市场
Dependency Health Check
作者
charlie-morrison
· GitHub ↗
· v1.0.0
· MIT-0
48
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install dependency-health-check
功能描述
Multi-ecosystem dependency audit — find outdated, vulnerable, unused, and license-incompatible packages across npm, pip, cargo, go, and composer. Use when as...
使用说明 (SKILL.md)
Dependency Health Check
Audit project dependencies across ecosystems for security, freshness, license compliance, and unused bloat. Produces a prioritized upgrade plan with risk assessment.
Use when: "check our dependencies", "are we up to date", "audit packages", "plan an upgrade", "find unused deps".
Step 1 — Detect Ecosystem
# Auto-detect package managers
ls package.json package-lock.json yarn.lock pnpm-lock.yaml 2>/dev/null # Node.js
ls requirements.txt Pipfile pyproject.toml setup.py 2>/dev/null # Python
ls Cargo.toml Cargo.lock 2>/dev/null # Rust
ls go.mod go.sum 2>/dev/null # Go
ls composer.json composer.lock 2>/dev/null # PHP
ls Gemfile Gemfile.lock 2>/dev/null # Ruby
Step 2 — Outdated Packages
Node.js
npm outdated --json 2>/dev/null | jq 'to_entries[] | {name: .key, current: .value.current, wanted: .value.wanted, latest: .value.latest}'
# or
yarn outdated --json 2>/dev/null
pnpm outdated --format json 2>/dev/null
Python
pip list --outdated --format json 2>/dev/null | jq '.[] | {name, version, latest_version}'
# or with pip-audit
pip-audit --format json 2>/dev/null
Rust
cargo outdated -R --format json 2>/dev/null
Go
go list -u -m -json all 2>/dev/null | jq 'select(.Update) | {Path, Version, Update: .Update.Version}'
PHP
composer outdated --format json 2>/dev/null
Step 3 — Vulnerability Scan
# Node.js
npm audit --json 2>/dev/null | jq '.vulnerabilities | to_entries[] | {name: .key, severity: .value.severity, fixAvailable: .value.fixAvailable}'
# Python
pip-audit --format json 2>/dev/null
# or
safety check --json 2>/dev/null
# Rust
cargo audit --json 2>/dev/null
# Go
govulncheck ./... 2>/dev/null
# Universal (if installed)
trivy fs --format json --scanners vuln . 2>/dev/null | jq '.Results[].Vulnerabilities[]? | {PkgName, Severity, Title}'
Step 4 — Unused Dependencies
Node.js
# depcheck finds unused deps
npx depcheck --json 2>/dev/null | jq '{unused: .dependencies, devUnused: .devDependencies, missing: .missing}'
Python
# Check imports vs requirements
pip install pipreqs 2>/dev/null
pipreqs . --print 2>/dev/null > /tmp/actual-imports.txt
diff \x3C(sort requirements.txt | sed 's/[>=\x3C].*//' | tr '[:upper:]' '[:lower:]') \
\x3C(sort /tmp/actual-imports.txt | sed 's/[>=\x3C].*//' | tr '[:upper:]' '[:lower:]')
Rust
cargo udeps 2>/dev/null # requires nightly
Step 5 — License Audit
# Node.js
npx license-checker --json 2>/dev/null | jq 'to_entries[] | {pkg: .key, license: .value.licenses}' | head -40
# Python
pip-licenses --format json 2>/dev/null | jq '.[] | {Name, License}'
# Universal
trivy fs --format json --scanners license . 2>/dev/null
Flag: GPL in MIT projects, AGPL in SaaS, unknown/unlicensed packages, dual-license packages.
Step 6 — Risk Assessment
For each outdated dependency, evaluate:
- Severity: critical (known CVE) > high (>2 major versions behind) > medium (minor behind) > low (patch behind)
- Breaking changes: check the changelog/release notes for breaking changes between current and latest
- Usage frequency: grep for imports — a heavily-used dep is riskier to upgrade
- Test coverage: if the dep's area has good tests, the upgrade is safer
Output Template
# Dependency Health Report
**Project:** [name]
**Scanned:** [date]
**Ecosystems:** Node.js, Python, etc.
## Summary
- Total dependencies: X
- Outdated: X (Y critical, Z major behind)
- Vulnerabilities: X (Y critical, Z high)
- Unused: X (safe to remove)
- License issues: X
## Critical (fix now)
| Package | Current | Latest | Issue | Risk |
|---------|---------|--------|-------|------|
| lodash | 4.17.20 | 4.17.21 | CVE-2021-23337 (prototype pollution) | High — used in 47 files |
## Recommended Upgrades (this sprint)
| Package | Current | Latest | Breaking Changes | Effort |
|---------|---------|--------|-----------------|--------|
| react | 17.0.2 | 18.3.1 | Yes — concurrent mode, new root API | 2-4 hours |
## Safe Quick Wins (patch updates)
Packages that can be bumped with minimal risk:
- `axios`: 1.6.0 → 1.7.2 (bug fixes only)
- `dotenv`: 16.3.1 → 16.4.5 (no breaking changes)
## Unused (remove)
- `moment` — imported nowhere, replaced by date-fns
- `@types/express` — no Express code found
## License Flags
- `[email protected]`: GPL-3.0 in MIT project — review compatibility
Upgrade Workflow
After the audit:
- Fix critical vulnerabilities first (
npm audit fix,pip-audit --fix) - Remove unused dependencies
- Batch patch updates into one PR
- Plan major upgrades individually with dedicated PRs
- Run tests after each upgrade batch
Notes
- Always run the project's test suite after upgrades
- For monorepos, audit each workspace separately
npm audit fix --forcecan introduce breaking changes — prefer targeted fixes- Check
CHANGELOG.mdor GitHub releases for each major version jump
安全使用建议
This skill appears to do what it says (a multi-ecosystem dependency audit), but it expects the agent to run many CLI tools and to install or invoke third-party packages (via pip, npx, etc.) at runtime — behavior that can execute code fetched from the network and modify the runtime environment. Before installing or running this skill: (1) require the author to list required binaries/tools in metadata; (2) run audits in an isolated environment (container/VM/CI job) or a Python venv and avoid global installs; (3) inspect/approve any commands that will run package-manager installs (npx/pip) or scanners that pull remote data; (4) prefer running these steps manually or with explicit confirmation prompts rather than giving the skill autonomous execution permission. If you need higher assurance, ask the publisher for a version that vendors the audit tools or documents exact network interactions and install behavior.
功能分析
Type: OpenClaw Skill
Name: dependency-health-check
Version: 1.0.0
The dependency-health-check skill is a legitimate utility for auditing project dependencies across multiple ecosystems (Node.js, Python, Rust, Go, PHP). It uses standard industry tools such as npm audit, pip-audit, cargo audit, and trivy to identify vulnerabilities, outdated packages, and license compliance issues. The instructions in SKILL.md are transparent, align perfectly with the stated purpose, and contain no evidence of data exfiltration, persistence mechanisms, or malicious command execution.
能力评估
Purpose & Capability
The SKILL.md implements a multi-ecosystem dependency audit (npm, pip, cargo, go, composer, etc.), which matches the name/description. However, the metadata declares no required binaries or credentials even though the instructions rely heavily on many CLI tools (npm, yarn/pnpm, pip, pip-audit, cargo, cargo-audit, go, composer, npx, jq, trivy, govulncheck, depcheck, pipreqs, pip-licenses, etc.). The omission of required-binaries in metadata is an inconsistency and reduces transparency.
Instruction Scope
Runtime instructions tell the agent to run many shell commands that read the repo tree (expected) but also to install and invoke third-party tooling (e.g., 'pip install pipreqs', 'npx depcheck', 'npx license-checker', trivy, govulncheck). Those commands will fetch and execute code from package registries / networks and can modify the runtime environment (global Python packages, npx temporary installs). The instructions also include writes to /tmp and use bash-specific features. While these actions are typical for an audit, they broaden the blast radius and should be explicitly declared and sandboxed.
Install Mechanism
There is no install spec (instruction-only), which minimizes permanent additions to disk. However, the instructions rely on on-demand installs via language package managers (pip, npx) and external scanners (trivy, govulncheck) that will fetch code from the network. This transient install/exec behavior is normal for such a tool but carries higher risk than pure read-only auditing.
Credentials
The skill does not request any environment variables, credentials, or config paths. It reads project files (package manifests) which is appropriate for an audit. No unrelated secrets are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges in metadata. It does not declare modifying other skills or global agent settings.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install dependency-health-check - 安装完成后,直接呼叫该 Skill 的名称或使用
/dependency-health-check触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release: multi-ecosystem dependency audit for outdated, vulnerable, unused, and license-incompatible packages
元数据
常见问题
Dependency Health Check 是什么?
Multi-ecosystem dependency audit — find outdated, vulnerable, unused, and license-incompatible packages across npm, pip, cargo, go, and composer. Use when as... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 48 次。
如何安装 Dependency Health Check?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install dependency-health-check」即可一键安装,无需额外配置。
Dependency Health Check 是免费的吗?
是的,Dependency Health Check 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Dependency Health Check 支持哪些平台?
Dependency Health Check 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Dependency Health Check?
由 charlie-morrison(@charlie-morrison)开发并维护,当前版本 v1.0.0。
推荐 Skills