
dependency-license-audit

Author charlie-morrison · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security check passed
Total downloads: 102 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw
/install dependency-license-audit
Description
Scan project dependencies for license compatibility issues, GPL contamination, and compliance violations. Supports npm, pip, Go, Rust, and Ruby ecosystems. U...
Usage (SKILL.md)

Dependency License Audit

Scan project dependencies for license compatibility issues across multiple ecosystems.

Quick Start

# Basic scan (permissive policy)
python3 scripts/license_audit.py /path/to/project

# Strict enterprise scan with CI exit codes
python3 scripts/license_audit.py /path/to/project --policy permissive --ci --format markdown

# Allow weak copyleft (LGPL, MPL)
python3 scripts/license_audit.py /path/to/project --policy weak-copyleft

# Include transitive deps (npm)
python3 scripts/license_audit.py /path/to/project --include-transitive

# JSON output for tooling
python3 scripts/license_audit.py /path/to/project --format json

Supported Ecosystems

Ecosystem | Files Parsed                                                  | License Source
npm       | package.json, package-lock.json, node_modules/*/package.json  | Package metadata
pip       | requirements.txt, Pipfile, pyproject.toml                     | Installed package metadata
Go        | go.mod                                                        | Manual/UNKNOWN (no local metadata)
Rust      | Cargo.toml                                                    | Manual/UNKNOWN (no local metadata)
Ruby      | Gemfile                                                       | Manual/UNKNOWN (no local metadata)

npm and pip auto-detect licenses from installed packages. Go/Rust/Ruby report UNKNOWN unless packages are installed — review manually.

Policies

Policy               | Allows                           | Use When
permissive (default) | MIT, Apache-2.0, BSD, ISC, etc.  | Proprietary/commercial projects
weak-copyleft        | + LGPL, MPL, EPL                 | Library consumers (dynamic linking)
any-open             | All OSI-approved                 | Open-source projects
custom               | User-defined                     | Enterprise with specific requirements

For custom policy setup, see references/custom-policy.md.

Output Formats

  • text — Human-readable terminal output (default)
  • json — Machine-readable for CI pipelines and tooling
  • markdown — Report with tables, suitable for PRs or documentation

CI Exit Codes

With --ci flag:

  • 0 — No issues
  • 1 — Warnings only (unknown licenses)
  • 2 — Policy violations found

License Classifications

The scanner classifies licenses into categories:

  • permissive — MIT, Apache-2.0, BSD, ISC, Unlicense, CC0, etc.
  • weak-copyleft — LGPL, MPL, EPL, CDDL (modifications must be shared, but linking is OK)
  • strong-copyleft — GPL, AGPL, SSPL (derivative works inherit the license)
  • proprietary — UNLICENSED or commercial indicators
  • unknown — Not recognized; manual review needed

SPDX expressions (MIT OR Apache-2.0, MIT AND BSD-3-Clause) are evaluated: OR picks the most permissive alternative, AND picks the most restrictive component.

Workflow

  1. Run audit against project directory
  2. Review violations and warnings in output
  3. For each violation, follow the recommendations provided
  4. Optionally create .license-policy.json for custom rules
  5. Add --ci flag to CI pipeline for automated enforcement
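The classification, SPDX evaluation and CI exit-code rules above can be shown end to end in a small scanner. The following is an added example written for this page; it is not the skill's own scripts/license_audit.py, and the names (classify, evaluate_spdx, audit, SAMPLE_DEPS) and the choice to rank unknown licenses as the most restrictive category are assumptions of this example. It also goes slightly beyond the text by handling parentheses, "WITH" exception clauses and unparseable free-text license strings, which real npm metadata frequently contains.

```python
"""Toy dependency license audit: classify, evaluate SPDX expressions, apply a policy.

Added example, not the skill's script. Names and the ranking of "unknown" as the
most restrictive category are assumptions made here for illustration.
"""
import re

# SPDX identifiers per category (a representative subset, not an exhaustive list)
CATEGORIES = {
    "permissive": {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC",
                   "Unlicense", "CC0-1.0"},
    "weak-copyleft": {"LGPL-2.1", "LGPL-3.0", "MPL-2.0", "EPL-2.0", "CDDL-1.0"},
    "strong-copyleft": {"GPL-2.0", "GPL-3.0", "AGPL-3.0", "SSPL-1.0"},
    "proprietary": {"UNLICENSED"},
}
# Least to most restrictive. OR takes the lowest rank, AND the highest.
# "unknown" is ranked last so an AND with an unrecognised id still demands review.
RANK = {"permissive": 0, "weak-copyleft": 1, "strong-copyleft": 2,
        "proprietary": 3, "unknown": 4}
POLICIES = {
    "permissive": {"permissive"},
    "weak-copyleft": {"permissive", "weak-copyleft"},
    "any-open": {"permissive", "weak-copyleft", "strong-copyleft"},
}


def classify(license_id):
    """Map one SPDX id to a category; GPL-style suffixes (-only, -or-later, +) are ignored."""
    base = re.sub(r"(-only|-or-later|\+)$", "", license_id.strip())
    for category, ids in CATEGORIES.items():
        if base in ids:
            return category
    return "unknown"


class _Parser:
    """Recursive-descent parser: expr := and (OR and)*; and := prim (AND prim)*;
    prim := '(' expr ')' | ID [WITH ID]. AND binds tighter than OR, as in SPDX."""

    def __init__(self, expr):
        self.toks = re.findall(r"\(|\)|\bAND\b|\bOR\b|\bWITH\b|[A-Za-z0-9.+-]+", expr)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):
        cat = self.and_expr()
        while self.peek() == "OR":
            self.take()
            cat = min(cat, self.and_expr(), key=RANK.get)  # OR: most permissive
        return cat

    def and_expr(self):
        cat = self.primary()
        while self.peek() == "AND":
            self.take()
            cat = max(cat, self.primary(), key=RANK.get)  # AND: most restrictive
        return cat

    def primary(self):
        tok = self.take()
        if tok == "(":
            cat = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return cat
        if tok is None or tok in ("AND", "OR", "WITH", ")"):
            raise ValueError("malformed SPDX expression")
        if self.peek() == "WITH":  # exception clause: classify the base license
            self.take()
            self.take()
        return classify(tok)


def evaluate_spdx(expr):
    """Category of a whole SPDX expression; anything unparseable (e.g. npm's
    'SEE LICENSE IN ...') is reported as unknown rather than raising."""
    if not expr or not expr.strip():
        return "unknown"
    try:
        parser = _Parser(expr)
        cat = parser.expr()
        if parser.peek() is not None:
            raise ValueError("trailing tokens")
        return cat
    except ValueError:
        return "unknown"


def audit(deps, policy="permissive"):
    """deps: {name: license expression}. Returns (ci_exit_code, findings) where
    findings are (name, expr, category, 'warning'|'violation') tuples."""
    allowed = POLICIES[policy]
    findings = []
    for name, expr in deps.items():
        cat = evaluate_spdx(expr)
        if cat == "unknown":
            findings.append((name, expr, cat, "warning"))
        elif cat not in allowed:
            findings.append((name, expr, cat, "violation"))
    if any(kind == "violation" for *_, kind in findings):
        return 2, findings  # policy violations found
    if findings:
        return 1, findings  # warnings only (unknown licenses)
    return 0, findings      # no issues


# Constructed sample manifest (not real packages), one case per rule
SAMPLE_DEPS = {
    "left-pad": "MIT",                                 # permissive
    "dual-lib": "MIT OR GPL-3.0-only",                 # OR  -> permissive
    "bundle": "MIT AND (GPL-2.0-only OR BSD-3-Clause)",  # nested -> permissive
    "linker": "LGPL-2.1-or-later",                     # weak-copyleft
    "server-bits": "AGPL-3.0",                         # strong-copyleft
    "mystery": "SEE LICENSE IN LICENSE.txt",           # unknown -> warning
}

if __name__ == "__main__":
    code, found = audit(SAMPLE_DEPS, "permissive")
    for name, expr, cat, kind in found:
        print(f"{kind.upper():9} {name:12} {cat:16} ({expr})")
    print("exit code:", code)
```

Under the default permissive policy the sample yields two violations (linker, server-bits) and one warning (mystery), so the CI exit code is 2; under any-open only the warning remains and the code drops to 1.
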
Safe usage recommendations
This skill appears to do what it claims: a local license audit using the included Python script. Before installing or running it on sensitive repositories:

  1. Inspect the complete scripts/license_audit.py file (the provided snippet was truncated) to confirm there are no network calls, credential reads, or unexpected file writes in the unseen portion.
  2. Ensure Python 3 is available (SKILL.md uses `python3` but the skill metadata doesn't declare it).
  3. Run the scanner on a copied/test repository or inside a container to avoid accidental data exposure.
  4. Note the script has at least one obvious bug/typo in the shown pip parser (an apparent 'Fals' typo); test it on sample projects first.
  5. Review and control any .license-policy.json files and CI artifact handling: policy exceptions skip packages (which may hide problems) and saving reports as CI artifacts may expose dependency details.

If you want higher assurance, request the full, untruncated source and a runtime test log before enabling this skill in CI.
Functional analysis
Type: OpenClaw Skill
Name: dependency-license-audit
Version: 1.0.0

The dependency-license-audit skill is a legitimate utility designed to scan project dependency files (like package.json, requirements.txt, and go.mod) for license compliance. The core logic in scripts/license_audit.py uses standard Python libraries to parse local files and metadata, lacks any network connectivity or data exfiltration capabilities, and contains no evidence of malicious intent or obfuscation.
Capability assessment
Purpose & Capability
Name, description, SKILL.md usage, and the included Python script all align with a dependency license auditor. Minor mismatch: SKILL.md and quick-start examples run `python3 scripts/license_audit.py` but the skill metadata declares no required binaries; declaring `python3` (or ensuring it exists) would be expected. Otherwise the required files and behaviors are coherent with the stated purpose.
Instruction Scope
The runtime instructions tell the agent to run the included Python script against a project directory and to optionally create/read a .license-policy.json. The script (visible portions) only reads local project files (package.json, package-lock.json, node_modules, requirements.txt, Pipfile, pyproject.toml, go.mod, Cargo.toml, Gemfile) and emits reports/CI exit codes. There are no instructions to read unrelated system files or to transmit results to external endpoints in the parts shown.
Install Mechanism
No install spec is provided and the skill is instruction-only with an included script. There are no downloads or external install URLs. This is low-risk from an install mechanism perspective.
Credentials
The skill requests no environment variables, no credentials, and no config paths outside the project directory. That is proportionate for a local license-scanning tool.
Persistence & Privilege
`always` is false and the skill does not request elevated or persistent system privileges in the provided files. It does not attempt to modify other skills or global agent configuration in the parts shown.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Type the install command in the chat box: /install dependency-license-audit
  3. After installation, call the Skill by name directly or trigger it with /dependency-license-audit
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history
v1.0.0
Initial release
Metadata
Slug dependency-license-audit
Version 1.0.0
License MIT-0
Cumulative installs 0
Current installs 0
Versions 1
FAQ

What is dependency-license-audit?

Scan project dependencies for license compatibility issues, GPL contamination, and compliance violations. Supports npm, pip, Go, Rust, and Ruby ecosystems. U... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 102 downloads to date.

How do I install dependency-license-audit?

Run the command "/install dependency-license-audit" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is dependency-license-audit free?

Yes, dependency-license-audit is completely free under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does dependency-license-audit support?

dependency-license-audit runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed dependency-license-audit?

Developed and maintained by charlie-morrison (@charlie-morrison); the current version is v1.0.0.
