Total downloads: 257
Favorites: 0
Current installs: 1
Versions: 2
Install in OpenClaw
/install dependency-tracker
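Description
Weekly dependency check. Checks whether updates are available for Node.js, npm, and global packages. Triggers: cron scheduled job or manual invocation.
Usage instructions (SKILL.md)
Dependency Tracker
Checks weekly whether project dependencies have updates, to ensure security and compatibility.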
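Core workflow
- Read references/spec.md for the detailed specification
- Check the Node.js version
- Check the npm version
- Check globally installed packages
- Run npm outdated to check for updatable packages
- Generate the report and send it
Triggers
- cron scheduled job (weekly recommended)
- When the user explicitly requests it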
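Delivery rules (mandatory)
After completing the report, send it via the messaging tool.
- Channel: feishu
- Target: <Feishu group ID or user ID>
If the report exceeds 3800 characters, split it into multiple messages. Each message must be semantically complete (do not break a URL or formatting). If sending fails, retry once. If it still fails, output the error; never exit silently.
Output
- Report location: data/exec-logs/dependency-tracker/YYYY-MM-DD.md
- Messages are pushed to the Feishu group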
Security usage advice
This skill otherwise looks coherent for a dependency-checker, but it requires sending reports to Feishu while declaring no credentials or webhook. Before installing:
1) Confirm how messages will be sent — does your agent already have Feishu integration or will you need to provide a FEISHU_WEBHOOK / FEISHU_TOKEN? The skill should explicitly declare required env vars.
2) Verify you are comfortable with the skill running shell commands (node -v, npm -v, npm list -g, npm outdated) on the host and writing files to data/exec-logs; listing global packages can reveal installed packages.
3) Ask the publisher to clarify the exact delivery mechanism and to add explicit environment variable requirements and error-handling behavior.
4) If you want to limit risk, run the skill in a restricted environment (container or dedicated CI runner) and do not enable it for autonomous runs until you confirm the messaging credentials and delivery implementation. If the agent will use shared Feishu credentials, consider creating a dedicated Feishu webhook/account with limited scope.
Functional analysis
Type: OpenClaw Skill
Name: dependency-tracker
Version: 1.0.1
The skill utilizes shell commands (e.g., `npm list -g`, `npm outdated`) to collect system environment data and instructs the agent to transmit this information to an external Feishu (Lark) endpoint. While these actions are consistent with the stated purpose of a 'Dependency Tracker' and the commands themselves are non-malicious, the combination of shell execution and network-based data exfiltration of system metadata meets the threshold for a suspicious classification under the provided security criteria (SKILL.md, references/spec.md).
Capability assessment
Purpose & Capability
The stated purpose (weekly checks of Node.js/npm and global packages) aligns with the listed commands in references/spec.md (node -v, npm -v, npm list -g, npm outdated). However the SKILL.md requires delivering the report to a Feishu channel/ID even though the skill declares no credentials, webhook, or messaging dependency — that delivery requirement is out of band with the declared requirements.
Instruction Scope
Instructions are concrete and scoped to running local shell commands and writing a Markdown report under data/exec-logs/*. The skill reads the included references/spec.md (present). The only out-of-scope element is the unspecified report delivery step: it mandates sending to Feishu but provides no delivery method, tokens, or API endpoints. The skill also requires listing globally installed packages (npm list -g), which legitimately reveals installed package names/versions and could leak environment details.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be written or executed by an install step. That is proportionate to the described functionality.
Credentials
The SKILL.md explicitly requires sending messages to Feishu (channel + target ID) but the skill metadata lists no required environment variables or credentials. Either the skill assumes the agent already has Feishu integration (possible) or it silently expects credentials to be supplied elsewhere. This mismatch is a security and operational concern. Additionally, the skill reads/writes local files and lists global npm packages — those actions can expose system package inventory; users should confirm that is acceptable.
Persistence & Privilege
The skill is not always-enabled and does not request persistent or elevated platform privileges. It writes report files under data/exec-logs/* (its own output path) which is normal for a reporting skill.
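How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install dependency-tracker
- After installation, call the Skill by its name or use /dependency-tracker to trigger it
- Provide the necessary input according to the Skill's parameter description to get structured output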
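Version history
v1.0.1
- Updated the description of the Feishu message push target; it now uses the `<Feishu group ID or user ID>` placeholder to improve generality.
- Removed the specific ID from the report push target so it can be reused across environments.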
v1.0.0
Initial release of dependency-tracker.
- Weekly checks for updates to Node.js, npm, and globally installed packages.
- Runs npm outdated to identify project dependencies needing updates.
- Generates a detailed report saved to data/exec-logs/dependency-tracker/YYYY-MM-DD.md.
- Sends the report to a specified Feishu group, splitting into multiple messages if needed and retrying on failure.
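FAQ
What is Dependency Tracker?
Weekly dependency check. Checks whether updates are available for Node.js, npm, and global packages. Triggers: cron scheduled job or manual invocation. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 257 cumulative downloads to date.
How do I install Dependency Tracker?
Run the command "/install dependency-tracker" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.
Is Dependency Tracker free?
Yes, Dependency Tracker is completely free and released under the MIT-0 license; it can be freely downloaded, installed, and used.
Which platforms does Dependency Tracker support?
Dependency Tracker is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed Dependency Tracker?
Developed and maintained by AxelHu (@axelhu); the current version is v1.0.1.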