DepGuard

Author: suhteevah (GitHub) · v1.0.1
Platforms: darwin, linux, win32 · Security check passed
747 total downloads · 0 favorites · 2 current installs · 2 versions
Install in OpenClaw: /install depguard
Description

Scan project dependencies for vulnerabilities, license compliance, and generate security or compliance reports using native package manager audits.

Usage (SKILL.md)

DepGuard — Dependency Audit & License Compliance

DepGuard scans your project dependencies for known vulnerabilities, license violations, and outdated packages. It uses native package manager audit tools (npm audit, pip-audit, cargo-audit, etc.) and enriches results with license analysis and risk scoring.

Commands

Free Tier (No license required)

depguard scan [directory]

One-shot vulnerability and license scan of your project dependencies.

How to execute:

bash "<SKILL_DIR>/scripts/depguard.sh" scan [directory]

What it does:

  1. Detects package manager (npm, yarn, pnpm, pip, cargo, go, composer, bundler, maven, gradle)
  2. Runs native audit commands (npm audit, pip-audit, cargo audit, etc.)
  3. Parses dependency manifests for license information
  4. Generates a security report with severity levels
  5. Lists packages with problematic or unknown licenses

Example usage scenarios:

  • "Scan my dependencies for vulnerabilities" → runs depguard scan .
  • "Check the licenses of my node modules" → runs depguard scan . --licenses-only
  • "Are any of my packages insecure?" → runs depguard scan

depguard report [directory]

Generate a formatted dependency health report in markdown.

bash "<SKILL_DIR>/scripts/depguard.sh" report [directory]

Pro Tier ($19/user/month — requires DEPGUARD_LICENSE_KEY)

depguard hooks install

Install git hooks that scan dependencies on every commit that modifies lockfiles.

bash "<SKILL_DIR>/scripts/depguard.sh" hooks install

What it does:

  1. Validates Pro+ license
  2. Installs lefthook pre-commit hook targeting lockfile changes
  3. On every commit that modifies package-lock.json, yarn.lock, Cargo.lock, etc.: runs vulnerability scan, blocks commit if critical/high vulns found

depguard hooks uninstall

Remove DepGuard git hooks.

bash "<SKILL_DIR>/scripts/depguard.sh" hooks uninstall

depguard watch [directory]

Continuous monitoring — re-scans on any lockfile change.

bash "<SKILL_DIR>/scripts/depguard.sh" watch [directory]

depguard fix [directory]

Auto-fix vulnerabilities by upgrading to patched versions where available.

bash "<SKILL_DIR>/scripts/depguard.sh" fix [directory]

Team Tier ($39/user/month — requires DEPGUARD_LICENSE_KEY with team tier)

depguard policy [directory]

Enforce a dependency policy: block specific licenses, require minimum versions, deny specific packages.

bash "<SKILL_DIR>/scripts/depguard.sh" policy [directory]

depguard sbom [directory]

Generate a Software Bill of Materials (SBOM) in CycloneDX or SPDX format.

bash "<SKILL_DIR>/scripts/depguard.sh" sbom [directory]

depguard compliance [directory]

Generate a compliance report for auditors — maps licenses to categories (permissive, copyleft, proprietary, unknown).

bash "<SKILL_DIR>/scripts/depguard.sh" compliance [directory]

Supported Package Managers

Manager    Lockfile                           Audit Tool
npm        package-lock.json                  npm audit
yarn       yarn.lock                          yarn audit
pnpm       pnpm-lock.yaml                     pnpm audit
pip        requirements.txt / Pipfile.lock    pip-audit / safety
cargo      Cargo.lock                         cargo audit
go         go.sum                             govulncheck
composer   composer.lock                      composer audit
bundler    Gemfile.lock                       bundle audit
maven      pom.xml                            mvn dependency-check
gradle     build.gradle                       gradle dependencyCheck

Configuration

Add to ~/.openclaw/openclaw.json:

{
  "skills": {
    "entries": {
      "depguard": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY",
        "config": {
          "severityThreshold": "high",
          "blockedLicenses": ["GPL-3.0", "AGPL-3.0"],
          "allowedLicenses": ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"],
          "ignoredVulnerabilities": [],
          "autoFix": false,
          "sbomFormat": "cyclonedx"
        }
      }
    }
  }
}
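
To make the severityThreshold, ignoredVulnerabilities and license lists above concrete, here is an added example (not code from the DepGuard skill or its scripts): a small Python model of how a pre-commit gate would evaluate one scan against this config. The openclaw.json excerpt, the advisory ids and the package licenses are constructed for illustration.

```python
import json
# Rank used to compare a finding's severity against severityThreshold.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed openclaw.json excerpt with the same nesting as the configuration above.
OPENCLAW_JSON = """{
  "skills": {"entries": {"depguard": {"enabled": true, "config": {
    "severityThreshold": "high",
    "blockedLicenses": ["GPL-3.0", "AGPL-3.0"],
    "allowedLicenses": ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"],
    "ignoredVulnerabilities": ["ADV-0003"]
  }}}}
}"""

# Constructed scan results: advisories (placeholder ids, loosely shaped like npm audit entries) and declared licenses.
FINDINGS = [
    {"name": "lodash", "severity": "high", "id": "ADV-0001"},
    {"name": "minimist", "severity": "moderate", "id": "ADV-0002"},
    {"name": "left-pad", "severity": "critical", "id": "ADV-0003"},
    {"name": "copyleft-lib", "severity": "low", "id": "ADV-0004"},
]
PACKAGE_LICENSES = {"lodash": "MIT", "minimist": "ISC", "left-pad": "WTFPL", "copyleft-lib": "GPL-3.0"}

def load_depguard_config(text):
    """Pull the skill's config object out of the nested openclaw.json structure."""
    return json.loads(text)["skills"]["entries"]["depguard"]["config"]

def meets_threshold(severity, threshold):
    """At or above threshold; an unrecognised severity ranks highest so it is never silently dropped."""
    return SEVERITY_RANK.get(severity.lower(), 99) >= SEVERITY_RANK[threshold.lower()]

def classify_license(license_id, config):
    """'blocked' wins over 'allowed'; a license on neither list is 'unknown' and surfaced for review."""
    if license_id in config["blockedLicenses"]:
        return "blocked"
    return "allowed" if license_id in config["allowedLicenses"] else "unknown"

def evaluate(findings, licenses, config):
    """Apply the config to one scan; a threshold-crossing advisory or a blocked license fails the commit."""
    ignored = set(config.get("ignoredVulnerabilities", []))
    blocking = sorted(f["id"] for f in findings if f["id"] not in ignored
                      and meets_threshold(f["severity"], config["severityThreshold"]))
    verdicts = {pkg: classify_license(lic, config) for pkg, lic in licenses.items()}
    return {
        "blocking": blocking,
        "blocked_licenses": sorted(p for p, v in verdicts.items() if v == "blocked"),
        "unknown_licenses": sorted(p for p, v in verdicts.items() if v == "unknown"),
        "block_commit": bool(blocking) or any(v == "blocked" for v in verdicts.values()),
    }
```

Note that ADV-0003 is critical yet suppressed by ignoredVulnerabilities, so entries on that list deserve the same review as the threshold itself.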

Important Notes

  • Free tier works immediately — no configuration needed
  • All scanning happens locally using native package manager audit tools
  • License validation is offline — no phone-home
  • Falls back to manifest parsing if native audit tools aren't available
  • Supports monorepos — scans all workspaces/packages

When to Use DepGuard

The user might say things like:

  • "Scan my dependencies for vulnerabilities"
  • "Check my package licenses"
  • "Are any of my npm packages insecure?"
  • "Generate a security audit report"
  • "Set up dependency monitoring"
  • "Block GPL dependencies in this project"
  • "Generate an SBOM"
  • "Check if we're compliant with our license policy"
Security usage advice

DepGuard appears coherent for its stated purpose, but review and accept a few behaviors before installing:

  1. Hooks: 'depguard hooks install' will edit or create your repository's lefthook.yml and install a pre-commit hook that will source and run the skill's scanner script on relevant commits. This means commit operations can execute the skill's shell code — ensure you trust the skill source and that the skill files remain under your control.
  2. License key handling: store DEPGUARD_LICENSE_KEY securely (env var or ~/.openclaw/openclaw.json). The skill decodes the JWT locally (no network calls), but it will read your OpenClaw config file if present (the manifest incorrectly lists 'required config paths: none').
  3. Optional tools: full features use node, python, jq, and native audit tools (npm, pip-audit, cargo-audit, govulncheck). Without those, DepGuard falls back to less-detailed checks.
  4. Inspect the scripts (already included) before use; if you don't want hooks to source code from ~/.openclaw/skills/depguard, set DEPGUARD_SKILL_DIR to a controlled location or avoid installing hooks.

If you need to be more cautious (e.g., enterprise policy), test the tool in an isolated repo first.
Functional analysis

Type: OpenClaw Skill
Name: depguard
Version: 1.0.1

The OpenClaw DepGuard skill is classified as benign. It performs dependency auditing, vulnerability scanning, and license compliance checks as advertised. All operations, including scanning, reporting, fixing, and license validation, are designed to run locally without external data exfiltration or 'phone-home' behavior, which is explicitly stated and confirmed by the code. While the skill executes powerful commands (e.g., `npm audit fix`, `git hooks install`) that modify the user's project, these actions are central to its stated purpose and are clearly documented. The shell scripts (`scripts/*.sh`) consistently quote user-provided directory arguments, mitigating direct shell injection risks. There is no evidence of malicious intent, obfuscation, or attempts at unauthorized access or persistence beyond the documented git hooks.
Capability assessment
Purpose & Capability
The skill name/description (dependency vulnerability & license scanning) matches the code and runtime instructions. Required binaries (git, bash) and the optional brew install of lefthook make sense for installing and running git hooks. The primary credential (DEPGUARD_LICENSE_KEY) is used only to gate Pro/Team features.
Instruction Scope
Runtime instructions run local audit tools (npm audit, pip-audit, cargo-audit, govulncheck, etc.), parse manifests/node_modules for license data, and optionally install lefthook hooks that call the scanner. All actions are local; there are no network 'phone-home' steps in the scripts. Notable: the hooks install writes/edits repository lefthook.yml and configures pre-commit hooks that will source the skill's scanner script from the user's skills directory on each commit — this is expected for continuous monitoring but does mean commits will execute code from the skill directory.
Install Mechanism
Install spec is a single Homebrew formula (lefthook) — a standard package install from a well-known channel. The skill bundle contains shell scripts and a lefthook config; there are no downloads from untrusted URLs or extracted archives in the install spec.
Credentials
The only declared secret is DEPGUARD_LICENSE_KEY and that is used solely to gate Pro/Team features via local JWT decoding. The scripts also read ~/.openclaw/openclaw.json (to find a stored apiKey) even though 'required config paths' was declared as none — this is a minor metadata mismatch. The code optionally uses python, node, or jq when available to parse files; those are optional helpers, not required secrets.
Persistence & Privilege
always:false (no forced always-on). Installing hooks modifies repository lefthook.yml and runs lefthook install to wire pre-commit hooks — appropriate for a tool that blocks commits on bad dependencies, but it does grant the skill the ability to run code during commit operations by sourcing the skill's scanner script (from ~/.openclaw/skills/depguard by default or a DEPGUARD_SKILL_DIR override). Users should accept that repository hook changes will be made when installing Pro hooks.
How to use

  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install depguard
  3. After installation, call the Skill by name directly or trigger it with /depguard
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history
v1.0.1
Update URLs to free Cloudflare Pages hosting (depguard.pages.dev)
v1.0.0
Initial release: dependency vulnerability scanning, license compliance, git hook integration, SBOM generation
Metadata

Slug: depguard
Version: 1.0.1
License: not listed
Total installs: 2
Current installs: 2
Number of versions: 2
FAQ

What is DepGuard?

Scan project dependencies for vulnerabilities, license compliance, and generate security or compliance reports using native package manager audits. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 747 downloads to date.

How do I install DepGuard?

Run the command "/install depguard" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is DepGuard free?

Yes, DepGuard is completely free (open source and free of charge) and can be freely downloaded, installed and used.

Which platforms does DepGuard support?

DepGuard runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (darwin, linux, win32).

Who developed DepGuard?

Developed and maintained by suhteevah (@suhteevah); the current version is v1.0.1.
