tarun-khatri

Dep Radar

Author: Tarun Khatri · GitHub · v2.3.0 · MIT-0
cross-platform ⚠ suspicious

Total downloads: 100
Favorites: 0
Current installs: 0
Versions: 1

Install in OpenClaw: /install depradar

Description
Dependency breaking-change radar. Use this skill when the user wants to check for breaking changes, outdated dependencies, upgrade risks, or migration issues...

Usage instructions (SKILL.md)

# /depradar

Scan your project's dependencies for breaking changes, find which files in YOUR codebase will break, and surface community reports from GitHub, Stack Overflow, Reddit, and Hacker News — all in one command.

---

## What This Skill Does

`/depradar` is a dependency intelligence tool that goes far beyond `npm outdated` or `pip list --outdated`. When you run it:

1. **Reads your dependency files** — `package.json`, `requirements.txt`, `pyproject.toml`, `go.mod`, `Cargo.toml`, `Gemfile`, `pom.xml`, and more
2. **Checks every registry** — npm, PyPI, GitHub Releases, crates.io, Maven Central — for new versions
3. **Extracts breaking changes** — parses release notes and CHANGELOGs using section-header detection, Conventional Commits (`feat!:`, `BREAKING CHANGE:`), and keyword heuristics
4. **Scans YOUR codebase** — Python: full AST analysis (high confidence). JS/TS: import-tracking regex with package context (medium confidence) + optional true AST via Node.js if available (high confidence). Other languages: grep fallback
5. **Searches the community** — GitHub Issues, Stack Overflow, Reddit, and Hacker News for migration pain reports
6. **Scores and ranks** — severity × recency × codebase impact × community pain (0-100 scale)
7. **Delivers an actionable report** — tells you what broke, where it broke in your code, and what others did to fix it

---
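As an added illustration of step 3 (example code, not the skill's own `changelog_parser.py`), the function below applies the three heuristics named above to a constructed release-notes snippet; the keyword-to-`change_type` mapping it uses is an assumption for illustration.

```python
"""Extract breaking-change entries from release notes / CHANGELOG text.

Added example, not the skill's changelog_parser.py. Three heuristics:
  1. a section whose header mentions "breaking" (every bullet in it counts),
  2. Conventional Commits subjects with "!" before the colon (feat(api)!: ...),
  3. "BREAKING CHANGE:" footers.
The change_type keyword mapping is an assumed heuristic, not the project's.
"""
import re

# "feat(api)!: drop v1 endpoints" or "- refactor!: ..." (optional list bullet)
CC_BREAKING = re.compile(r"^\s*[-*]?\s*(?P<type>[a-z]+)(\([^)]*\))?!:\s*(?P<text>.+)$")
# "BREAKING CHANGE: config() now returns a dict" (also BREAKING-CHANGE:)
FOOTER_BREAKING = re.compile(r"^\s*[-*]?\s*BREAKING[ -]CHANGE:\s*(?P<text>.+)$", re.IGNORECASE)
# Markdown headers such as "### Breaking Changes"; any header ends the previous section
SECTION_HEADER = re.compile(r"^\s*#{1,6}\s*(?P<title>.+?)\s*$")
BREAKING_TITLE = re.compile(r"\bbreaking\b", re.IGNORECASE)

# Assumed keyword heuristics for change_type; first match wins, so order matters.
CHANGE_TYPE_KEYWORDS = [
    ("removed", ("removed", "remove", "dropped", "drop", "deleted")),
    ("renamed", ("renamed", "rename")),
    ("deprecated", ("deprecated", "deprecate")),
    ("signature_changed", ("signature", "argument", "parameter")),
    ("type_changed", ("type", "returns")),
    ("behavior_changed", ("behavior", "behaviour", "default", "now")),
]


def classify(text: str) -> str:
    """Map a breaking-change sentence to one of the change_type values used in scoring."""
    lowered = text.lower()
    for change_type, keywords in CHANGE_TYPE_KEYWORDS:
        if any(keyword in lowered for keyword in keywords):
            return change_type
    return "other"


def extract_breaking_changes(notes: str):
    """Return [{text, change_type, source}, ...] for every breaking change found in `notes`."""
    findings = []
    seen = set()
    in_breaking_section = False

    def add(text: str, source: str) -> None:
        text = text.strip().rstrip(".")
        if text and text not in seen:  # de-duplicate entries repeated in several places
            seen.add(text)
            findings.append({"text": text, "change_type": classify(text), "source": source})

    for line in notes.splitlines():
        header = SECTION_HEADER.match(line)
        if header:
            in_breaking_section = bool(BREAKING_TITLE.search(header.group("title")))
            continue
        match = CC_BREAKING.match(line)
        if match:
            add(match.group("text"), "conventional_commit")
            continue
        match = FOOTER_BREAKING.match(line)
        if match:
            add(match.group("text"), "breaking_change_footer")
            continue
        if in_breaking_section:
            bullet = line.strip().lstrip("-*").strip()
            if bullet:
                add(bullet, "section")
    return findings


# Constructed release notes mixing all three styles (not real stripe notes).
SAMPLE_NOTES = """\
## 8.0.0

### Breaking Changes
- Removed `webhooks.constructEvent()`; use `webhooks.verify()` instead
- Renamed `Charge.capture` to `Charge.captureFunds`

### Features
- feat(api)!: `createCharge` now takes an options parameter instead of positional arguments
- feat: add retry helper

### Fixes
- fix: handle empty payloads
  BREAKING CHANGE: `parseEvent` now returns None instead of raising
"""

if __name__ == "__main__":
    for finding in extract_breaking_changes(SAMPLE_NOTES):
        print(f"[{finding['change_type']:>17}] ({finding['source']}) {finding['text']}")
```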

## Invocation

```bash
/depradar                           # Scan current project, all production deps
/depradar stripe openai             # Check only these specific packages
/depradar --all                     # Include devDependencies / dev extras
/depradar --quick                   # 60s timeout, top 5 packages by severity
/depradar --deep                    # 300s, exhaustive community search
/depradar --days=7                  # Changes in last 7 days (default: 30)
/depradar --refresh                 # Bypass 6-hour cache, force fresh data
/depradar --emit=json               # Output: compact (default) | json | md | context
/depradar --emit=md                 # Save full markdown report to ~/Documents/DepRadar/
/depradar --diagnose                # Show API key status + test validity
/depradar --mock                    # Use fixtures (testing, no network calls)
/depradar --no-scan                 # Skip codebase impact scan (faster)
/depradar --no-community            # Skip community signal search
/depradar --save                    # Auto-save markdown report
/depradar --save-dir=PATH           # Save report to custom directory
/depradar --path=PATH               # Scan a different project directory
/depradar --verbose                 # Show detailed per-step progress
/depradar --fail-on-breaking        # Exit code 1 if breaking changes found (CI/CD)
/depradar --min-score=N             # Only show packages with score >= N (default: 0)
/depradar --notify=slack://WEBHOOK  # Send report to Slack webhook
/depradar --notify=file:///PATH     # Write JSON report to file
/depradar --show-ignored            # Show packages suppressed by .depradar-ignore
/depradar --version                 # Show version
```

---

## Step-by-Step Instructions for Claude

This section describes exactly how Claude should execute this skill. Follow each step in order.

---

### Step 0: Understand What the User Wants

Before running anything, parse the invocation to understand:

**Package filtering:** If the user named specific packages (e.g., `/depradar stripe openai`), note these. The script will filter to only those packages.

**Flag mapping:**
- `--quick` → `--depth=quick` (60s timeout, top 5 packages)
- `--deep` → `--depth=deep` (300s timeout, exhaustive)
- `--days=N` → look back N days for new releases (default: 30)
- `--refresh` → bypass cache
- `--no-scan` → skip codebase impact scan
- `--no-community` → skip community signal search
- `--emit=FORMAT` → output format (compact, json, md, context)
- `--save` → save markdown to ~/Documents/DepRadar/
- `--diagnose` → show config status and exit
- `--mock` → use fixture data, no network calls

**User intent signals:** If the user says "check if openai is broken" — that means `/depradar openai`. If they say "what needs updating in this project" — that's `/depradar`. If they say "why is my stripe code failing after update" — that's `/depradar stripe --deep`.

---

### Step 1: Locate the Script

The skill's main Python script is at:
```
{SKILL_ROOT}/scripts/depradar.py
```

Where `{SKILL_ROOT}` is the directory containing this `SKILL.md` file.

To find `SKILL_ROOT` dynamically:
```bash
SKILL_ROOT="$(dirname "$(realpath "${BASH_SOURCE[0]:-$0}")")"
```

If Claude is running this directly (not via bash), find the skill root by looking for the directory that contains both `SKILL.md` and `scripts/depradar.py`.

The typical installed locations are:
- `~/.claude/skills/depradar-skill/` (Claude Code)
- `~/.codex/skills/depradar-skill/` (OpenAI Codex)
- `~/.agents/skills/depradar-skill/` (generic)

---

### Step 2: Check Prerequisites

Before running, verify Python 3.8+ is available:
```bash
python3 --version
```

If Python is not available, tell the user:
> "Python 3.8+ is required. Please install it from python.org or via your package manager."

No external pip packages are required — the skill uses only Python stdlib.

---

### Step 3: Run the Script

**Basic invocation:**
```bash
cd "{PROJECT_ROOT}" && python3 "{SKILL_ROOT}/scripts/depradar.py" {ARGS}
```

**Important:** Always `cd` to the project root first. The script uses the current working directory to find dependency files and scan the codebase.

**Examples:**

Run with default settings:
```bash
cd /path/to/project && python3 ~/.claude/skills/depradar-skill/scripts/depradar.py
```

Check specific packages only:
```bash
cd /path/to/project && python3 ~/.claude/skills/depradar-skill/scripts/depradar.py stripe openai
```

Quick scan with JSON output:
```bash
cd /path/to/project && python3 ~/.claude/skills/depradar-skill/scripts/depradar.py --quick --emit=json
```

Show config status:
```bash
python3 ~/.claude/skills/depradar-skill/scripts/depradar.py --diagnose
```

Test with mock data (no network):
```bash
cd /path/to/project && python3 ~/.claude/skills/depradar-skill/scripts/depradar.py --mock
```

---

### Step 4: Parse the Output

The script outputs to stdout. The output format depends on `--emit`:

**`compact` (default):** Human-readable terminal output. Parse it by looking for:
- Lines starting with `### ` → package name + version bump
- Lines containing `**Impact:**` → codebase impact count
- Lines starting with `    -` under `**Impact:**` → file:line references
- Lines starting with `    N.` under `**Breaking changes:**` → individual breaking changes
- Lines under `**Community signals:**` → external reports

**`json`:** Full machine-readable JSON. The structure is `DepRadarReport`:
```json
{
  "project_path": "/path/to/project",
  "packages_scanned": 23,
  "packages_with_breaking_changes": [
    {
      "id": "P1",
      "package": "stripe",
      "current_version": "7.0.0",
      "latest_version": "8.0.0",
      "semver_type": "major",
      "has_breaking_changes": true,
      "score": 87,
      "breaking_changes": [...],
      "impact_locations": [...],
      "impact_confidence": "high"
    }
  ],
  "packages_with_minor_updates": [...],
  "packages_current": ["axios", "lodash", ...],
  "github_issues": [...],
  "stackoverflow": [...],
  "reddit": [...],
  "hackernews": [...],
  "from_cache": false,
  "cache_age_hours": null,
  "depth": "default",
  "days_window": 30
}
```

**`context`:** Minimal snippet for passing to other skills or continuing a conversation.

**`md`:** Full markdown — best for saving to file.

---

### Step 5: Synthesize and Present to the User

After the script completes, Claude should present the findings in a clear, actionable way. Follow these principles:

**Lead with the action items.** The user needs to know: "Do I need to update anything? Will it break my code? How hard is the migration?"

**Structure your response:**

1. **One-line summary** — "Found 2 packages with breaking changes affecting 7 files in your codebase."

2. **For each breaking package** (in score order):
   - Package name, current → latest version, days since release
   - Files in their codebase that will break (from `impact_locations`)
   - What specifically changed (from `breaking_changes`)
   - Migration guidance (from `migration_note` fields or community signals)
   - Community pain level (how many others hit this)

3. **Minor updates table** — brief, just show what's available

4. **Follow-up offers** — see Step 6

**What to emphasize:**
- Impact locations in THEIR code (most actionable)
- Packages with score > 70 (high priority)
- Migration notes from the release notes
- StackOverflow questions that are ANSWERED (solved problems)
- GitHub issues that are CLOSED (resolved)

**What to de-emphasize:**
- Packages not found in registry (usually private packages)
- Community signals for packages with score < 30
- Minor/patch updates unless they contain security fixes

**Tone:** Be specific, not alarming. "stripe v8 removed `webhooks.constructEvent()` — replace it with `webhooks.verify()` on line 47 of `src/payments/webhook.ts`" is much better than "Breaking changes detected!"

---

### Step 6: Offer Follow-up Actions

After presenting the report, always offer one or more of these follow-up actions:

**For packages with breaking changes:**
- "Would you like me to help you migrate `src/payments/webhook.ts` from `stripe.webhooks.constructEvent()` to the new API?"
- "I can show you the diff between stripe v7 and v8 for the methods you're using."
- "Want me to run `npm update stripe` and then fix the breaking usages automatically?"

**For the full report:**
- "Shall I save this as a markdown report to `~/Documents/DepRadar/`? Run `/depradar --emit=md`."
- "Want me to create a GitHub issue tracking these breaking changes?"
- "I can add `/* TODO: migrate stripe v8 */` comments to the affected lines."

**For configuration:**
- "Add `GITHUB_TOKEN` to `~/.config/depradar/.env` to get 80x more GitHub API requests and better issue search."
- "Add `SCRAPECREATORS_API_KEY` to enable Reddit community signal search."

---

### Step 7: Handle Errors Gracefully

**No dependency files found:**
> "No dependency files found in `{PROJECT_ROOT}`. Make sure you're in your project root directory. Supported files: `package.json`, `requirements.txt`, `pyproject.toml`, `go.mod`, `Cargo.toml`, `Gemfile`, `pom.xml`."

**All packages up to date:**
> "All {N} dependencies are up to date — no action needed."

**GitHub rate limit (60/hour without token):**
> "GitHub API rate limit reached. Add `GITHUB_TOKEN` to `~/.config/depradar/.env` for 5,000 requests/hour. Run `/depradar --diagnose` to check your config."

**Script not found:**
> "Could not find `depradar.py`. Make sure the skill is installed: copy the `depradar-skill/` directory to `~/.claude/skills/`. Run `bash ~/.claude/skills/depradar-skill/scripts/sync.sh` to install."

**Python not found:**
> "Python 3.8+ is required. Install from python.org or via: `brew install python3` (Mac) / `sudo apt install python3` (Linux)."

**Cache is stale:**
> "Using cached results from {N} hours ago. Run `/depradar --refresh` to fetch fresh data."

---

## Configuration

`/depradar` works out of the box with no configuration. API keys unlock additional sources and higher rate limits.

### Config File Location

Create either of:
- `.claude/depradar.env` — project-level (add it to `.gitignore` so the keys are never committed)
- `~/.config/depradar/.env` — global (applies to all projects)

### API Keys Reference

| Key | Purpose | Without Key | With Key |
|-----|---------|------------|---------|
| `GITHUB_TOKEN` | GitHub Releases + Issues | 60 req/hr | 5,000 req/hr |
| `SCRAPECREATORS_API_KEY` | Reddit search | ❌ disabled | ✅ enabled |
| `XAI_API_KEY` | X/Twitter via Grok | ❌ disabled | ✅ enabled |
| `AUTH_TOKEN` + `CT0` | X/Twitter via cookies | ❌ disabled | ✅ enabled |
| `STACKOVERFLOW_API_KEY` | Stack Overflow | 300/day | 10,000/day |

### Example Config File

```bash
# ~/.config/depradar/.env

# Strongly recommended — free at github.com/settings/tokens
# Scopes needed: (none — public repos only)
GITHUB_TOKEN=ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# From scrapecreators.com — enables Reddit community signals
SCRAPECREATORS_API_KEY=sc_xxxxxxxxxxxx

# From x.ai — enables X/Twitter signals
XAI_API_KEY=xai_xxxxxxxxxxxx

# From stackapps.com — 33x rate limit increase for Stack Overflow
STACKOVERFLOW_API_KEY=xxxxxxxxxxxx
```
### Suppressing Known-Safe Breaking Changes

Create a `.depradar-ignore` file in your project root to suppress breaking changes you have already evaluated and judged safe:

```
# .depradar-ignore
# Format: package[@version]  # optional reason comment
chalk@5          # ESM-only, evaluated 2026-03-27 — only used in CLI output
dotenv@17        # uses config() only, unchanged API
stripe           # all versions suppressed (use with care)
```

- `chalk@5` — suppresses chalk at any 5.x.x version
- `[email protected]` — exact version only
- `chalk` — suppress all versions (use carefully)

A global ignore file at `~/.config/depradar/ignore` applies to all projects.
Run `--show-ignored` to see what's being suppressed.
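
Added example, not the skill's own code: a parser for the `.depradar-ignore` format above, with the prefix-style version match it describes (`chalk@5` covers any 5.x.x, a full version matches exactly). Handling scoped npm names such as `@company/lib@2` by splitting on the last `@` is an assumed extension.

```python
"""Parse .depradar-ignore and decide whether a package@version is suppressed.

Added example, not the skill's code. Format assumed from the page:
  package[@version]   # optional reason comment
A bare major ("chalk@5") matches any 5.x.x, "chalk@5.2" matches 5.2.x,
a full version matches exactly, and a bare name matches every version.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class IgnoreRule:
    package: str
    version_spec: Optional[str]  # None means every version is suppressed
    reason: str                  # trailing "# ..." comment, for --show-ignored output
    line_no: int


def _split_spec(entry: str) -> Tuple[str, Optional[str]]:
    """Split 'name[@spec]'. Scoped npm names start with '@', so split on the LAST '@' only."""
    if "@" in entry[1:]:
        name, spec = entry.rsplit("@", 1)
        return name, (spec or None)
    return entry, None


def parse_ignore_file(text: str) -> List[IgnoreRule]:
    rules: List[IgnoreRule] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry, _, comment = raw.partition("#")  # everything after '#' is the reason
        entry = entry.strip()
        if not entry:
            continue  # blank or comment-only line
        name, spec = _split_spec(entry)
        rules.append(IgnoreRule(name, spec, comment.strip(), line_no))
    return rules


def version_matches(spec: Optional[str], version: str) -> bool:
    """Component-wise prefix match: '5' -> 5.*.*, '5.2' -> 5.2.*, '5.2.0' -> exact."""
    if spec is None:
        return True
    spec_parts = spec.split(".")
    return version.split(".")[: len(spec_parts)] == spec_parts


def find_ignore_rule(rules: Sequence[IgnoreRule], package: str, version: str) -> Optional[IgnoreRule]:
    """First rule suppressing this package at this version, or None if it should be reported."""
    for rule in rules:
        if rule.package == package and version_matches(rule.version_spec, version):
            return rule
    return None


def show_ignored(rules: Sequence[IgnoreRule], resolved: Sequence[Tuple[str, str]]):
    """Mimic --show-ignored: (package, version, reason) for each suppressed resolved package."""
    out = []
    for package, version in resolved:
        rule = find_ignore_rule(rules, package, version)
        if rule is not None:
            out.append((package, version, rule.reason or "(no reason given)"))
    return out


# Constructed ignore file following the format on the page.
SAMPLE_IGNORE = """\
# .depradar-ignore
# Format: package[@version]  # optional reason comment
chalk@5          # ESM-only, evaluated 2026-03-27, only used in CLI output
dotenv@17        # uses config() only, unchanged API
stripe           # all versions suppressed (use with care)
@company/internal-lib@2.4.0   # exact version, private package
"""

if __name__ == "__main__":
    rules = parse_ignore_file(SAMPLE_IGNORE)
    for entry in show_ignored(rules, [("chalk", "5.3.0"), ("chalk", "4.1.2"), ("stripe", "8.0.0")]):
        print("suppressed:", entry)
```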

---

### Zero-Config Coverage

Without any API keys, `/depradar` still covers:
- ✅ All dependency file parsing (local, no network)
- ✅ npm Registry (no auth required, very high rate limits)
- ✅ PyPI API (no auth required)
- ✅ crates.io API (no auth required)
- ✅ Maven Central (no auth required)
- ✅ GitHub Releases (60 req/hr — enough for 10-15 packages)
- ✅ GitHub Issues search (60 req/hr shared with above)
- ✅ Stack Overflow (300/day — limited but functional)
- ✅ Hacker News (historical data, no auth)
- ❌ Reddit (requires SCRAPECREATORS_API_KEY)
- ❌ X/Twitter (requires XAI_API_KEY or cookies)

**Zero-config covers ~80% of the skill's value.**

---

## Dependency File Support

| File | Ecosystem | Notes |
|------|-----------|-------|
| `package.json` | npm | Production deps; add `--all` for devDependencies |
| `package-lock.json` | npm | Exact locked versions (v2/v3 format) |
| `yarn.lock` | npm | Exact locked versions (v1 format) |
| `pnpm-lock.yaml` | npm | Exact locked versions (v5/v6/v8 format) |
| `requirements.txt` | PyPI | Handles `==`, `>=`, `~=`, `!=` specifiers |
| `pyproject.toml` | PyPI | PEP 621 `[project].dependencies` |
| `Pipfile` | PyPI | Pipenv format |
| `setup.cfg` | PyPI | Legacy `install_requires` and `extras_require` |
| `go.mod` | Go | Standard Go modules |
| `Cargo.toml` | Rust/crates.io | Standard Cargo format |
| `Gemfile` | Ruby/rubygems | Handles `gem` directives |
| `pom.xml` | Java/Maven | `<dependency>` elements |

The script searches from the current directory upward to the git root, collecting all dep files found.
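
`pom.xml` is the only XML format in this table, so it is the one place where XML external-entity (XXE) handling matters for a dependency scanner. The added example below (not the skill's `dep_parser.py`) extracts `<dependency>` coordinates with `defusedxml` when it is installed and otherwise with the stdlib parser after refusing any document that carries a `DOCTYPE`; that refusal policy and the `${property}` resolution are assumptions, not the project's behaviour.

```python
"""Extract <dependency> coordinates from a pom.xml without XXE / entity-expansion risk.

Added example, not the skill's dep_parser.py. Policy (assumed):
  * prefer defusedxml, which forbids entity expansion and external DTD fetches;
  * with the stdlib parser, refuse any document containing a DOCTYPE outright,
    since a dependency file never legitimately needs one;
  * resolve ${property} references from <properties> and project.version.
"""
import re
from typing import Dict, List, Tuple

try:  # drop-in replacement for xml.etree with entity expansion disabled
    from defusedxml import ElementTree as ET
except ImportError:  # stdlib fallback; the DOCTYPE check below is the guard
    import xml.etree.ElementTree as ET

DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
PROP_RE = re.compile(r"\$\{([^}]+)\}")


def _local(tag: str) -> str:
    """'{http://maven.apache.org/POM/4.0.0}version' -> 'version' (strip the namespace)."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name: str) -> str:
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def parse_pom(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return [(groupId, artifactId, version), ...] for every <dependency> in the POM."""
    if DOCTYPE_RE.search(xml_text):
        raise ValueError("refusing pom.xml with a DOCTYPE (possible XXE / entity expansion)")
    root = ET.fromstring(xml_text)

    # Collect <properties> so "${stripe.version}" resolves to a concrete version.
    props: Dict[str, str] = {}
    for child in root:
        if _local(child.tag) == "properties":
            for prop in child:
                props[_local(prop.tag)] = (prop.text or "").strip()
    # project.version is a built-in Maven property that POMs frequently reference.
    props.setdefault("project.version", _child_text(root, "version"))

    def resolve(value: str) -> str:
        # Unknown properties are left as-is so the caller can see they were unresolved.
        return PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)

    deps: List[Tuple[str, str, str]] = []
    for elem in root.iter():  # document order; also picks up <dependencyManagement>
        if _local(elem.tag) == "dependency":
            deps.append((
                resolve(_child_text(elem, "groupId")),
                resolve(_child_text(elem, "artifactId")),
                resolve(_child_text(elem, "version")),
            ))
    return deps


# Constructed sample POM (not a real project file).
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>payments</artifactId>
  <version>1.4.0</version>
  <properties>
    <stripe.version>24.3.0</stripe.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.stripe</groupId>
      <artifactId>stripe-java</artifactId>
      <version>${stripe.version}</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>payments-core</artifactId>
      <version>${project.version}</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed document with a DOCTYPE; a scanner should refuse to parse it.
DOCTYPE_POM = """<?xml version="1.0"?>
<!DOCTYPE project SYSTEM "http://example.invalid/project.dtd">
<project><dependencies></dependencies></project>
"""

if __name__ == "__main__":
    for coords in parse_pom(SAMPLE_POM):
        print(":".join(coords))
```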

---

## Scoring System

Every package and community signal is scored 0-100.

### Package Score (Breaking Changes)

```
score = 0.35 × severity + 0.25 × recency + 0.30 × impact + 0.10 × community
```

**Severity** (based on change_type):
| Change Type | Score |
|-------------|-------|
| `removed` | 100 |
| `renamed` | 80 |
| `signature_changed` | 70 |
| `behavior_changed` | 60 |
| `type_changed` | 50 |
| `deprecated` | 40 |
| `other` | 30 |

**Recency** (days since release):
| Age | Score |
|-----|-------|
| 0-7 days | 100 |
| 8-14 days | 85 |
| 15-30 days | 65 |
| 31-60 days | 40 |
| 61-90 days | 25 |
| 91+ days | 10 |

**Impact** (YOUR codebase):
| Detection | Score |
|-----------|-------|
| High-confidence (AST) | 100 |
| Med-confidence (grep) | 70 |
| Low-confidence | 40 |
| Not scanned | 50 |
| Not found after scan | 10 |

**Community pain:**
```
community = min(100, log1p(weighted_pain_signals) × 12)
```
Where `weighted_pain_signals` sums `quality_weight` for each signal (closed+answered=2.0, closed=1.5, open+no comments=0.8). Only signals mentioning the same major version are counted (version-range filtered).

**Two-phase scoring:** Community signals (GitHub Issues, SO, Reddit, HN) are fetched in parallel AFTER the initial registry scan. The final score is calculated once all signals are available. Minor/patch releases are also checked for breaking changes — if found, they are flagged with a SEMVER VIOLATION badge.

**Staleness bonus:** If a breaking change has been available >30 days and you haven't upgraded, the urgency score increases (0-40 bonus points). Packages with 90+ day-old unaddressed breaking changes get a ⚡ STALE badge.

### Interpreting Scores

| Score | Meaning |
|-------|---------|
| 80-100 | 🔴 Critical — breaking change directly hits your code, recently released, widely reported |
| 60-79 | 🟠 High — significant breaking change, likely affects your code |
| 40-59 | 🟡 Medium — breaking change in this major, but impact uncertain |
| 20-39 | 🟢 Low — older or obscure breaking change |
| 0-19 | ⚪ Minimal — very minor or unconfirmed |
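
The formula and tables above carried through in code, as an added example (not the skill's `score.py`): it reproduces the weighted score, the same-major filter on community signals and the score buckets. The staleness bonus and SEMVER VIOLATION badge are left out, and taking the worst `change_type` as a package's severity is an assumption.

```python
"""Package score = 0.35*severity + 0.25*recency + 0.30*impact + 0.10*community.

Added example, not the skill's score.py. The lookup tables are the ones
documented on the page; aggregating several breaking changes by taking the
worst severity is an assumed choice. Staleness bonus / badges are omitted.
"""
import math
from typing import Iterable, Sequence, Tuple

SEVERITY = {
    "removed": 100, "renamed": 80, "signature_changed": 70, "behavior_changed": 60,
    "type_changed": 50, "deprecated": 40, "other": 30,
}
IMPACT = {"high": 100, "medium": 70, "low": 40, "not_scanned": 50, "not_found": 10}
# quality_weight per community signal kind (closed+answered, closed, open with no comments)
QUALITY_WEIGHT = {"closed_answered": 2.0, "closed": 1.5, "open_no_comments": 0.8}
WEIGHTS = {"severity": 0.35, "recency": 0.25, "impact": 0.30, "community": 0.10}


def recency_score(days_since_release: int) -> int:
    """Age bands from the Recency table; anything older than 90 days scores 10."""
    for max_days, score in ((7, 100), (14, 85), (30, 65), (60, 40), (90, 25)):
        if days_since_release <= max_days:
            return score
    return 10


def severity_score(change_types: Sequence[str]) -> int:
    """A package inherits the worst of its breaking changes (assumed aggregation)."""
    return max((SEVERITY.get(ct, SEVERITY["other"]) for ct in change_types), default=0)


def community_score(signals: Iterable[Tuple[str, int]], major: int) -> float:
    """signals = (kind, major version the signal mentions); only same-major signals count."""
    weighted = sum(QUALITY_WEIGHT.get(kind, 0.0) for kind, sig_major in signals if sig_major == major)
    return min(100.0, math.log1p(weighted) * 12)


def package_score(change_types: Sequence[str], days_since_release: int,
                  impact_confidence: str, signals: Iterable[Tuple[str, int]], major: int) -> int:
    score = (WEIGHTS["severity"] * severity_score(change_types)
             + WEIGHTS["recency"] * recency_score(days_since_release)
             + WEIGHTS["impact"] * IMPACT[impact_confidence]
             + WEIGHTS["community"] * community_score(signals, major))
    return int(round(score))


def interpret(score: int) -> str:
    """Bucket from the Interpreting Scores table."""
    for floor, label in ((80, "Critical"), (60, "High"), (40, "Medium"), (20, "Low")):
        if score >= floor:
            return label
    return "Minimal"


if __name__ == "__main__":
    # Constructed case: stripe 7 -> 8, a removed method, released 3 days ago,
    # AST-confirmed usage, two resolved reports about v8 and one stray v7 report.
    signals = [("closed_answered", 8), ("closed", 8), ("open_no_comments", 7)]
    s = package_score(["removed", "deprecated"], 3, "high", signals, major=8)
    print(f"stripe: {s} -> {interpret(s)}")
    s = package_score(["deprecated"], 45, "not_found", [], major=2)
    print(f"quiet package: {s} -> {interpret(s)}")
```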

---

## Output Formats

### compact (default)

Best for reading in the terminal. Shows:
- Package summary header with scan stats
- Breaking packages section with full details
- Minor updates table (capped at 10)
- Up-to-date count
- Registry errors

### json

Full machine-readable JSON dump of the `DepRadarReport` dataclass. Use this when:
- Passing results to another script or tool
- Building automation pipelines
- Debugging the skill

### md

Full markdown report. Suitable for:
- Saving to a file: `/depradar --emit=md` auto-saves to `~/Documents/DepRadar/`
- Pasting into GitHub issues or PRs
- Sharing with a team

### context

Minimal snippet for Claude-to-Claude passing. Use this when:
- Another skill needs to know about breaking changes
- You want to reference the results without the full report

---

## Depth Profiles

| Flag | Timeout | Packages | Community depth | Use case |
|------|---------|----------|-----------------|---------|
| `--quick` | 60s | Top 5 by severity | Minimal | CI/CD, quick check |
| (default) | 180s | All | Standard | Regular use |
| `--deep` | 300s | All | Exhaustive | Before a major release |

---

## Caching

Results are cached to avoid hammering APIs:
- Reports: 6-hour TTL (`~/.cache/depradar/reports/`)
- Registry data: 6-hour TTL
- Community signals: 24-hour TTL
- Codebase scan: 1-hour TTL

Use `--refresh` to bypass all caches.

The cache key includes a project path hash to prevent cache collisions across different projects with the same packages. Registry data (package info) is project-agnostic and shared; scan/report caches are project-specific.

---

## Examples

### Example 1: Default scan of a Node.js project

```
/depradar
```

Claude runs:
```bash
cd /current/project && python3 ~/.claude/skills/depradar-skill/scripts/depradar.py
```

Expected output includes:
- How many packages were scanned (from `package.json`)
- Any major version bumps with breaking changes
- File:line impact in the project
- Community reports

---

### Example 2: Check a specific package before upgrading

User: "Is it safe to upgrade stripe to v8?"

Claude runs:
```bash
cd /current/project && python3 ~/.claude/skills/depradar-skill/scripts/depradar.py stripe --deep
```

Then synthesizes the result into:
- What changed in stripe v8 that will break things
- Which files in the project will be affected
- Community reports on migration difficulty
- Concrete migration steps

---

### Example 3: CI/CD integration — check before deploy

User: "Add depradar to my CI pipeline"

Claude suggests adding to `.github/workflows/ci.yml`:
```yaml
- name: Check for breaking dependency changes
  run: |
    python3 ~/.claude/skills/depradar-skill/scripts/depradar.py \
      --quick --emit=json --no-community \
      | python3 -c "
    import json, sys
    report = json.load(sys.stdin)
    breaking = report['packages_with_breaking_changes']
    if breaking:
        print(f'BREAKING: {len(breaking)} packages have breaking changes')
        for pkg in breaking:
            print(f'  - {pkg[\"package\"]}: {pkg[\"current_version\"]} → {pkg[\"latest_version\"]}')
        sys.exit(1)
    print('All dependencies OK')
    "
```

---

### Example 4: Check config

```
/depradar --diagnose
```

Claude runs:
```bash
python3 ~/.claude/skills/depradar-skill/scripts/depradar.py --diagnose
```

Output shows which API keys are configured and what coverage they unlock.

---

### Example 5: Save full report

```
/depradar --emit=md
```

Claude runs:
```bash
cd /current/project && python3 ~/.claude/skills/depradar-skill/scripts/depradar.py --emit=md
```

The script saves `~/Documents/DepRadar/myproject-2026-03-27.md` and prints the path.

---

### Example 6: Check multiple ecosystems at once

In a project with both `package.json` and `requirements.txt`:
```
/depradar
```

The script auto-detects both files, combines the dependency list, checks npm + PyPI registries in parallel, and presents a unified report.

---

### Example 7: Use context mode for chaining with other skills

```
/depradar --emit=context
```

Output is a compact snippet like:
```
[/depradar context — 2 breaking change(s) detected]

• stripe 7.0.0→8.0.0 (major)
  - removed: stripe.webhooks.constructEvent — Method removed
  - Impact: 2 file(s) in your codebase

• openai 0.28.0→1.35.0 (major)
  - removed: openai.Completion.create — Class removed in v1
  - Impact: 5 file(s) in your codebase
```

Claude can then use this context to automatically open the affected files and propose migrations.

---

## Troubleshooting

### "No dependency files found"

Make sure you're in the project root:
```bash
ls package.json requirements.txt pyproject.toml go.mod Cargo.toml
```

Pass the project path explicitly:
```bash
/depradar --path=/path/to/project
```

### "GitHub API rate limit"

Without a token, GitHub allows 60 requests/hour. Each package needs 1-3 requests.

Fix: Add `GITHUB_TOKEN` to `~/.config/depradar/.env`:
```bash
echo "GITHUB_TOKEN=ghp_yourtoken" >> ~/.config/depradar/.env
```

Get a token at: github.com/settings/tokens (no scopes needed for public repos)

### Results look stale

The 6-hour cache might be serving old results. Force refresh:
```bash
/depradar --refresh
```

### A package shows as "not found"

This happens for:
- Private/internal packages (not on public registries)
- Packages with non-standard names (e.g., `@company/internal-lib`)
- Go packages (requires GitHub token to look up)

These are listed in the "Not found in registry" section and can be ignored.

### Python import errors

If you see `ModuleNotFoundError` for lib modules, make sure you're running from the correct directory or using the full path to `depradar.py`:
```bash
cd /path/to/project && python3 /full/path/to/depradar-skill/scripts/depradar.py
```

### "Permission denied" on check-config.sh

```bash
chmod +x ~/.claude/skills/depradar-skill/hooks/scripts/check-config.sh
```

---
## Privacy and Security

- `/depradar` only reads dependency file names and version numbers, NOT your code contents (beyond scanning for symbol names)
- No code is sent to any external service
- Community searches use only the package name and version number as queries
- API tokens are read from local files only and never transmitted except as Authorization headers to their respective APIs
- The codebase scan runs entirely locally using Python's `ast` module and file reading

---

## Architecture Overview

```
/depradar invocation
      │
      ▼
 dep_parser.py          ← Reads package.json, requirements.txt, etc.
      │
      ▼
 [Phase 1: Registry] ──────────────────────────────────────── PARALLEL
 github_releases.py     ← Primary: full release notes + CHANGELOG.md
 npm_registry.py        ← npm metadata + latest version
 pypi_registry.py       ← PyPI metadata + latest version
 crates_registry.py     ← crates.io metadata
 maven_registry.py      ← Maven Central metadata
      │
      ▼
 changelog_parser.py    ← Extract BreakingChange[] from release notes
      │
      ▼
 [Phase 2: Codebase Scan] ──────────────────────────────────── PARALLEL (per package)
 usage_scanner.py       ← AST (Python/JS) + grep fallback
 impact_analyzer.py     ← Cross-reference symbols with your code
      │
      ▼
 [Phase 3: Community] ──────────────────────────────────────── PARALLEL
 github_issues.py       ← GitHub Issues Search API
 stackoverflow.py       ← Stack Exchange API
 reddit_sc.py           ← Reddit via ScrapeCreators
 hackernews.py          ← HN Algolia (historical) + Firebase API
 twitter_x.py           ← X/Twitter via xAI Grok (optional)
      │
      ▼
 score.py               ← Severity × Recency × Impact × Community (0-100)
 normalize.py           ← Min-max normalization per source
 dedupe.py              ← Trigram Jaccard deduplication
      │
      ▼
 render.py              ← compact | json | md | context output
```

---

## Version History

See `CHANGELOG.md` for detailed release notes.

Current version: **2.0.0**

---

## License

MIT — see `LICENSE` file.

---

## Related Skills

- `/last30days` — Search what happened on the internet in the last 30 days about any topic
- `/security-audit` — Scan for known CVEs in your dependencies (pairs well with /depradar)

---

## Contributing

Issues and PRs welcome. See `SPEC.md` for the full architecture specification.

---

*Built with the Claude Code Skills architecture. Modeled after the `/last30days` skill pattern.*
Safe-usage recommendations

What to do before installing or running this skill:
- Inspect sync.sh and scripts/depradar.py yourself (they're included). Look for any network calls, external downloads, or unexpected shell commands before running the installer. The repo copies files into your home skills directory — verify it does what you expect.
- Start in demo/mock mode: run depradar with --mock or run the script in a disposable container/VM to see behavior without network access or touching real config.
- Do not supply high-privilege secrets blindly. If you provide a GitHub token, give the minimum scope needed (prefer a read-only token) and understand it increases the skill's GitHub API rate limit capabilities. Only add SCRAPECREATORS/XAI/STACKOVERFLOW keys if you trust the service and have reviewed how those keys are used.
- Because SKILL.md contains a detected prompt-injection marker, be cautious about giving the skill autonomous invocation in an agent that can call it without review. Prefer manual invocation until you've inspected files.
- If you plan to use it in CI, run it in an isolated build step and audit output; use --no-community or --no-scan flags to limit external scraping or code scanning until you're comfortable.

If you want, I can: (1) show the contents of scripts/sync.sh and scripts/depradar.py for a targeted review, (2) point out exactly where env/config paths are read, or (3) produce a short checklist of items to search for in the code before running it.

Functional analysis

Type: OpenClaw Skill
Name: depradar
Version: 2.3.0

The depradar skill is a comprehensive and professionally architected dependency analysis tool designed to detect breaking changes and their impact on a codebase. It performs local dependency file parsing (package.json, requirements.txt, etc.), queries public registries (npm, PyPI, Maven, etc.), and searches community platforms (GitHub, Stack Overflow, Reddit, HN) for migration reports. The tool uses Python's 'ast' module and a bundled Node.js script (js_ast_helper.js) for local code analysis. While it possesses broad capabilities including network access and sub-process execution, these are strictly aligned with its stated purpose. A potential XXE vulnerability in pom.xml parsing (dep_parser.py) is addressed by a prioritized attempt to use the 'defusedxml' library. No evidence of malicious intent, credential theft, or unauthorized data exfiltration was found.
Capability assessment
Purpose & Capability
Name/description match the actual code: the package contains a full Python tool that parses dependency files, queries registries, scans the codebase, and searches community sources. However, the registry metadata presented earlier claimed 'No install spec' and 'Required env vars: none / required config paths: none', while files (agents/openai.yaml, README.md, SKILL.md, scripts) clearly reference an install script, optional API keys, and config paths (~/.config/depradar/.env and .claude/depradar.env). That mismatch between the declared metadata and the repository contents is an inconsistency to be aware of (likely a packaging/metadata error, not necessarily malicious).
Instruction Scope
SKILL.md instructs the agent to locate and run scripts/depradar.py, scan the user's project files, read config at ~/.config/depradar/.env and .claude/depradar.env, and optionally auto-save reports to ~/Documents/DepRadar/. Those behaviors are expected for this tool, but they do involve reading local files and home-directory configuration. Also SKILL.md contains a detected prompt-injection token (see scan findings). The instructions provide broad discretion (search multiple registries and community sources) and reference multiple local paths — so you should only run it in projects you trust or inside an isolated environment if you are unsure.
Install Mechanism
No remote download URLs are present in the visible files; installation is performed via the included scripts/sync.sh that copies the skill into a local skills directory. README and agents/openai.yaml describe running bash scripts/sync.sh which may optionally run npm install for an optional JS AST parser. This is lower risk than arbitrary remote downloads, but you should inspect sync.sh before execution to confirm it doesn't fetch unexpected remote assets or change unexpected system state.
Credentials
The tool references API keys (GITHUB_TOKEN, SCRAPECREATORS_API_KEY, XAI_API_KEY, STACKOVERFLOW_API_KEY) and config files for optional features (community scraping, higher rate limits, Twitter/X integration). Those credentials are proportionate to the described community-signal features. However, the top-level metadata presented earlier claimed 'no required env vars' while several files and the install manifest expect or recommend keys and config files — an inconsistency. Only provide tokens if you understand and accept the specific integrations; prefer minimal scopes (e.g., GitHub token with minimal read-only rate-enhancing scopes).
Persistence & Privilege
The skill does not request 'always: true', does not modify other skills, and its hook is a benign SessionStart check that prints a tip if GITHUB_TOKEN is missing (the hook always exits 0). Install is local to the user's skills directory. No elevated persistence or system-wide modification was found in the provided files.
How to use
1. Make sure OpenClaw is installed (local or Docker deployment)
2. Type the install command in the chat box: /install depradar
3. After installation, call the Skill by name or trigger it with /depradar
4. Provide the inputs required by the Skill's parameter documentation to get structured output
Version history
v2.3.0
Initial public release — 838 tests, 6 ecosystems, zero dependencies
Metadata
Slug: depradar
Version: 2.3.0
License: MIT-0
Total installs: 0
Current installs: 0
Version count: 1

FAQ

What is Dep Radar?

Dependency breaking-change radar. Use this skill when the user wants to check for breaking changes, outdated dependencies, upgrade risks, or migration issues... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 100 downloads to date.

How do I install Dep Radar?

Run the command "/install depradar" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Dep Radar free?

Yes, Dep Radar is completely free, licensed under MIT-0, and can be freely downloaded, installed and used.

Which platforms does Dep Radar support?

Dep Radar is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.

Who developed Dep Radar?

Developed and maintained by Tarun Khatri (@tarun-khatri); current version v2.3.0.
