← 返回 Skills 市场

Deps Mgmt

Name: Deps Mgmt
Author: codekungfu

作者 ClawKK · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ✓ 安全检测通过

131

总下载

当前安装

版本数

在 OpenClaw 中安装

/install deps-mgmt

功能描述

Deep dependency management workflow—inventory, upgrade policy, security patches, licensing, lockfiles, and supply-chain hygiene. Use when upgrading framework...

使用说明 (SKILL.md)

Dependencies

Dependencies are supply-chain surface area: versions affect security, reproducibility, and upgrade cost.

When to Offer This Workflow

Trigger conditions:

Dependabot noise; major version upgrades
CVE response or license audit
“Works on my machine” due to unpinned dependencies

Initial offer:

Use six stages: (1) inventory & risk, (2) policy & cadence, (3) lockfiles & reproducibility, (4) upgrades & testing, (5) security & licensing, (6) governance & tooling). Confirm ecosystem (npm, pip, Maven, Go modules, etc.).

Stage 1: Inventory & Risk

Goal: Direct vs transitive dependencies; flag critical packages (crypto, auth, parsing, serialization).

Exit condition: SBOM or export for top applications; list of critical deps.

Stage 2: Policy & Cadence

Goal: When to upgrade (time-based vs on-demand); SemVer rules for libraries vs applications.

Stage 3: Lockfiles & Reproducibility

Goal: Committed lockfiles for deployable apps; libraries test against a compatibility matrix instead of one frozen lock.

Stage 4: Upgrades & Testing

Goal: Prefer one major bump per PR when feasible; CI matrix on supported language/runtime versions.

Stage 5: Security & Licensing

Goal: SCA scanning; patch SLA by severity; license allowlist for compliance.

Stage 6: Governance & Tooling

Goal: Renovate/Bot policies; pin internal packages; document exceptions and overrides.

Final Review Checklist

Inventory and risk hotspots known
Upgrade cadence and semver policy documented
Lockfiles or matrix strategy per repo type
CI validates upgrades
SCA and license policy enforced

Tips for Effective Guidance

Transitive CVEs may need overrides—trace the dependency graph.
Pin CI images and toolchains, not only application dependencies.

Handling Deviations

Monorepos: shared versions with Nx/Bazel/etc.—coordinate breaking upgrades.

安全使用建议

This skill is an advisory checklist and appears safe to install: it makes no network calls, installs, or secret requests in its instructions. Before using it in automated workflows, confirm what your agent will be permitted to do when you ask it to act on these recommendations (for example, whether the agent will be allowed to read repositories, run SCA tools, or modify CI). If you intend to run inventory or fixes, use explicit, audited tools and grant the agent least privilege (read-only repo access, scoped API tokens) and monitor any requests to expose credentials or external endpoints. Finally, remember this skill is high-level guidance — you'll still need concrete tooling (SBOM generators, SCA scanners, CI jobs) to perform the actual scans and upgrades.

功能分析

Type: OpenClaw Skill Name: deps-mgmt Version: 1.0.0 The skill bundle provides a structured workflow for dependency management, covering inventory, security patching, and licensing. It contains no executable code or suspicious instructions, focusing entirely on guiding the agent through standard software supply-chain best practices in SKILL.md.

能力评估

✓ Purpose & Capability

Name, description, and the SKILL.md all describe a dependency-management workflow (inventory, policy, lockfiles, upgrades, SCA, governance). The skill requests no binaries, env vars, installs, or config paths — which is coherent for a purely advisory workflow.

✓ Instruction Scope

SKILL.md contains process steps, checklists, and recommendations only; it does not instruct the agent to read files, call external services, or access credentials. The guidance is intentionally high-level and does not perform any I/O itself.

✓ Install Mechanism

No install spec or code files are present. As an instruction-only skill, nothing will be written to disk or downloaded during install.

✓ Credentials

The skill declares no required environment variables, credentials, or config paths — appropriate for a non-executing advisory workflow.

✓ Persistence & Privilege

always is false and model invocation is not disabled (default). The skill does not request persistent presence or elevated privileges.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install deps-mgmt
安装完成后，直接呼叫该 Skill 的名称或使用 /deps-mgmt 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release of the deps-mgmt skill providing a structured workflow for deep dependency management. - Introduces a six-stage process covering inventory, policy, reproducibility, upgrades, security, and governance. - Includes clear trigger conditions to identify when to apply the workflow. - Offers defined goals and exit conditions for each workflow stage. - Provides a comprehensive final review checklist to ensure best practices. - Shares tips for effective dependency management and strategies for handling monorepo deviations.

元数据

Slug deps-mgmt

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题

Deps Mgmt 是什么？

Deep dependency management workflow—inventory, upgrade policy, security patches, licensing, lockfiles, and supply-chain hygiene. Use when upgrading framework... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 131 次。

如何安装 Deps Mgmt？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install deps-mgmt」即可一键安装，无需额外配置。

Deps Mgmt 是免费的吗？

是的，Deps Mgmt 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Deps Mgmt 支持哪些平台？

Deps Mgmt 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Deps Mgmt？

由 ClawKK（@codekungfu）开发并维护，当前版本 v1.0.0。