dependency-security-scan

By qiushuizy · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ security check passed
92 total downloads · 0 favorites · 0 current installs · 1 version
Install in OpenClaw
/install java-dependency-security-scan
Description
Analyzes dependency vulnerabilities in Java, Maven or Spring projects, verifies whether the resolved versions are actually affected, checks transitive and embedded (bundled) dependencies, and produces a report with remediation advice.
Usage (SKILL.md)

Quick start

Use this Skill when the user asks for something like:

Scenario                                   Example request
Scan project dependencies for CVEs         "Scan my Spring Boot project's dependencies for vulnerabilities"
Check a specific dependency                "Is log4j-core 2.14.1 vulnerable?"
Analyze the impact of a CVE                "How does CVE-2021-44228 affect my project?"
Trace a transitive dependency              "Show the dependency path of commons-lang3 in my project"
Inspect dependencies embedded in a JAR     "List the dependencies bundled inside this third-party JAR"
Produce a security report                  "Generate a dependency security scan report"

Core workflow

Collect evidence → Define scope → Match vulnerabilities → Produce report

1. Collect evidence (in priority order)

Priority  Evidence type     Notes
1         lockfile          gradle.lockfile (records resolved versions). libs.versions.toml is a version catalog: it pins declared versions only, not transitive resolution, so treat it as build-file evidence (priority 3).
2         dependency:tree   mvn dependency:tree / gradlew dependencies; the resolved tree. Add -Dverbose to Maven to also see versions omitted by conflict mediation.
3         build files       pom.xml / build.gradle declarations: what is declared, not necessarily what is resolved
4         user input        dependency lists, existing scanner reports

2. Define the scan scope

Scanned by default

  • Maven: compile and runtime scopes
  • Gradle: the runtimeClasspath configuration (implementation and runtimeOnly declarations feed into it; implementation itself is not a resolvable configuration)
  • Dependencies actually bundled inside third-party JARs (shaded or relocated copies)

Excluded by default

  • test / testImplementation and other test-only dependencies
  • provided / compileOnly dependencies supplied by the container or needed only at compile time (a provided dependency still runs if the container ships a vulnerable copy, so check the container's own version separately)
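The embedded-dependency item above is the least mechanical part of the scope, so here is an added worked example, written for this page and not taken from the skill or its reference files. It builds a small fat JAR in memory (the archive, its entries and the version numbers are constructed for the demonstration) and extracts two kinds of evidence: the strong kind, Maven's META-INF/maven/<groupId>/<artifactId>/pom.properties, which yields exact coordinates; and the weak kind, class packages that no pom.properties accounts for, which is what a shade plugin with relocation leaves behind and which the report should mark "needs verification". The own-package prefix and the "groupId is a package prefix" heuristic are assumptions of the example.

```python
from __future__ import annotations

import io
import zipfile


def build_sample_jar() -> bytes:
    """Constructed fat JAR for this example (not a real artifact). One bundled dependency
    (commons-lang3) keeps its Maven pom.properties; a second one was relocated by a shade
    plugin and survives only as classes under a new package, with no pom.properties."""
    buf = io.BytesIO()
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only; the contents do not matter here
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/app/Main.class", fake_class)
        zf.writestr(
            "META-INF/maven/org.apache.commons/commons-lang3/pom.properties",
            "#Generated by Maven\nversion=3.9\ngroupId=org.apache.commons\nartifactId=commons-lang3\n",
        )
        zf.writestr("org/apache/commons/lang3/StringUtils.class", fake_class)
        zf.writestr("com/example/shaded/org/apache/logging/log4j/core/lookup/JndiLookup.class", fake_class)
    return buf.getvalue()


def embedded_coordinates(jar_bytes: bytes) -> list[str]:
    """Strongest evidence: META-INF/maven/<groupId>/<artifactId>/pom.properties, which Maven
    writes into every artifact it builds. Returns sorted groupId:artifactId:version strings."""
    coords = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.startswith("#"):
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            coords.append(f"{props['groupId']}:{props['artifactId']}:{props['version']}")
    return sorted(coords)


def class_packages(jar_bytes: bytes) -> set[str]:
    """Every package that contains at least one .class entry."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {
            name.rsplit("/", 1)[0].replace("/", ".")
            for name in zf.namelist()
            if name.endswith(".class") and "/" in name
        }


def unattributed_packages(jar_bytes: bytes, own_prefixes: tuple[str, ...]) -> set[str]:
    """Packages that belong neither to the application (own_prefixes, an assumption supplied by
    the caller) nor to a dependency with pom.properties evidence. Heuristic: a groupId is taken
    as a package prefix, which holds for many but not all libraries. Report these as
    'needs verification' rather than as confirmed or clean."""
    known_groups = [c.split(":")[0] for c in embedded_coordinates(jar_bytes)]
    return {
        pkg
        for pkg in class_packages(jar_bytes)
        if not pkg.startswith(own_prefixes)
        and not any(pkg == g or pkg.startswith(g + ".") for g in known_groups)
    }


def relocated_copies(jar_bytes: bytes, package_path: str) -> list[str]:
    """Entries containing a well-known library package path somewhere other than at the root:
    the signature of a shaded and relocated copy that a coordinate-based scanner will miss."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [n for n in zf.namelist() if package_path in n and not n.startswith(package_path)]
```

For a real audit, replace build_sample_jar() with the bytes of the JAR under review; the pom.properties coordinates can go straight into the vulnerability match, while the unattributed packages and relocated copies belong in the "residual risk" section until a version has been pinned down by other means (manifest entries, class fingerprints, or the vendor's build).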

3. Match vulnerabilities

A vulnerability is confirmed only when all three conditions hold:

  • ✅ The dependency coordinate is unambiguous (groupId:artifactId:version)
  • ✅ The version falls inside the affected range stated in the advisory, not merely the same major version
  • ✅ The dependency is actually effective at runtime (not overridden by conflict mediation, excluded, or confined to a non-runtime scope)

4. Produce the report

Use the following structure:

  1. Scan overview: project information, dependency count, vulnerability statistics
  2. Vulnerability details: grouped by severity, with CVE IDs and fixed versions
  3. Remediation plan: concrete fixes in priority order
  4. Residual risk: unverified assumptions and open uncertainties
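Steps 1 to 4 fit in a single script. The following is an added example written for this page, not code from the skill or its reference files: it parses a constructed excerpt of mvn dependency:tree -Dverbose output, records the dependency path of every node, compares versions with a simplified Maven ordering, matches each node against advisory records written in the shape OSV returns (the ranges are typed in by hand from the public advisories for CVE-2021-44228 and CVE-2020-15250 and reduced to one window each), and sorts the hits into confirmed / excluded by scope / not effective on the classpath, which is the split the report's "vulnerability details" and "residual risk" sections need. The project coordinates, the tree itself and the bucket names are assumptions of the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt of `mvn dependency:tree -Dverbose` output (sample data, not a real
# project). Verbose mode prints nodes dropped by conflict mediation in parentheses with an
# "omitted for ..." remark; those versions never reach the classpath.
TREE = r"""
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.5.5:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.14.1:compile
[INFO] +- com.example:legacy-lib:jar:1.2:compile
[INFO] |  \- (org.apache.logging.log4j:log4j-core:jar:2.13.0:compile - omitted for conflict with 2.14.1)
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] +- junit:junit:jar:4.13:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] \- javax.servlet:javax.servlet-api:jar:4.0.1:provided
"""

# Advisory records in the shape OSV returns (affected[].package, ranges[].events). Ranges were
# typed in by hand from the public advisories and reduced to one window each; the real
# CVE-2021-44228 record also covers the 2.12.x branch.
ADVISORIES = [
    {"id": "CVE-2021-44228", "affected": [{
        "package": {"ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-core"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "2.0-beta9"}, {"fixed": "2.15.0"}]}]}]},
    {"id": "CVE-2020-15250", "affected": [{
        "package": {"ecosystem": "Maven", "name": "junit:junit"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "4.7"}, {"fixed": "4.13.1"}]}]}]},
]

RUNTIME_SCOPES = {"compile", "runtime"}  # Maven scopes the skill scans by default
NODE_RE = re.compile(r"^([|+\\\- ]*?)(\(?[A-Za-z0-9].*)$")  # tree-drawing prefix, then the node


@dataclass
class Dep:
    name: str                                      # groupId:artifactId
    version: str
    scope: str
    effective: bool                                # False for "(... omitted for ...)" nodes
    path: list[str] = field(default_factory=list)  # coordinates from the root down to the parent


def parse_tree(text: str) -> list[Dep]:
    deps, stack = [], []
    for raw in text.splitlines():
        m = NODE_RE.match(raw.removeprefix("[INFO] ").rstrip())
        if not m:
            continue
        depth = len(m.group(1)) // 3                             # each tree level is 3 columns wide
        effective = not m.group(2).startswith("(")
        p = m.group(2).strip("()").split(" - ")[0].split(":")    # g:a:type[:classifier]:version[:scope]
        version, scope = (p[-2], p[-1]) if len(p) >= 5 else (p[-1], "compile")
        del stack[depth:]
        dep = Dep(f"{p[0]}:{p[1]}", version, scope, effective, [f"{d.name}:{d.version}" for d in stack])
        stack.append(dep)
        if depth:                                                # depth 0 is the project itself
            deps.append(dep)
    return deps


def version_key(v: str) -> list[tuple[int, object]]:
    # Simplified Maven ordering: numbers compare as ints; a qualifier (beta, rc, ...) sorts below a
    # bare number at the same position, so 2.0-beta9 < 2.0 < 2.0.1. Not a full ComparableVersion.
    return [(1, int(t)) if t.isdigit() else (0, t) for t in re.split(r"[.\-]", v.lower())]


def version_cmp(a: str, b: str) -> int:
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka, kb = ka + [(1, 0)] * (n - len(ka)), kb + [(1, 0)] * (n - len(kb))
    return (ka > kb) - (ka < kb)


def match_range(version: str, events: list[dict]) -> tuple[bool, str | None]:
    """Walk a sorted OSV ECOSYSTEM range; returns (affected, fixed version that closes the window)."""
    affected, fix = False, None
    for ev in events:
        if "introduced" in ev and version_cmp(version, ev["introduced"]) >= 0:
            affected, fix = True, None
        elif "fixed" in ev:
            if version_cmp(version, ev["fixed"]) >= 0:
                affected = False
            elif affected and fix is None:
                fix = ev["fixed"]
    return affected, fix


def scan(tree_text: str, advisories: list[dict]) -> dict[str, list[dict]]:
    """Bucket hits by the three conditions: coordinate matched, version in range, effective at runtime."""
    out = {"confirmed": [], "excluded_scope": [], "not_effective": []}
    for dep in parse_tree(tree_text):
        for adv in advisories:
            for aff in adv["affected"]:
                if aff["package"]["name"] != dep.name:
                    continue
                events = [e for r in aff["ranges"] if r["type"] == "ECOSYSTEM" for e in r["events"]]
                hit, fix = match_range(dep.version, events)
                if not hit:
                    continue
                bucket = ("not_effective" if not dep.effective
                          else "excluded_scope" if dep.scope not in RUNTIME_SCOPES else "confirmed")
                out[bucket].append({"id": adv["id"], "coordinate": f"{dep.name}:{dep.version}",
                                    "scope": dep.scope, "fixed": fix, "path": dep.path})
    return out
```

With real evidence, TREE becomes the captured mvn dependency:tree -Dverbose text and ADVISORIES the "vulns" list returned by an OSV query; the confirmed bucket goes into the report's vulnerability details with the fixed version and the path (which tells you where to add the managed-version override), while the excluded_scope and not_effective buckets are listed under residual risk rather than silently dropped. Gradle's dependencies --configuration runtimeClasspath output carries the same information in a different text format and needs its own parser, and the simplified version comparator itself should be named as an assumption in the report.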

Key principles

  • Collect evidence before concluding: prefer lockfiles and dependency:tree over build-file declarations
  • Double-check: scanner output is a lead, not a verdict; confirm the resolved version and the affected range by hand
  • State uncertainty: anything that cannot be confirmed is marked "needs verification" or "insufficient evidence"
  • Focus on runtime: by default only dependencies that reach the runtime classpath are in scope

Contents

  1. Principles and environment - evidence weighting, vulnerability-match labels, severity levels
  2. Maven project analysis - dependency tree analysis, scope reference, transitive-dependency mechanics
  3. Gradle project analysis - dependency analysis, configuration reference, version catalogs
  4. Vulnerability scanning tools - OWASP Dependency-Check, OSV, Grype, Trivy and others
  5. Command examples - quick reference of common commands
  6. Output and remediation templates - report template, remediation code examples
  7. References and FAQ - cheat sheets, FAQ, links
Safe-use recommendations
This skill is a documentation-driven procedure for auditing Java dependencies; it appears internally consistent. Before using it, ensure you: (1) run it in a safe environment where reading project files and unpacking JARs is permitted (it inspects pom.xml/build.gradle and may unzip jars); (2) have the referenced CLI tools available (mvn, gradle, osv-scanner, trivy, grype, unzip, jdeps, etc.) or be prepared to install them yourself; (3) understand that the skill may call public vulnerability APIs (e.g., api.osv.dev) — if you need to avoid network calls, run the steps offline with local databases; and (4) verify reports manually (the skill itself emphasizes cross-checking and marking uncertain findings). There are no requests for secrets or elevated privileges in the skill materials.
Functional analysis
Type: OpenClaw Skill
Name: java-dependency-security-scan
Version: 1.0.0
The skill bundle is a comprehensive and legitimate set of instructions for performing Java dependency security audits. It provides structured workflows for analyzing Maven and Gradle projects, using standard industry tools (OWASP Dependency-Check, OSV, Grype, Trivy), and generating remediation reports. There is no evidence of malicious intent, data exfiltration, or prompt injection attacks; all commands and guidelines are strictly aligned with the stated purpose of security scanning.
Capability assessment
Purpose & Capability
The name/description (Java/Maven/Gradle dependency security scan) matches the SKILL.md and reference files. All required actions (reading pom.xml/build.gradle, running dependency:tree, inspecting JARs, querying vulnerability feeds like OSV) are consistent with that purpose. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Runtime instructions are explicit and limited to collecting project dependency evidence (lockfiles, dependency trees, build files), running known scanning tools (osv-scanner, grype, trivy, OWASP Dependency-Check), inspecting JAR contents and producing reports. There are no instructions to access unrelated system files, secrets, or to transmit data to unexpected endpoints beyond standard vulnerability feeds (example: api.osv.dev).
Install Mechanism
This is instruction-only with no install spec and no code files to execute. That minimizes install-time risk. The skill references external tools but does not attempt to download or execute code itself.
Credentials
The skill declares no required environment variables, credentials, or config paths. The referenced operations (file reads, CLI tool invocations, optional curl to OSV API) are proportionate to a dependency scanner and do not request unrelated secrets.
Persistence & Privilege
The always flag is false, and the skill does not request persistent system-level changes or access to other skills' configurations. It relies on ad-hoc commands and local file inspection, which is appropriate for its function.
How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install java-dependency-security-scan
  3. After installation, invoke the Skill by name or trigger it with /java-dependency-security-scan
  4. Provide the inputs described in the Skill's parameter notes to receive structured output
Version history
v1.0.0
  • Initial release of the java-dependency-security-scan skill.
  • Supports security risk analysis for dependencies in Java, Maven, and Spring ecosystem projects.
  • Provides workflows for collecting evidence, defining scan scope, matching vulnerabilities, and generating security reports.
  • Detailed instructions for common scenarios such as scanning dependencies, verifying affected versions, analyzing CVEs, and auditing embedded JAR dependencies.
  • Emphasizes evidence-based conclusions, dual confirmation, uncertainty marking, and runtime relevance.
  • Includes references for principles, Maven/Gradle analysis, scanning tools, command examples, reporting templates, and FAQs.
Metadata
Slug java-dependency-security-scan
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Versions 1
FAQ

What is dependency-security-scan?

It analyzes dependency vulnerabilities in Java, Maven or Spring projects, verifies whether the resolved versions are affected, checks transitive and embedded dependencies, and produces a report with remediation advice. It is an AI Agent Skill plugin for Claude Code / OpenClaw with 92 downloads to date.

How do I install dependency-security-scan?

Run the command "/install java-dependency-security-scan" in the OpenClaw or Claude Code chat box; no further configuration is needed.

Is dependency-security-scan free?

Yes. dependency-security-scan is free under the MIT-0 license and can be downloaded, installed and used without restriction.

Which platforms does dependency-security-scan support?

dependency-security-scan is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.

Who develops dependency-security-scan?

Developed and maintained by qiushuizy (@qiushuizy); the current version is v1.0.0.
