suhteevah

licenseguard

Author: suhteevah · GitHub · v1.0.0 · MIT-0
darwin, linux, win32 · Security check passed
Total downloads: 85
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw:
/install licenseguard
Description
Open source license compliance scanner — catches copyleft, viral, and problematic licenses in your dependencies before they create legal risk
Usage (SKILL.md)

LicenseGuard -- Open Source License Compliance Scanner

LicenseGuard scans your dependency manifests for copyleft, viral, and problematic open source licenses before they create legal risk. It detects license declarations across 8 package manager ecosystems (npm, Python, Ruby, Go, Java/Kotlin, Rust, PHP, .NET), classifies risk levels from Critical (copyleft/viral) to Low (permissive), and produces compliance reports with compatibility matrices. All scanning happens locally using pattern matching on manifest files and license text -- no code or dependency data is sent externally.

Commands

Free Tier (No license required)

licenseguard scan [file|directory]

One-shot license compliance scan of dependency manifests.

How to execute:

bash "<SKILL_DIR>/scripts/licenseguard.sh" scan [target]

What it does:

  1. Accepts a file path or directory (defaults to current directory)
  2. Auto-detects package managers in use (npm, Python, Ruby, Go, Java, Rust, PHP, .NET)
  3. Finds all dependency manifest files (package.json, go.mod, Cargo.toml, pom.xml, etc.)
  4. Parses declared licenses from manifests and lock files
  5. Searches for LICENSE/COPYING/NOTICE files in dependency directories
  6. Matches SPDX license identifiers and common license text patterns
  7. Classifies each dependency license by risk level (Critical/High/Medium/Low/Unknown)
  8. Flags dependencies with NO declared license (unknown risk)
  9. Flags dual-licensed packages where one option is copyleft
  10. Calculates a compliance score (0-100)
  11. Free tier: limited to scanning up to 5 manifest files
  12. Exit code 0 if score >= 70, exit code 1 if score < 70 or critical issues found

Example usage scenarios:

  • "Scan my project for license issues" -> runs licenseguard scan .
  • "Check if my dependencies have copyleft licenses" -> runs licenseguard scan .
  • "Are my npm packages license-compliant?" -> runs licenseguard scan package.json
  • "Audit the licenses in this Go module" -> runs licenseguard scan go.mod
  • "What licenses are in my Rust dependencies?" -> runs licenseguard scan Cargo.toml

Pro Tier ($19/user/month -- requires LICENSEGUARD_LICENSE_KEY)

licenseguard scan [file|directory] (unlimited)

Full license compliance scan with no manifest file limit.

How to execute:

bash "<SKILL_DIR>/scripts/licenseguard.sh" scan [target]

What it does (beyond free):

  1. Unlimited manifest file scanning
  2. Deep license text pattern matching (GPL boilerplate, MIT text, Apache notice)
  3. Dual-license detection and risk assessment
  4. Detailed remediation advice per finding

licenseguard hooks install

Install git pre-commit hooks that scan dependency manifests for license issues before every commit.

How to execute:

bash "<SKILL_DIR>/scripts/licenseguard.sh" hooks install

What it does:

  1. Validates Pro+ license
  2. Copies lefthook config to project root
  3. Installs lefthook pre-commit hook
  4. On every commit: scans staged manifest files for license issues, blocks commit if copyleft/viral licenses detected

licenseguard hooks uninstall

Remove LicenseGuard git hooks.

bash "<SKILL_DIR>/scripts/licenseguard.sh" hooks uninstall

licenseguard report [directory]

Generate a full markdown license compliance report.

bash "<SKILL_DIR>/scripts/licenseguard.sh" report [directory]

What it does:

  1. Validates Pro+ license
  2. Runs full scan of the directory
  3. Generates a formatted markdown report with risk breakdown
  4. Includes per-dependency findings, compliance score, and remediation steps
  5. Lists all dependencies grouped by risk level
  6. Output written to LICENSEGUARD-REPORT.md

licenseguard matrix [directory]

Generate a license compatibility matrix.

bash "<SKILL_DIR>/scripts/licenseguard.sh" matrix [directory]

What it does:

  1. Validates Pro+ license
  2. Discovers all unique licenses in the project dependencies
  3. Produces a compatibility matrix showing which licenses can be combined
  4. Flags incompatible license combinations (e.g., GPL + proprietary)
  5. Helps with license selection for your own project

Team Tier ($39/user/month -- requires LICENSEGUARD_LICENSE_KEY with team tier)

licenseguard policy [directory]

Enforce an approved license list.

bash "<SKILL_DIR>/scripts/licenseguard.sh" policy [directory]

What it does:

  1. Validates Team+ license
  2. Loads approved license list from ~/.openclaw/openclaw.json (licenseguard.config.approvedLicenses)
  3. Scans all dependencies and flags any using a license NOT on the approved list
  4. Produces a pass/fail report for CI/CD gating
  5. Exit code 0 if all dependencies use approved licenses, 1 otherwise

licenseguard sbom [directory]

Generate a Software Bill of Materials (SBOM).

bash "<SKILL_DIR>/scripts/licenseguard.sh" sbom [directory]

What it does:

  1. Validates Team+ license
  2. Discovers all dependencies across all package managers
  3. Generates a CycloneDX-like SBOM in JSON and markdown formats
  4. Includes: package name, version, license, risk level, source URL
  5. Suitable for compliance audits, supply chain security, and regulatory requirements
  6. Output written to LICENSEGUARD-SBOM.json and LICENSEGUARD-SBOM.md

License Risk Categories

LicenseGuard classifies open source licenses into five risk levels:

Risk Level                 | Licenses                                        | Impact
---------------------------|-------------------------------------------------|----------------------------------------
Critical (Copyleft/Viral)  | GPL-2.0, GPL-3.0, AGPL-3.0, SSPL, EUPL          | Must open-source your code
High (Weak Copyleft)       | LGPL-2.1, LGPL-3.0, MPL-2.0, EPL-2.0, CDDL      | Must share modifications to the library
Medium (Notice Required)   | Apache-2.0, BSD-2-Clause, BSD-3-Clause, MIT, ISC | Must include license notice
Low (Permissive)           | Unlicense, CC0, WTFPL, 0BSD                     | Minimal restrictions
Unknown                    | NOASSERTION, Custom, Missing                    | Cannot determine risk -- review manually

Supported Package Managers

Ecosystem    | Manifest Files                                                | Lock Files
-------------|---------------------------------------------------------------|-------------------------------
npm          | package.json                                                  | package-lock.json, yarn.lock
Python       | requirements.txt, Pipfile, pyproject.toml, setup.py, setup.cfg | Pipfile.lock
Ruby         | Gemfile                                                       | Gemfile.lock
Go           | go.mod                                                        | go.sum
Java/Kotlin  | pom.xml, build.gradle, build.gradle.kts                       | -
Rust         | Cargo.toml                                                    | Cargo.lock
PHP          | composer.json                                                 | composer.lock
.NET         | *.csproj, packages.config                                     | *.sln

Detection Methods

  1. Manifest parsing -- Extract declared licenses from package manager files
  2. License file scanning -- Search for LICENSE, COPYING, NOTICE files in dependency directories
  3. SPDX matching -- Match SPDX license identifiers (MIT, Apache-2.0, GPL-3.0-only, etc.)
  4. Text pattern matching -- Detect common license boilerplate (GPL preamble, MIT text, Apache notice)
  5. Missing license detection -- Flag dependencies with no license declaration
  6. Dual-license detection -- Identify packages offering multiple license options (OR expressions)

Configuration

Users can configure LicenseGuard in ~/.openclaw/openclaw.json:

{
  "skills": {
    "entries": {
      "licenseguard": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY_HERE",
        "config": {
          "riskThreshold": "high",
          "approvedLicenses": ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"],
          "excludePackages": [],
          "excludePatterns": ["**/node_modules/**", "**/vendor/**"],
          "reportFormat": "markdown"
        }
      }
    }
  }
}

Important Notes

  • Free tier works immediately with no configuration (limited to 5 manifest files)
  • All scanning happens locally -- no code or dependency data is sent to external servers
  • License validation is offline -- no phone-home or network calls
  • Zero telemetry -- no usage data, analytics, or tracking
  • Pattern matching on manifests + license files, no network calls during scanning
  • Git hooks use lefthook which must be installed (see install metadata above)
  • Exit codes: 0 = compliant (score >= 70), 1 = issues found (for CI/CD integration)
  • Compliance score calculation: starts at 100, deducts points per risk level (Critical: -15, High: -10, Medium: -3, Unknown: -8)
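The risk classification (License Risk Categories table) and the compliance-score rule in the note above, worked through in Python as an added example; this is not LicenseGuard's own code, which ships as a bash script. Assumptions: SPDX -only/-or-later/+ suffixes fold onto the table's base identifiers, an OR expression is scored at its least risky option and flagged when another option is copyleft, Unknown ranks above High when choosing, and the dependency list is constructed.

```python
import re

# Risk classes copied from the License Risk Categories table; anything else is Unknown.
RISK_BY_LICENSE = {
    **dict.fromkeys(["GPL-2.0", "GPL-3.0", "AGPL-3.0", "SSPL", "EUPL"], "Critical"),
    **dict.fromkeys(["LGPL-2.1", "LGPL-3.0", "MPL-2.0", "EPL-2.0", "CDDL"], "High"),
    **dict.fromkeys(["Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "MIT", "ISC"], "Medium"),
    **dict.fromkeys(["Unlicense", "CC0", "WTFPL", "0BSD"], "Low"),
}
# Deductions from the Important Notes; Low deducts nothing.
DEDUCTION = {"Critical": 15, "High": 10, "Medium": 3, "Low": 0, "Unknown": 8}
# Severity order for picking the best OR option / worst AND part (assumption: Unknown above High).
ORDER = {"Low": 0, "Medium": 1, "High": 2, "Unknown": 3, "Critical": 4}

def risk_of(license_id: str) -> str:
    # Fold SPDX suffixes (GPL-3.0-only, GPL-3.0-or-later, GPL-2.0+) onto the table's base ids.
    base = re.sub(r"(-only|-or-later|\+)$", "", license_id.strip())
    return RISK_BY_LICENSE.get(base, "Unknown")

def classify(expr: str) -> tuple[str, bool]:
    """Classify an SPDX expression; returns (risk level, dual-licensed-with-copyleft flag).
    Parentheses are dropped, so nested grouping is not modelled (simplification)."""
    expr = (expr or "").replace("(", "").replace(")", "").strip()
    if not expr or expr.upper() == "NOASSERTION":
        return "Unknown", False
    option_risks = []
    for option in re.split(r"\s+OR\s+", expr, flags=re.I):
        parts = re.split(r"\s+AND\s+", option, flags=re.I)
        option_risks.append(max((risk_of(p) for p in parts), key=lambda r: ORDER[r]))
    # A consumer may pick any OR option: score the least risky one, flag copyleft alternatives.
    chosen = min(option_risks, key=lambda r: ORDER[r])
    return chosen, len(option_risks) > 1 and "Critical" in option_risks

def compliance_score(deps: list[tuple[str, str]]) -> tuple[int, list[str], int]:
    """Start at 100, deduct per risk level; exit code 1 if score < 70 or any Critical license."""
    score, findings, critical_found = 100, [], False
    for name, expr in deps:
        risk, dual_copyleft = classify(expr)
        score -= DEDUCTION[risk]
        critical_found |= risk == "Critical"
        if dual_copyleft:
            findings.append(f"{name}: dual-licensed, one option is copyleft ({expr})")
        elif risk == "Unknown":
            findings.append(f"{name}: no determinable license ({expr!r}); review manually")
    score = max(score, 0)
    return score, findings, 0 if score >= 70 and not critical_found else 1

# Constructed sample dependency list (not from any real project).
SAMPLE_DEPS = [("left-pad", "MIT"), ("express", "MIT"), ("httpclient", "Apache-2.0"),
               ("readline-gpl", "GPL-3.0-only"), ("dual-pkg", "MIT OR GPL-2.0"), ("mystery", "")]
```

Note that a score above 70 does not by itself pass: `[("a", "MIT"), ("b", "GPL-2.0")]` scores 82 yet exits 1 because a Critical license is present.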

Error Handling

  • If lefthook is not installed and user tries hooks install, prompt to install it
  • If license key is invalid or expired, show clear message with link to https://licenseguard.pages.dev/renew
  • If a manifest file cannot be parsed, warn and continue with other files
  • If no manifest files found in target, report clean scan with info message
  • If package manager is not recognized, skip with a warning

When to Use LicenseGuard

The user might say things like:

  • "Scan for license issues in my dependencies"
  • "Check if any of my packages use GPL"
  • "Are my npm dependencies license-compliant?"
  • "Find copyleft licenses in this project"
  • "Generate a license compliance report"
  • "Set up license checking on my commits"
  • "Create an SBOM for this project"
  • "What licenses are my Go dependencies using?"
  • "Check license compatibility"
  • "Enforce our approved license list"
  • "Are there any viral licenses in my Rust crates?"
  • "Scan my Python requirements for problematic licenses"
Security usage advice
LicenseGuard is a local, shell-script-based scanner that appears consistent with its description. Before installing: 1) Know that Pro/Team features require you to provide LICENSEGUARD_LICENSE_KEY (or put apiKey in ~/.openclaw/openclaw.json). 2) The optional hooks install will copy a lefthook config into your repo and run lefthook install — review lefthook.yml before committing. 3) The pre-commit hook sources scripts from $HOME/.openclaw/skills/licenseguard when running, so ensure that directory is trusted and not writable by untrusted users. 4) Scans traverse the provided directory with find (can read many files under the target); avoid running against / or other sensitive roots. 5) There are no obvious network exfiltration calls in the scripts (license validation is JWT-decoded locally), but you should still review the shipped scripts if you have sensitive environment constraints. Overall the package is coherent for its purpose.
Functional analysis
Type: OpenClaw Skill Name: licenseguard Version: 1.0.0 The licenseguard skill is a legitimate utility designed to scan project dependencies for license compliance across eight major ecosystems (npm, Python, Go, Rust, etc.). It operates entirely locally by parsing manifest files and matching license declarations against a comprehensive set of SPDX identifiers and regex patterns defined in scripts/patterns.sh. The skill provides features for generating compliance reports, SBOMs, and installing git pre-commit hooks using the third-party tool 'lefthook'. No evidence of data exfiltration, malicious execution, or unauthorized network activity was found; the code logic is transparent and aligns with the stated purpose of identifying legal risks in open-source dependencies.
Capability tags
crypto, can-make-purchases
Capability assessment
Purpose & Capability
Name/description match the implementation: shell scripts parse manifests and license files across multiple ecosystems, classify risk, and offer hook/report/policy/sbom features. Required binaries (git, bash) and the optional lefthook install are appropriate for the stated functionality.
Instruction Scope
Runtime instructions and scripts operate locally and only reference manifest files, license files, and the user's repo. The scanner can walk directories (using find) and will read many files under a provided target directory — expected for this tool but worth noting (scanning '/' would traverse many paths). The hooks install sources analyzer.sh from $HOME/.openclaw/skills/licenseguard, which means the hook executes code from that skill directory on every commit.
Install Mechanism
Install spec only recommends installing the public 'lefthook' brew formula (used for optional pre-commit hooks). No remote arbitrary archive downloads or unusual install locations are used. The skill files themselves are included with the package (shell scripts).
Credentials
Primary credential LICENSEGUARD_LICENSE_KEY is declared and used to unlock Pro/Team features — this is reasonable. The scripts also read ~/.openclaw/openclaw.json for apiKey/config (used by policy feature); that config path is referenced in SKILL.md and code but was not declared in the registry's required config paths. The scripts attempt to use python/node/jq if available to parse configs, but do not require them.
Persistence & Privilege
always is false and model invocation is not disabled. The skill installs a lefthook pre-commit hook into a repository when explicitly requested; this modifies repository-level files (lefthook.yml) as expected for a hooks tool. It does not modify other skills or global agent settings.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Type the install command in the chat box: /install licenseguard
  3. After installation, call the Skill by name directly or trigger it with /licenseguard
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.0.0
Initial release of LicenseGuard – an open source license compliance scanner.
  • Scans dependencies for copyleft, viral, and problematic licenses across 8 package manager ecosystems.
  • Reports license risk levels (Critical/High/Medium/Low/Unknown) and calculates a compliance score.
  • Enforces approved license lists and blocks commits with high-risk licenses (Pro/Team features).
  • Generates compliance reports, compatibility matrices, and SBOMs for audit and security.
  • All scans run locally; no external data is sent.
Metadata
Slug: licenseguard
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Versions: 1
FAQ

What is licenseguard?

Open source license compliance scanner — catches copyleft, viral, and problematic licenses in your dependencies before they create legal risk. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 85 downloads so far.

How do I install licenseguard?

Run the command "/install licenseguard" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is licenseguard free?

Yes, licenseguard is completely free under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does licenseguard support?

licenseguard is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed (darwin, linux, win32).

Who developed licenseguard?

Developed and maintained by suhteevah (@suhteevah); current version v1.0.0.