{ "schemaVersion": "1.0", "item": { "slug": "dep-audit", "name": "dep-audit", "source": "tencent", "type": "skill", "category": "开发工具", "sourceUrl": "https://clawhub.ai/tkuehnl/dep-audit", "canonicalUrl": "https://clawhub.ai/tkuehnl/dep-audit", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/dep-audit", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=dep-audit", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "CHANGELOG.md", "README.md", "SECURITY.md", "SKILL.md", "SPEC.md", "TESTING.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-05-07T17:22:31.273Z", "expiresAt": "2026-05-14T17:22:31.273Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-annual-report", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-annual-report", "contentDisposition": "attachment; filename=\"afrexai-annual-report-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/dep-audit" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/dep-audit", "agentPageUrl": "https://openagent3.xyz/skills/dep-audit/agent", "manifestUrl": "https://openagent3.xyz/skills/dep-audit/agent.json", "briefUrl": "https://openagent3.xyz/skills/dep-audit/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Dependency Audit Skill", "body": "Detect and report known vulnerabilities in your project's dependency tree.\nSupports npm, pip (Python), Cargo (Rust), and Go out of the box.\nNo API keys. No config. Just point it at a project." }, { "title": "Activation", "body": "This skill activates when the user mentions:\n\n\"audit\", \"vulnerability\", \"CVE\", \"dependency check\", \"supply chain\", \"security scan\"\nChecking dependencies, lockfiles, or packages for issues\nGenerating an SBOM (Software Bill of Materials)" }, { "title": "Example Prompts", "body": "\"Audit this project for vulnerabilities\"\n\"Check all my repos in ~/projects for known CVEs\"\n\"Are there any critical vulnerabilities I should fix right now?\"\n\"Generate an SBOM for this project\"\n\"What dependencies need updating in this project?\"\n\"Audit only the Python dependencies\"" }, { "title": "Permissions", "body": "permissions:\n exec: true # Required to run audit CLIs\n read: true # Read lockfiles\n write: on-request # SBOM generation writes sbom.cdx.json when user asks\n network: true # Tools fetch advisory DBs" }, { "title": "Agent Workflow", "body": "Follow this sequence exactly:" }, { "title": "Step 1: Detect", "body": "Run the detection script to discover lockfiles and available tools:\n\nbash /scripts/detect.sh \n\nIf no target directory is given, use the current working directory (.).\n\nParse the JSON output. Note which ecosystems have lockfiles and which tools are available." }, { "title": "Step 2: Audit Each Ecosystem", "body": "For each ecosystem detected in Step 1:\n\nIf the audit tool is available, run the corresponding script:\nbash /scripts/audit-npm.sh \nbash /scripts/audit-pip.sh \nbash /scripts/audit-cargo.sh \nbash /scripts/audit-go.sh \n\n\n\nIf the tool is missing, tell the user which tool is needed and the install command from the detect output. Skip that ecosystem and continue with others.\n\nNote: yarn.lock and pnpm-lock.yaml are detected as yarn and pnpm ecosystems respectively. Audit support is npm-only in v0.1.x (package-lock.json). If only a yarn.lock or pnpm-lock.yaml is present, inform the user that dedicated yarn/pnpm audit is not yet supported and suggest running yarn audit or pnpm audit manually.\n\nEach script outputs normalized JSON to stdout." }, { "title": "Step 3: Aggregate", "body": "Pipe or pass all per-ecosystem JSON results to the aggregator:\n\nbash /scripts/aggregate.sh ... 1>unified.json 2>report.md\n\nThe aggregator outputs unified JSON to stdout and a Markdown report to stderr.\nCapture both: 2>report.md for the Markdown, 1>unified.json for the JSON." }, { "title": "Step 4: Present Results", "body": "Show the user the Markdown report from the aggregator. Highlight:\n\nTotal vulnerability count by severity\nCritical and High findings first (these need attention)\nWhich ecosystems were scanned vs skipped\n\nIf zero vulnerabilities found: report \"✅ No known vulnerabilities found.\"\nIf no lockfiles found: report \"No lockfiles found in . This skill works with npm, pip, Cargo, and Go projects.\"" }, { "title": "Discord v2 Delivery Mode (OpenClaw v2026.2.14+)", "body": "When the user is in a Discord channel:\n\nSend a short first response with totals and only Critical/High findings.\nKeep the first message under ~1200 characters and avoid large Markdown tables up front.\nIf Discord components are available, include quick actions:\n\nShow Full Report\nShow Fix Commands\nGenerate SBOM\n\n\nIf components are unavailable, provide the same options as a numbered list.\nSend long details in short chunks (<=15 lines) to improve readability." }, { "title": "Step 5: Fix Suggestions (only if user asks)", "body": "If the user asks to fix vulnerabilities:\n\nList every fix command with the package name, current version, and target version.\nSuggest creating a branch first: git checkout -b dep-audit-fixes\nAsk for explicit confirmation before running ANY fix command.\nNever batch-run fix commands silently.\n\nExample interaction:\n\nI found these fix commands:\n 1. cd /home/user/project && npm audit fix\n 2. pip install requests>=2.31.0\n\nI recommend creating a branch first:\n git checkout -b dep-audit-fixes\n\nShall I run them? (yes/no)" }, { "title": "Step 6: SBOM (only if user asks)", "body": "bash /scripts/sbom.sh \n\nReport the file location and component count." }, { "title": "Error Handling", "body": "SituationBehaviorTool not foundPrint which tool is missing + install command. Continue with available tools.Audit tool failsCapture stderr, report \"audit failed for [ecosystem]: [error]\". Continue with others.Timeout (>30s per tool)When timeout/gtimeout is available, report \"audit timed out for [ecosystem], skipping\". Continue.Invalid target directoryReport \"directory not found or not accessible\" and stop that ecosystem scan (do not report false \"clean\").No lockfiles foundReport \"No lockfiles found\" + list supported ecosystems.jq not availableDetection works without jq. Audit and aggregation require jq — install it first.Malformed lockfileReport parse error for that ecosystem. Continue with others." }, { "title": "Aggregation Robustness", "body": "aggregate.sh now tolerates mixed inputs (valid results + error objects).\nInvalid input objects are listed under errors in unified JSON and rendered in a \"Skipped / Error Inputs\" Markdown section.\nIf no valid ecosystem results are provided, aggregate output sets status: \"error\" instead of crashing." }, { "title": "Safety", "body": "Default mode is report-only. The skill never modifies files unless you explicitly ask for a fix and confirm.\nAudit tools read lockfiles — they do not execute project code.\nFix commands (npm audit fix, pip install --upgrade) are printed as suggestions. The agent will ask for confirmation before running them.\nThis skill checks known advisory databases (OSV, GitHub Advisory DB, RustSec). It does not detect zero-days or runtime vulnerabilities.\nNo data is sent to third-party services beyond what the native audit tools do (they query public advisory databases).\nNo telemetry. No tracking. No phone-home." } ], "body": "Dependency Audit Skill\n\nDetect and report known vulnerabilities in your project's dependency tree. Supports npm, pip (Python), Cargo (Rust), and Go out of the box. No API keys. No config. Just point it at a project.\n\nActivation\n\nThis skill activates when the user mentions:\n\n\"audit\", \"vulnerability\", \"CVE\", \"dependency check\", \"supply chain\", \"security scan\"\nChecking dependencies, lockfiles, or packages for issues\nGenerating an SBOM (Software Bill of Materials)\nExample Prompts\n\"Audit this project for vulnerabilities\"\n\"Check all my repos in ~/projects for known CVEs\"\n\"Are there any critical vulnerabilities I should fix right now?\"\n\"Generate an SBOM for this project\"\n\"What dependencies need updating in this project?\"\n\"Audit only the Python dependencies\"\nPermissions\npermissions:\n exec: true # Required to run audit CLIs\n read: true # Read lockfiles\n write: on-request # SBOM generation writes sbom.cdx.json when user asks\n network: true # Tools fetch advisory DBs\n\nAgent Workflow\n\nFollow this sequence exactly:\n\nStep 1: Detect\n\nRun the detection script to discover lockfiles and available tools:\n\nbash /scripts/detect.sh \n\n\nIf no target directory is given, use the current working directory (.).\n\nParse the JSON output. Note which ecosystems have lockfiles and which tools are available.\n\nStep 2: Audit Each Ecosystem\n\nFor each ecosystem detected in Step 1:\n\nIf the audit tool is available, run the corresponding script:\n\nbash /scripts/audit-npm.sh \nbash /scripts/audit-pip.sh \nbash /scripts/audit-cargo.sh \nbash /scripts/audit-go.sh \n\n\nIf the tool is missing, tell the user which tool is needed and the install command from the detect output. Skip that ecosystem and continue with others.\n\nNote: yarn.lock and pnpm-lock.yaml are detected as yarn and pnpm ecosystems respectively. Audit support is npm-only in v0.1.x (package-lock.json). If only a yarn.lock or pnpm-lock.yaml is present, inform the user that dedicated yarn/pnpm audit is not yet supported and suggest running yarn audit or pnpm audit manually.\n\nEach script outputs normalized JSON to stdout.\n\nStep 3: Aggregate\n\nPipe or pass all per-ecosystem JSON results to the aggregator:\n\nbash /scripts/aggregate.sh ... 1>unified.json 2>report.md\n\n\nThe aggregator outputs unified JSON to stdout and a Markdown report to stderr. Capture both: 2>report.md for the Markdown, 1>unified.json for the JSON.\n\nStep 4: Present Results\n\nShow the user the Markdown report from the aggregator. Highlight:\n\nTotal vulnerability count by severity\nCritical and High findings first (these need attention)\nWhich ecosystems were scanned vs skipped\n\nIf zero vulnerabilities found: report \"✅ No known vulnerabilities found.\" If no lockfiles found: report \"No lockfiles found in . This skill works with npm, pip, Cargo, and Go projects.\"\n\nDiscord v2 Delivery Mode (OpenClaw v2026.2.14+)\n\nWhen the user is in a Discord channel:\n\nSend a short first response with totals and only Critical/High findings.\nKeep the first message under ~1200 characters and avoid large Markdown tables up front.\nIf Discord components are available, include quick actions:\nShow Full Report\nShow Fix Commands\nGenerate SBOM\nIf components are unavailable, provide the same options as a numbered list.\nSend long details in short chunks (<=15 lines) to improve readability.\nStep 5: Fix Suggestions (only if user asks)\n\nIf the user asks to fix vulnerabilities:\n\nList every fix command with the package name, current version, and target version.\nSuggest creating a branch first: git checkout -b dep-audit-fixes\nAsk for explicit confirmation before running ANY fix command.\nNever batch-run fix commands silently.\n\nExample interaction:\n\nI found these fix commands:\n 1. cd /home/user/project && npm audit fix\n 2. pip install requests>=2.31.0\n\nI recommend creating a branch first:\n git checkout -b dep-audit-fixes\n\nShall I run them? (yes/no)\n\nStep 6: SBOM (only if user asks)\nbash /scripts/sbom.sh \n\n\nReport the file location and component count.\n\nError Handling\nSituation\tBehavior\nTool not found\tPrint which tool is missing + install command. Continue with available tools.\nAudit tool fails\tCapture stderr, report \"audit failed for [ecosystem]: [error]\". Continue with others.\nTimeout (>30s per tool)\tWhen timeout/gtimeout is available, report \"audit timed out for [ecosystem], skipping\". Continue.\nInvalid target directory\tReport \"directory not found or not accessible\" and stop that ecosystem scan (do not report false \"clean\").\nNo lockfiles found\tReport \"No lockfiles found\" + list supported ecosystems.\njq not available\tDetection works without jq. Audit and aggregation require jq — install it first.\nMalformed lockfile\tReport parse error for that ecosystem. Continue with others.\nAggregation Robustness\naggregate.sh now tolerates mixed inputs (valid results + error objects).\nInvalid input objects are listed under errors in unified JSON and rendered in a \"Skipped / Error Inputs\" Markdown section.\nIf no valid ecosystem results are provided, aggregate output sets status: \"error\" instead of crashing.\nSafety\nDefault mode is report-only. The skill never modifies files unless you explicitly ask for a fix and confirm.\nAudit tools read lockfiles — they do not execute project code.\nFix commands (npm audit fix, pip install --upgrade) are printed as suggestions. The agent will ask for confirmation before running them.\nThis skill checks known advisory databases (OSV, GitHub Advisory DB, RustSec). It does not detect zero-days or runtime vulnerabilities.\nNo data is sent to third-party services beyond what the native audit tools do (they query public advisory databases).\nNo telemetry. No tracking. No phone-home." }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/tkuehnl/dep-audit", "publisherUrl": "https://clawhub.ai/tkuehnl/dep-audit", "owner": "tkuehnl", "version": "0.2.1", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/dep-audit", "downloadUrl": "https://openagent3.xyz/downloads/dep-audit", "agentUrl": "https://openagent3.xyz/skills/dep-audit/agent", "manifestUrl": "https://openagent3.xyz/skills/dep-audit/agent.json", "briefUrl": "https://openagent3.xyz/skills/dep-audit/agent.md" } }