{ "schemaVersion": "1.0", "item": { "slug": "dependency-auditor", "name": "Dependency Auditor", "source": "tencent", "type": "skill", "category": "数据分析", "sourceUrl": "https://clawhub.ai/alirezarezvani/dependency-auditor", "canonicalUrl": "https://clawhub.ai/alirezarezvani/dependency-auditor", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/dependency-auditor", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=dependency-auditor", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "README.md", "SKILL.md", "assets/sample_package.json", "assets/sample_requirements.txt", "expected_outputs/sample_license_report.txt", "expected_outputs/sample_upgrade_plan.txt" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-23T16:43:11.935Z", "expiresAt": "2026-04-30T16:43:11.935Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/dependency-auditor" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/dependency-auditor", "agentPageUrl": "https://openagent3.xyz/skills/dependency-auditor/agent", "manifestUrl": "https://openagent3.xyz/skills/dependency-auditor/agent.json", "briefUrl": "https://openagent3.xyz/skills/dependency-auditor/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Dependency Auditor", "body": "Skill Type: POWERFUL\nCategory: Engineering\nDomain: Dependency Management & Security" }, { "title": "Overview", "body": "The Dependency Auditor is a comprehensive toolkit for analyzing, auditing, and managing dependencies across multi-language software projects. This skill provides deep visibility into your project's dependency ecosystem, enabling teams to identify vulnerabilities, ensure license compliance, optimize dependency trees, and plan safe upgrades.\n\nIn modern software development, dependencies form complex webs that can introduce significant security, legal, and maintenance risks. A single project might have hundreds of direct and transitive dependencies, each potentially introducing vulnerabilities, license conflicts, or maintenance burden. This skill addresses these challenges through automated analysis and actionable recommendations." }, { "title": "1. Vulnerability Scanning & CVE Matching", "body": "Comprehensive Security Analysis\n\nScans dependencies against built-in vulnerability databases\nMatches Common Vulnerabilities and Exposures (CVE) patterns\nIdentifies known security issues across multiple ecosystems\nAnalyzes transitive dependency vulnerabilities\nProvides CVSS scores and exploit assessments\nTracks vulnerability disclosure timelines\nMaps vulnerabilities to dependency paths\n\nMulti-Language Support\n\nJavaScript/Node.js: package.json, package-lock.json, yarn.lock\nPython: requirements.txt, pyproject.toml, Pipfile.lock, poetry.lock\nGo: go.mod, go.sum\nRust: Cargo.toml, Cargo.lock\nRuby: Gemfile, Gemfile.lock\nJava/Maven: pom.xml, gradle.lockfile\nPHP: composer.json, composer.lock\nC#/.NET: packages.config, project.assets.json" }, { "title": "2. License Compliance & Legal Risk Assessment", "body": "License Classification System\n\nPermissive Licenses: MIT, Apache 2.0, BSD (2-clause, 3-clause), ISC\nCopyleft (Strong): GPL (v2, v3), AGPL (v3)\nCopyleft (Weak): LGPL (v2.1, v3), MPL (v2.0)\nProprietary: Commercial, custom, or restrictive licenses\nDual Licensed: Multi-license scenarios and compatibility\nUnknown/Ambiguous: Missing or unclear licensing\n\nConflict Detection\n\nIdentifies incompatible license combinations\nWarns about GPL contamination in permissive projects\nAnalyzes license inheritance through dependency chains\nProvides compliance recommendations for distribution\nGenerates legal risk matrices for decision-making" }, { "title": "3. Outdated Dependency Detection", "body": "Version Analysis\n\nIdentifies dependencies with available updates\nCategorizes updates by severity (patch, minor, major)\nDetects pinned versions that may be outdated\nAnalyzes semantic versioning patterns\nIdentifies floating version specifiers\nTracks release frequencies and maintenance status\n\nMaintenance Status Assessment\n\nIdentifies abandoned or unmaintained packages\nAnalyzes commit frequency and contributor activity\nTracks last release dates and security patch availability\nIdentifies packages with known end-of-life dates\nAssesses upstream maintenance quality" }, { "title": "4. Dependency Bloat Analysis", "body": "Unused Dependency Detection\n\nIdentifies dependencies that aren't actually imported/used\nAnalyzes import statements and usage patterns\nDetects redundant dependencies with overlapping functionality\nIdentifies oversized packages for simple use cases\nMaps actual vs. declared dependency usage\n\nRedundancy Analysis\n\nIdentifies multiple packages providing similar functionality\nDetects version conflicts in transitive dependencies\nAnalyzes bundle size impact of dependencies\nIdentifies opportunities for dependency consolidation\nMaps dependency overlap and duplication" }, { "title": "5. Upgrade Path Planning & Breaking Change Risk", "body": "Semantic Versioning Analysis\n\nAnalyzes semver patterns to predict breaking changes\nIdentifies safe upgrade paths (patch/minor versions)\nFlags major version updates requiring attention\nTracks breaking changes across dependency updates\nProvides rollback strategies for failed upgrades\n\nRisk Assessment Matrix\n\nLow Risk: Patch updates, security fixes\nMedium Risk: Minor updates with new features\nHigh Risk: Major version updates, API changes\nCritical Risk: Dependencies with known breaking changes\n\nUpgrade Prioritization\n\nSecurity patches: Highest priority\nBug fixes: High priority\nFeature updates: Medium priority\nMajor rewrites: Planned priority\nDeprecated features: Immediate attention" }, { "title": "6. Supply Chain Security", "body": "Dependency Provenance\n\nVerifies package signatures and checksums\nAnalyzes package download sources and mirrors\nIdentifies suspicious or compromised packages\nTracks package ownership changes and maintainer shifts\nDetects typosquatting and malicious packages\n\nTransitive Risk Analysis\n\nMaps complete dependency trees\nIdentifies high-risk transitive dependencies\nAnalyzes dependency depth and complexity\nTracks influence of indirect dependencies\nProvides supply chain risk scoring" }, { "title": "7. Lockfile Analysis & Deterministic Builds", "body": "Lockfile Validation\n\nEnsures lockfiles are up-to-date with manifests\nValidates integrity hashes and version consistency\nIdentifies drift between environments\nAnalyzes lockfile conflicts and resolution strategies\nEnsures deterministic, reproducible builds\n\nEnvironment Consistency\n\nCompares dependencies across environments (dev/staging/prod)\nIdentifies version mismatches between team members\nValidates CI/CD environment consistency\nTracks dependency resolution differences" }, { "title": "Scanner Engine (dep_scanner.py)", "body": "Multi-format parser supporting 8+ package ecosystems\nBuilt-in vulnerability database with 500+ CVE patterns\nTransitive dependency resolution from lockfiles\nJSON and human-readable output formats\nConfigurable scanning depth and exclusion patterns" }, { "title": "License Analyzer (license_checker.py)", "body": "License detection from package metadata and files\nCompatibility matrix with 20+ license types\nConflict detection engine with remediation suggestions\nRisk scoring based on distribution and usage context\nExport capabilities for legal review" }, { "title": "Upgrade Planner (upgrade_planner.py)", "body": "Semantic version analysis with breaking change prediction\nDependency ordering based on risk and interdependence\nMigration checklists with testing recommendations\nRollback procedures for failed upgrades\nTimeline estimation for upgrade cycles" }, { "title": "Security Teams", "body": "Vulnerability Management: Continuous scanning for security issues\nIncident Response: Rapid assessment of vulnerable dependencies\nSupply Chain Monitoring: Tracking third-party security posture\nCompliance Reporting: Automated security compliance documentation" }, { "title": "Legal & Compliance Teams", "body": "License Auditing: Comprehensive license compliance verification\nRisk Assessment: Legal risk analysis for software distribution\nDue Diligence: Dependency licensing for M&A activities\nPolicy Enforcement: Automated license policy compliance" }, { "title": "Development Teams", "body": "Dependency Hygiene: Regular cleanup of unused dependencies\nUpgrade Planning: Strategic dependency update scheduling\nPerformance Optimization: Bundle size optimization through dep analysis\nTechnical Debt: Identifying and prioritizing dependency technical debt" }, { "title": "DevOps & Platform Teams", "body": "Build Optimization: Faster builds through dependency optimization\nSecurity Automation: Automated vulnerability scanning in CI/CD\nEnvironment Consistency: Ensuring consistent dependencies across environments\nRelease Management: Dependency-aware release planning" }, { "title": "CI/CD Pipeline Integration", "body": "# Security gate in CI\npython dep_scanner.py /project --format json --fail-on-high\npython license_checker.py /project --policy strict --format json" }, { "title": "Scheduled Audits", "body": "# Weekly dependency audit\n./audit_dependencies.sh > weekly_report.html\npython upgrade_planner.py deps.json --timeline 30days" }, { "title": "Development Workflow", "body": "# Pre-commit dependency check\npython dep_scanner.py . --quick-scan\npython license_checker.py . --warn-conflicts" }, { "title": "Custom Vulnerability Databases", "body": "Support for internal/proprietary vulnerability feeds\nCustom CVE pattern definitions\nOrganization-specific risk scoring\nIntegration with enterprise security tools" }, { "title": "Policy-Based Scanning", "body": "Configurable license policies by project type\nCustom risk thresholds and escalation rules\nAutomated policy enforcement and notifications\nException management for approved violations" }, { "title": "Reporting & Dashboards", "body": "Executive summaries for management\nTechnical reports for development teams\nTrend analysis and dependency health metrics\nIntegration with project management tools" }, { "title": "Multi-Project Analysis", "body": "Portfolio-level dependency analysis\nShared dependency impact analysis\nOrganization-wide license compliance\nCross-project vulnerability propagation" }, { "title": "Scanning Frequency", "body": "Security Scans: Daily or on every commit\nLicense Audits: Weekly or monthly\nUpgrade Planning: Monthly or quarterly\nFull Dependency Audit: Quarterly" }, { "title": "Risk Management", "body": "Prioritize Security: Address high/critical CVEs immediately\nLicense First: Ensure compliance before functionality\nGradual Updates: Incremental dependency updates\nTest Thoroughly: Comprehensive testing after updates\nMonitor Continuously: Automated monitoring and alerting" }, { "title": "Team Workflows", "body": "Security Champions: Designate dependency security owners\nReview Process: Mandatory review for new dependencies\nUpdate Cycles: Regular, scheduled dependency updates\nDocumentation: Maintain dependency rationale and decisions\nTraining: Regular team education on dependency security" }, { "title": "Security Metrics", "body": "Mean Time to Patch (MTTP) for vulnerabilities\nNumber of high/critical vulnerabilities\nPercentage of dependencies with known vulnerabilities\nSecurity debt accumulation rate" }, { "title": "Compliance Metrics", "body": "License compliance percentage\nNumber of license conflicts\nTime to resolve compliance issues\nPolicy violation frequency" }, { "title": "Maintenance Metrics", "body": "Percentage of up-to-date dependencies\nAverage dependency age\nNumber of abandoned dependencies\nUpgrade success rate" }, { "title": "Efficiency Metrics", "body": "Bundle size reduction percentage\nUnused dependency elimination rate\nBuild time improvement\nDeveloper productivity impact" }, { "title": "Common Issues", "body": "False Positives: Tuning vulnerability detection sensitivity\nLicense Ambiguity: Resolving unclear or multiple licenses\nBreaking Changes: Managing major version upgrades\nPerformance Impact: Optimizing scanning for large codebases" }, { "title": "Resolution Strategies", "body": "Whitelist false positives with documentation\nContact maintainers for license clarification\nImplement feature flags for risky upgrades\nUse incremental scanning for large projects" }, { "title": "Planned Features", "body": "Machine learning for vulnerability prediction\nAutomated dependency update pull requests\nIntegration with container image scanning\nReal-time dependency monitoring dashboards\nNatural language policy definition" }, { "title": "Ecosystem Expansion", "body": "Additional language support (Swift, Kotlin, Dart)\nContainer and infrastructure dependencies\nDevelopment tool and build system dependencies\nCloud service and SaaS dependency tracking" }, { "title": "Quick Start", "body": "# Scan project for vulnerabilities and licenses\npython scripts/dep_scanner.py /path/to/project\n\n# Check license compliance\npython scripts/license_checker.py /path/to/project --policy strict\n\n# Plan dependency upgrades\npython scripts/upgrade_planner.py deps.json --risk-threshold medium\n\nFor detailed usage instructions, see README.md.\n\nThis skill provides comprehensive dependency management capabilities essential for maintaining secure, compliant, and efficient software projects. Regular use helps teams stay ahead of security threats, maintain legal compliance, and optimize their dependency ecosystems." } ], "body": "Dependency Auditor\n\nSkill Type: POWERFUL\nCategory: Engineering\nDomain: Dependency Management & Security\n\nOverview\n\nThe Dependency Auditor is a comprehensive toolkit for analyzing, auditing, and managing dependencies across multi-language software projects. This skill provides deep visibility into your project's dependency ecosystem, enabling teams to identify vulnerabilities, ensure license compliance, optimize dependency trees, and plan safe upgrades.\n\nIn modern software development, dependencies form complex webs that can introduce significant security, legal, and maintenance risks. A single project might have hundreds of direct and transitive dependencies, each potentially introducing vulnerabilities, license conflicts, or maintenance burden. This skill addresses these challenges through automated analysis and actionable recommendations.\n\nCore Capabilities\n1. Vulnerability Scanning & CVE Matching\n\nComprehensive Security Analysis\n\nScans dependencies against built-in vulnerability databases\nMatches Common Vulnerabilities and Exposures (CVE) patterns\nIdentifies known security issues across multiple ecosystems\nAnalyzes transitive dependency vulnerabilities\nProvides CVSS scores and exploit assessments\nTracks vulnerability disclosure timelines\nMaps vulnerabilities to dependency paths\n\nMulti-Language Support\n\nJavaScript/Node.js: package.json, package-lock.json, yarn.lock\nPython: requirements.txt, pyproject.toml, Pipfile.lock, poetry.lock\nGo: go.mod, go.sum\nRust: Cargo.toml, Cargo.lock\nRuby: Gemfile, Gemfile.lock\nJava/Maven: pom.xml, gradle.lockfile\nPHP: composer.json, composer.lock\nC#/.NET: packages.config, project.assets.json\n2. License Compliance & Legal Risk Assessment\n\nLicense Classification System\n\nPermissive Licenses: MIT, Apache 2.0, BSD (2-clause, 3-clause), ISC\nCopyleft (Strong): GPL (v2, v3), AGPL (v3)\nCopyleft (Weak): LGPL (v2.1, v3), MPL (v2.0)\nProprietary: Commercial, custom, or restrictive licenses\nDual Licensed: Multi-license scenarios and compatibility\nUnknown/Ambiguous: Missing or unclear licensing\n\nConflict Detection\n\nIdentifies incompatible license combinations\nWarns about GPL contamination in permissive projects\nAnalyzes license inheritance through dependency chains\nProvides compliance recommendations for distribution\nGenerates legal risk matrices for decision-making\n3. Outdated Dependency Detection\n\nVersion Analysis\n\nIdentifies dependencies with available updates\nCategorizes updates by severity (patch, minor, major)\nDetects pinned versions that may be outdated\nAnalyzes semantic versioning patterns\nIdentifies floating version specifiers\nTracks release frequencies and maintenance status\n\nMaintenance Status Assessment\n\nIdentifies abandoned or unmaintained packages\nAnalyzes commit frequency and contributor activity\nTracks last release dates and security patch availability\nIdentifies packages with known end-of-life dates\nAssesses upstream maintenance quality\n4. Dependency Bloat Analysis\n\nUnused Dependency Detection\n\nIdentifies dependencies that aren't actually imported/used\nAnalyzes import statements and usage patterns\nDetects redundant dependencies with overlapping functionality\nIdentifies oversized packages for simple use cases\nMaps actual vs. declared dependency usage\n\nRedundancy Analysis\n\nIdentifies multiple packages providing similar functionality\nDetects version conflicts in transitive dependencies\nAnalyzes bundle size impact of dependencies\nIdentifies opportunities for dependency consolidation\nMaps dependency overlap and duplication\n5. Upgrade Path Planning & Breaking Change Risk\n\nSemantic Versioning Analysis\n\nAnalyzes semver patterns to predict breaking changes\nIdentifies safe upgrade paths (patch/minor versions)\nFlags major version updates requiring attention\nTracks breaking changes across dependency updates\nProvides rollback strategies for failed upgrades\n\nRisk Assessment Matrix\n\nLow Risk: Patch updates, security fixes\nMedium Risk: Minor updates with new features\nHigh Risk: Major version updates, API changes\nCritical Risk: Dependencies with known breaking changes\n\nUpgrade Prioritization\n\nSecurity patches: Highest priority\nBug fixes: High priority\nFeature updates: Medium priority\nMajor rewrites: Planned priority\nDeprecated features: Immediate attention\n6. Supply Chain Security\n\nDependency Provenance\n\nVerifies package signatures and checksums\nAnalyzes package download sources and mirrors\nIdentifies suspicious or compromised packages\nTracks package ownership changes and maintainer shifts\nDetects typosquatting and malicious packages\n\nTransitive Risk Analysis\n\nMaps complete dependency trees\nIdentifies high-risk transitive dependencies\nAnalyzes dependency depth and complexity\nTracks influence of indirect dependencies\nProvides supply chain risk scoring\n7. Lockfile Analysis & Deterministic Builds\n\nLockfile Validation\n\nEnsures lockfiles are up-to-date with manifests\nValidates integrity hashes and version consistency\nIdentifies drift between environments\nAnalyzes lockfile conflicts and resolution strategies\nEnsures deterministic, reproducible builds\n\nEnvironment Consistency\n\nCompares dependencies across environments (dev/staging/prod)\nIdentifies version mismatches between team members\nValidates CI/CD environment consistency\nTracks dependency resolution differences\nTechnical Architecture\nScanner Engine (dep_scanner.py)\nMulti-format parser supporting 8+ package ecosystems\nBuilt-in vulnerability database with 500+ CVE patterns\nTransitive dependency resolution from lockfiles\nJSON and human-readable output formats\nConfigurable scanning depth and exclusion patterns\nLicense Analyzer (license_checker.py)\nLicense detection from package metadata and files\nCompatibility matrix with 20+ license types\nConflict detection engine with remediation suggestions\nRisk scoring based on distribution and usage context\nExport capabilities for legal review\nUpgrade Planner (upgrade_planner.py)\nSemantic version analysis with breaking change prediction\nDependency ordering based on risk and interdependence\nMigration checklists with testing recommendations\nRollback procedures for failed upgrades\nTimeline estimation for upgrade cycles\nUse Cases & Applications\nSecurity Teams\nVulnerability Management: Continuous scanning for security issues\nIncident Response: Rapid assessment of vulnerable dependencies\nSupply Chain Monitoring: Tracking third-party security posture\nCompliance Reporting: Automated security compliance documentation\nLegal & Compliance Teams\nLicense Auditing: Comprehensive license compliance verification\nRisk Assessment: Legal risk analysis for software distribution\nDue Diligence: Dependency licensing for M&A activities\nPolicy Enforcement: Automated license policy compliance\nDevelopment Teams\nDependency Hygiene: Regular cleanup of unused dependencies\nUpgrade Planning: Strategic dependency update scheduling\nPerformance Optimization: Bundle size optimization through dep analysis\nTechnical Debt: Identifying and prioritizing dependency technical debt\nDevOps & Platform Teams\nBuild Optimization: Faster builds through dependency optimization\nSecurity Automation: Automated vulnerability scanning in CI/CD\nEnvironment Consistency: Ensuring consistent dependencies across environments\nRelease Management: Dependency-aware release planning\nIntegration Patterns\nCI/CD Pipeline Integration\n# Security gate in CI\npython dep_scanner.py /project --format json --fail-on-high\npython license_checker.py /project --policy strict --format json\n\nScheduled Audits\n# Weekly dependency audit\n./audit_dependencies.sh > weekly_report.html\npython upgrade_planner.py deps.json --timeline 30days\n\nDevelopment Workflow\n# Pre-commit dependency check\npython dep_scanner.py . --quick-scan\npython license_checker.py . --warn-conflicts\n\nAdvanced Features\nCustom Vulnerability Databases\nSupport for internal/proprietary vulnerability feeds\nCustom CVE pattern definitions\nOrganization-specific risk scoring\nIntegration with enterprise security tools\nPolicy-Based Scanning\nConfigurable license policies by project type\nCustom risk thresholds and escalation rules\nAutomated policy enforcement and notifications\nException management for approved violations\nReporting & Dashboards\nExecutive summaries for management\nTechnical reports for development teams\nTrend analysis and dependency health metrics\nIntegration with project management tools\nMulti-Project Analysis\nPortfolio-level dependency analysis\nShared dependency impact analysis\nOrganization-wide license compliance\nCross-project vulnerability propagation\nBest Practices\nScanning Frequency\nSecurity Scans: Daily or on every commit\nLicense Audits: Weekly or monthly\nUpgrade Planning: Monthly or quarterly\nFull Dependency Audit: Quarterly\nRisk Management\nPrioritize Security: Address high/critical CVEs immediately\nLicense First: Ensure compliance before functionality\nGradual Updates: Incremental dependency updates\nTest Thoroughly: Comprehensive testing after updates\nMonitor Continuously: Automated monitoring and alerting\nTeam Workflows\nSecurity Champions: Designate dependency security owners\nReview Process: Mandatory review for new dependencies\nUpdate Cycles: Regular, scheduled dependency updates\nDocumentation: Maintain dependency rationale and decisions\nTraining: Regular team education on dependency security\nMetrics & KPIs\nSecurity Metrics\nMean Time to Patch (MTTP) for vulnerabilities\nNumber of high/critical vulnerabilities\nPercentage of dependencies with known vulnerabilities\nSecurity debt accumulation rate\nCompliance Metrics\nLicense compliance percentage\nNumber of license conflicts\nTime to resolve compliance issues\nPolicy violation frequency\nMaintenance Metrics\nPercentage of up-to-date dependencies\nAverage dependency age\nNumber of abandoned dependencies\nUpgrade success rate\nEfficiency Metrics\nBundle size reduction percentage\nUnused dependency elimination rate\nBuild time improvement\nDeveloper productivity impact\nTroubleshooting Guide\nCommon Issues\nFalse Positives: Tuning vulnerability detection sensitivity\nLicense Ambiguity: Resolving unclear or multiple licenses\nBreaking Changes: Managing major version upgrades\nPerformance Impact: Optimizing scanning for large codebases\nResolution Strategies\nWhitelist false positives with documentation\nContact maintainers for license clarification\nImplement feature flags for risky upgrades\nUse incremental scanning for large projects\nFuture Enhancements\nPlanned Features\nMachine learning for vulnerability prediction\nAutomated dependency update pull requests\nIntegration with container image scanning\nReal-time dependency monitoring dashboards\nNatural language policy definition\nEcosystem Expansion\nAdditional language support (Swift, Kotlin, Dart)\nContainer and infrastructure dependencies\nDevelopment tool and build system dependencies\nCloud service and SaaS dependency tracking\nQuick Start\n# Scan project for vulnerabilities and licenses\npython scripts/dep_scanner.py /path/to/project\n\n# Check license compliance\npython scripts/license_checker.py /path/to/project --policy strict\n\n# Plan dependency upgrades\npython scripts/upgrade_planner.py deps.json --risk-threshold medium\n\n\nFor detailed usage instructions, see README.md.\n\nThis skill provides comprehensive dependency management capabilities essential for maintaining secure, compliant, and efficient software projects. Regular use helps teams stay ahead of security threats, maintain legal compliance, and optimize their dependency ecosystems." }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/alirezarezvani/dependency-auditor", "publisherUrl": "https://clawhub.ai/alirezarezvani/dependency-auditor", "owner": "alirezarezvani", "version": "2.1.1", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/dependency-auditor", "downloadUrl": "https://openagent3.xyz/downloads/dependency-auditor", "agentUrl": "https://openagent3.xyz/skills/dependency-auditor/agent", "manifestUrl": "https://openagent3.xyz/skills/dependency-auditor/agent.json", "briefUrl": "https://openagent3.xyz/skills/dependency-auditor/agent.md" } }