# Send Dependency Auditor to your agent
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
## Fast path
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
## Suggested prompts
### New install

```text
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete.
```
### Upgrade existing

```text
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run.
```
## Machine-readable fields
```json
{
  "schemaVersion": "1.0",
  "item": {
    "slug": "dependency-auditor",
    "name": "Dependency Auditor",
    "source": "tencent",
    "type": "skill",
    "category": "数据分析",
    "sourceUrl": "https://clawhub.ai/alirezarezvani/dependency-auditor",
    "canonicalUrl": "https://clawhub.ai/alirezarezvani/dependency-auditor",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadUrl": "/downloads/dependency-auditor",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=dependency-auditor",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "packageFormat": "ZIP package",
    "primaryDoc": "SKILL.md",
    "includedAssets": [
      "README.md",
      "SKILL.md",
      "assets/sample_package.json",
      "assets/sample_requirements.txt",
      "expected_outputs/sample_license_report.txt",
      "expected_outputs/sample_upgrade_plan.txt"
    ],
    "downloadMode": "redirect",
    "sourceHealth": {
      "source": "tencent",
      "slug": "dependency-auditor",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-29T10:04:40.411Z",
      "expiresAt": "2026-05-06T10:04:40.411Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=dependency-auditor",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=dependency-auditor",
        "contentDisposition": "attachment; filename=\"dependency-auditor-2.1.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "dependency-auditor"
      },
      "scope": "item",
      "summary": "Item download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/dependency-auditor"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    }
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/dependency-auditor",
    "downloadUrl": "https://openagent3.xyz/downloads/dependency-auditor",
    "agentUrl": "https://openagent3.xyz/skills/dependency-auditor/agent",
    "manifestUrl": "https://openagent3.xyz/skills/dependency-auditor/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/dependency-auditor/agent.md"
  }
}
```
## Documentation

### Dependency Auditor

- Skill Type: POWERFUL
- Category: Engineering
- Domain: Dependency Management & Security

### Overview

The Dependency Auditor is a comprehensive toolkit for analyzing, auditing, and managing dependencies across multi-language software projects. This skill provides deep visibility into your project's dependency ecosystem, enabling teams to identify vulnerabilities, ensure license compliance, optimize dependency trees, and plan safe upgrades.

In modern software development, dependencies form complex webs that can introduce significant security, legal, and maintenance risks. A single project might have hundreds of direct and transitive dependencies, each potentially introducing vulnerabilities, license conflicts, or maintenance burden. This skill addresses these challenges through automated analysis and actionable recommendations.

### 1. Vulnerability Scanning & CVE Matching

#### Comprehensive Security Analysis

- Scans dependencies against built-in vulnerability databases
- Matches Common Vulnerabilities and Exposures (CVE) patterns
- Identifies known security issues across multiple ecosystems
- Analyzes transitive dependency vulnerabilities
- Provides CVSS scores and exploit assessments
- Tracks vulnerability disclosure timelines
- Maps vulnerabilities to dependency paths

#### Multi-Language Support

- JavaScript/Node.js: package.json, package-lock.json, yarn.lock
- Python: requirements.txt, pyproject.toml, Pipfile.lock, poetry.lock
- Go: go.mod, go.sum
- Rust: Cargo.toml, Cargo.lock
- Ruby: Gemfile, Gemfile.lock
- Java/Maven: pom.xml, gradle.lockfile
- PHP: composer.json, composer.lock
- C#/.NET: packages.config, project.assets.json

### 2. License Compliance & Legal Risk Assessment

#### License Classification System

- Permissive Licenses: MIT, Apache 2.0, BSD (2-clause, 3-clause), ISC
- Copyleft (Strong): GPL (v2, v3), AGPL (v3)
- Copyleft (Weak): LGPL (v2.1, v3), MPL (v2.0)
- Proprietary: Commercial, custom, or restrictive licenses
- Dual Licensed: Multi-license scenarios and compatibility
- Unknown/Ambiguous: Missing or unclear licensing

#### Conflict Detection

- Identifies incompatible license combinations
- Warns about GPL contamination in permissive projects
- Analyzes license inheritance through dependency chains
- Provides compliance recommendations for distribution
- Generates legal risk matrices for decision-making

### 3. Outdated Dependency Detection

#### Version Analysis

- Identifies dependencies with available updates
- Categorizes updates by severity (patch, minor, major)
- Detects pinned versions that may be outdated
- Analyzes semantic versioning patterns
- Identifies floating version specifiers
- Tracks release frequencies and maintenance status

#### Maintenance Status Assessment

- Identifies abandoned or unmaintained packages
- Analyzes commit frequency and contributor activity
- Tracks last release dates and security patch availability
- Identifies packages with known end-of-life dates
- Assesses upstream maintenance quality

### 4. Dependency Bloat Analysis

#### Unused Dependency Detection

- Identifies dependencies that aren't actually imported/used
- Analyzes import statements and usage patterns
- Detects redundant dependencies with overlapping functionality
- Identifies oversized packages for simple use cases
- Maps actual vs. declared dependency usage

#### Redundancy Analysis

- Identifies multiple packages providing similar functionality
- Detects version conflicts in transitive dependencies
- Analyzes bundle size impact of dependencies
- Identifies opportunities for dependency consolidation
- Maps dependency overlap and duplication

### 5. Upgrade Path Planning & Breaking Change Risk

#### Semantic Versioning Analysis

- Analyzes semver patterns to predict breaking changes
- Identifies safe upgrade paths (patch/minor versions)
- Flags major version updates requiring attention
- Tracks breaking changes across dependency updates
- Provides rollback strategies for failed upgrades

#### Risk Assessment Matrix

- Low Risk: Patch updates, security fixes
- Medium Risk: Minor updates with new features
- High Risk: Major version updates, API changes
- Critical Risk: Dependencies with known breaking changes

#### Upgrade Prioritization

- Security patches: Highest priority
- Bug fixes: High priority
- Feature updates: Medium priority
- Major rewrites: Planned priority
- Deprecated features: Immediate attention
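The following is an added example of the triage the Risk Assessment Matrix and Upgrade Prioritization above describe; it is not the skill's own upgrade_planner.py. The pinned requirements, the "latest version" map and the set of updates carrying a security fix are constructed inline so it runs offline; a real planner would query a package index and a vulnerability feed instead.

```python
import re
# Constructed sample inputs (not real project data); a real planner would query an index and a CVE feed.
REQUIREMENTS = """\
requests==2.25.1
urllib3==1.26.4
flask==2.0.3
click==8.1.7   # already current, should be skipped
"""
LATEST = {"requests": "2.25.2", "urllib3": "2.2.1", "flask": "2.3.3", "click": "8.1.7"}
SECURITY_FIX = {"urllib3"}  # constructed: updates that ship a security fix
# Page's matrix: bump type -> (risk level, priority label, schedule rank; lower rank runs first).
MATRIX = {
    "patch": ("Low", "Bug fix (high)", 1),
    "minor": ("Medium", "Feature update (medium)", 2),
    "major": ("High", "Major rewrite (planned)", 3),
}

def parse_pins(text):
    """Return {package: version} for each `pkg==ver` line; comments and blanks are skipped."""
    pins = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*(\S+)", line.split("#", 1)[0])
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def semver(version):
    """Parse 'MAJOR.MINOR.PATCH' into a 3-tuple of ints, padding missing parts with 0."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def classify_bump(current, target):
    """Return 'major', 'minor', 'patch' or 'none' for the upgrade current -> target."""
    c, t = semver(current), semver(target)
    return "none" if t <= c else "major" if t[0] != c[0] else "minor" if t[1] != c[1] else "patch"

def plan_upgrades(requirements, latest, security_fix):
    """Order upgrades: security patches first, then bug fixes, feature updates, major rewrites."""
    plan = []
    for name, cur in parse_pins(requirements).items():
        tgt = latest.get(name)
        bump = classify_bump(cur, tgt) if tgt else "none"
        if bump == "none":
            continue  # already current, or not in the index
        risk, priority, rank = MATRIX[bump]
        if name in security_fix:  # keeps its bump's risk (a major bump stays High) but is scheduled first
            priority, rank = "Security patch (highest)", 0
        plan.append((rank, name, {"package": name, "from": cur, "to": tgt, "bump": bump, "risk": risk, "priority": priority}))
    return [entry for _, _, entry in sorted(plan)]
```

Note that a security fix riding on a major bump is scheduled first yet still reported as High risk, so the rollback strategy the section calls for applies to it as well.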

### 6. Supply Chain Security

#### Dependency Provenance

- Verifies package signatures and checksums
- Analyzes package download sources and mirrors
- Identifies suspicious or compromised packages
- Tracks package ownership changes and maintainer shifts
- Detects typosquatting and malicious packages

#### Transitive Risk Analysis

- Maps complete dependency trees
- Identifies high-risk transitive dependencies
- Analyzes dependency depth and complexity
- Tracks influence of indirect dependencies
- Provides supply chain risk scoring

### 7. Lockfile Analysis & Deterministic Builds

#### Lockfile Validation

- Ensures lockfiles are up-to-date with manifests
- Validates integrity hashes and version consistency
- Identifies drift between environments
- Analyzes lockfile conflicts and resolution strategies
- Ensures deterministic, reproducible builds

#### Environment Consistency

- Compares dependencies across environments (dev/staging/prod)
- Identifies version mismatches between team members
- Validates CI/CD environment consistency
- Tracks dependency resolution differences

### Scanner Engine (dep_scanner.py)

- Multi-format parser supporting 8+ package ecosystems
- Built-in vulnerability database with 500+ CVE patterns
- Transitive dependency resolution from lockfiles
- JSON and human-readable output formats
- Configurable scanning depth and exclusion patterns

### License Analyzer (license_checker.py)

- License detection from package metadata and files
- Compatibility matrix with 20+ license types
- Conflict detection engine with remediation suggestions
- Risk scoring based on distribution and usage context
- Export capabilities for legal review

### Upgrade Planner (upgrade_planner.py)

- Semantic version analysis with breaking change prediction
- Dependency ordering based on risk and interdependence
- Migration checklists with testing recommendations
- Rollback procedures for failed upgrades
- Timeline estimation for upgrade cycles

### Security Teams

- Vulnerability Management: Continuous scanning for security issues
- Incident Response: Rapid assessment of vulnerable dependencies
- Supply Chain Monitoring: Tracking third-party security posture
- Compliance Reporting: Automated security compliance documentation

### Legal & Compliance Teams

- License Auditing: Comprehensive license compliance verification
- Risk Assessment: Legal risk analysis for software distribution
- Due Diligence: Dependency licensing for M&A activities
- Policy Enforcement: Automated license policy compliance

### Development Teams

- Dependency Hygiene: Regular cleanup of unused dependencies
- Upgrade Planning: Strategic dependency update scheduling
- Performance Optimization: Bundle size optimization through dependency analysis
- Technical Debt: Identifying and prioritizing dependency technical debt

### DevOps & Platform Teams

- Build Optimization: Faster builds through dependency optimization
- Security Automation: Automated vulnerability scanning in CI/CD
- Environment Consistency: Ensuring consistent dependencies across environments
- Release Management: Dependency-aware release planning

### CI/CD Pipeline Integration

```bash
# Security gate in CI
python dep_scanner.py /project --format json --fail-on-high
python license_checker.py /project --policy strict --format json
```

### Scheduled Audits

```bash
# Weekly dependency audit
./audit_dependencies.sh > weekly_report.html
python upgrade_planner.py deps.json --timeline 30days
```

### Development Workflow

```bash
# Pre-commit dependency check
python dep_scanner.py . --quick-scan
python license_checker.py . --warn-conflicts
```

### Custom Vulnerability Databases

- Support for internal/proprietary vulnerability feeds
- Custom CVE pattern definitions
- Organization-specific risk scoring
- Integration with enterprise security tools

### Policy-Based Scanning

- Configurable license policies by project type
- Custom risk thresholds and escalation rules
- Automated policy enforcement and notifications
- Exception management for approved violations

### Reporting & Dashboards

- Executive summaries for management
- Technical reports for development teams
- Trend analysis and dependency health metrics
- Integration with project management tools

### Multi-Project Analysis

- Portfolio-level dependency analysis
- Shared dependency impact analysis
- Organization-wide license compliance
- Cross-project vulnerability propagation

### Scanning Frequency

- Security Scans: Daily or on every commit
- License Audits: Weekly or monthly
- Upgrade Planning: Monthly or quarterly
- Full Dependency Audit: Quarterly

### Risk Management

- Prioritize Security: Address high/critical CVEs immediately
- License First: Ensure compliance before functionality
- Gradual Updates: Incremental dependency updates
- Test Thoroughly: Comprehensive testing after updates
- Monitor Continuously: Automated monitoring and alerting

### Team Workflows

- Security Champions: Designate dependency security owners
- Review Process: Mandatory review for new dependencies
- Update Cycles: Regular, scheduled dependency updates
- Documentation: Maintain dependency rationale and decisions
- Training: Regular team education on dependency security

### Security Metrics

- Mean Time to Patch (MTTP) for vulnerabilities
- Number of high/critical vulnerabilities
- Percentage of dependencies with known vulnerabilities
- Security debt accumulation rate

### Compliance Metrics

- License compliance percentage
- Number of license conflicts
- Time to resolve compliance issues
- Policy violation frequency

### Maintenance Metrics

- Percentage of up-to-date dependencies
- Average dependency age
- Number of abandoned dependencies
- Upgrade success rate

### Efficiency Metrics

- Bundle size reduction percentage
- Unused dependency elimination rate
- Build time improvement
- Developer productivity impact

### Common Issues

- False Positives: Tuning vulnerability detection sensitivity
- License Ambiguity: Resolving unclear or multiple licenses
- Breaking Changes: Managing major version upgrades
- Performance Impact: Optimizing scanning for large codebases

### Resolution Strategies

- Whitelist false positives with documentation
- Contact maintainers for license clarification
- Implement feature flags for risky upgrades
- Use incremental scanning for large projects

### Planned Features

- Machine learning for vulnerability prediction
- Automated dependency update pull requests
- Integration with container image scanning
- Real-time dependency monitoring dashboards
- Natural language policy definition

### Ecosystem Expansion

- Additional language support (Swift, Kotlin, Dart)
- Container and infrastructure dependencies
- Development tool and build system dependencies
- Cloud service and SaaS dependency tracking

### Quick Start

```bash
# Scan project for vulnerabilities and licenses
python scripts/dep_scanner.py /path/to/project

# Check license compliance
python scripts/license_checker.py /path/to/project --policy strict

# Plan dependency upgrades
python scripts/upgrade_planner.py deps.json --risk-threshold medium
```

For detailed usage instructions, see README.md.

This skill provides comprehensive dependency management capabilities essential for maintaining secure, compliant, and efficient software projects. Regular use helps teams stay ahead of security threats, maintain legal compliance, and optimize their dependency ecosystems.
## Trust
- Source: tencent
- Verification: Indexed source record
- Publisher: alirezarezvani
- Version: 2.1.1
## Source health
- Status: healthy
- Item download looks usable.
- Yavira can redirect you to the upstream package for this item.
- Health scope: item
- Reason: direct_download_ok
- Checked at: 2026-04-29T10:04:40.411Z
- Expires at: 2026-05-06T10:04:40.411Z
- Recommended action: Download for OpenClaw
## Links
- [Detail page](https://openagent3.xyz/skills/dependency-auditor)
- [Send to Agent page](https://openagent3.xyz/skills/dependency-auditor/agent)
- [JSON manifest](https://openagent3.xyz/skills/dependency-auditor/agent.json)
- [Markdown brief](https://openagent3.xyz/skills/dependency-auditor/agent.md)
- [Download page](https://openagent3.xyz/downloads/dependency-auditor)