codebase-cleanup-deps-audit

You are a dependency security expert specializing in vulnerability scanning, license compliance, and supply chain security. Analyze project dependencies for known vulnerabilities, licensing issues, outdated packages, and provide actionable remediation strategies.

Install

Download and extract to your skills directory

Copy command and send to OpenClaw for auto-install:

Download and install this skill https://openskills.cc/api/download?slug=sickn33-skills-codebase-cleanup-deps-audit&locale=en&source=copy

Dependency Audit and Security Analysis Skill

Skill Overview

This is an automated dependency security auditing tool that scans a project's dependencies for known vulnerabilities, checks license compliance, and provides actionable remediation suggestions.

Use Cases

  • Project Security Review - Automatically check all dependencies for known vulnerabilities, license conflicts, or maintenance risks before merging code or releasing.
  • License Compliance Management - When you need to ensure the open-source components used in a project meet corporate or legal requirements, quickly identify high-risk licenses (e.g., GPL) and license conflicts.
  • Dependency Upgrade Planning - When facing many outdated dependencies, get upgrade recommendations sorted by severity and understand the compatibility impact of each upgrade.
Core Features

  • Vulnerability Scanning and Risk Assessment - Automatically scan direct and transitive dependencies, identify known security vulnerabilities (CVEs), sort by severity and exposure, and ensure the most critical issues are prioritized for remediation.
  • License Compliance Checks - Analyze all dependencies' open-source licenses, detect license conflicts and non-compliance risks, and generate a clear license inventory report.
  • Intelligent Upgrade Suggestions - Not only identify outdated packages, but also provide compatibility notes and upgrade paths to help you update dependencies while minimizing disruptive changes.
Frequently Asked Questions

    Which package managers does this skill support?

    It supports major package managers and ecosystems, including npm/yarn/pnpm (JavaScript/TypeScript), pip (Python), Maven/Gradle (Java), go mod (Go), etc. The skill will automatically detect dependency manifest files in the project (such as package.json, requirements.txt, pom.xml).

    Will scanning dependencies modify my code?

    No. This skill only performs read and analysis operations and will not automatically modify any files or upgrade dependencies. It will provide detailed upgrade recommendations and compatibility notes for you to decide when and how to apply changes. For automated fixes, refer to the workflows in implementation-playbook.md.

    How are vulnerability severities classified?

    Vulnerabilities are classified into four levels based on CVSS scores: Critical, High, Medium, and Low. The skill combines CVSS scores with actual exposure risk (e.g., whether the dependency is on a critical path or accepts external input) to provide remediation priorities.

    How are license conflicts handled?

    The skill detects compatibility issues between licenses—for example, a conflict that arises when your project uses the MIT license but depends on a GPL component. The report will clearly indicate the conflicting license pairs and provide replacement suggestions or legal compliance guidance.
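The kind of check described in this answer, as an added illustration in Python that is not the skill's own code: a small policy table groups SPDX identifiers into permissive, weak-copyleft and strong-copyleft families, and each dependency is compared against the project's own license. The groupings, the compatibility policy, the `Dependency` record and the sample inventory are assumptions; a strong-copyleft dependency inside a permissively licensed project is reported as a conflict (the MIT-plus-GPL case above), weak copyleft and unrecognised licenses are flagged for review.

```python
"""Check a dependency inventory for license conflicts against the project's own license.

Added illustration, not part of the skill's own code. The SPDX groupings, the
compatibility policy and the sample inventory below are assumptions."""
from dataclasses import dataclass

# Assumed grouping of a few common SPDX identifiers by license family.
PERMISSIVE = {"MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str
    license: str  # SPDX identifier as declared in the package metadata


def family(spdx: str) -> str:
    """Map an SPDX identifier onto the assumed license family."""
    if spdx in PERMISSIVE:
        return "permissive"
    if spdx in WEAK_COPYLEFT:
        return "weak-copyleft"
    if spdx in STRONG_COPYLEFT:
        return "strong-copyleft"
    return "unknown"


def check_dependency(project_license: str, dep: Dependency):
    """Return ('conflict' | 'review' | 'ok', message) under the assumed policy."""
    project_family = family(project_license)
    if project_family == "unknown":
        raise ValueError(f"project license {project_license!r} is not in the policy table")
    dep_family = family(dep.license)
    label = f"{dep.name}@{dep.version} ({dep.license})"
    if dep_family == "unknown":
        return ("review", f"{label}: license not recognised, inspect the package's LICENSE file")
    if project_family == "permissive" and dep_family == "strong-copyleft":
        return ("conflict", f"{label}: strong copyleft inside a {project_license} project; "
                            "replace the package or relicense the project")
    if project_family == "permissive" and dep_family == "weak-copyleft":
        return ("review", f"{label}: weak copyleft; confirm it is used unmodified as a "
                          "separately replaceable component")
    return ("ok", f"{label}: compatible")


def license_report(project_license: str, deps):
    """Build the inventory (license -> packages) plus conflict and review lists."""
    inventory, conflicts, review = {}, [], []
    for dep in deps:
        inventory.setdefault(dep.license, []).append(dep.name)
        status, message = check_dependency(project_license, dep)
        if status == "conflict":
            conflicts.append(message)
        elif status == "review":
            review.append(message)
    return {"inventory": inventory, "conflicts": conflicts, "review": review}


# Constructed sample inventory; names and versions are placeholders.
SAMPLE_DEPS = [
    Dependency("example-utils", "1.4.0", "MIT"),
    Dependency("example-db-driver", "3.2.1", "GPL-3.0-only"),
    Dependency("example-crypto", "0.9.2", "LGPL-2.1-only"),
    Dependency("example-parser", "2.0.0", "Apache-2.0"),
    Dependency("example-legacy", "0.1.0", "SEE LICENSE IN LICENSE.txt"),
]

if __name__ == "__main__":
    report = license_report("MIT", SAMPLE_DEPS)
    for spdx, names in sorted(report["inventory"].items()):
        print(f"{spdx:28} {', '.join(names)}")
    for line in report["conflicts"]:
        print("CONFLICT", line)
    for line in report["review"]:
        print("REVIEW  ", line)
```

Running the script on the sample inventory reports one conflict (the GPL driver) and two items for review (the LGPL library and the package with a free-text license field); the same inventory under a GPL-3.0-only project license produces no conflict, which is the point of keying the policy on the project's own license rather than on the dependency alone.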

    How do I integrate this into CI/CD?

    You can integrate this skill into CI pipelines to automatically run dependency audits before build or deployment. When severe vulnerabilities are found, you can configure the pipeline to fail to block deployment. For detailed integration options, see resources/implementation-playbook.md.

    What if there are false positives?

    If you encounter false positives (e.g., a dependency reported as vulnerable whose vulnerable code is not actually reachable), you can configure exclusion rules in the project. The skill supports listing vulnerability IDs or dependency packages to ignore in a configuration file.
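The three mechanics described in the answers above (CVSS-based severity bands combined with exposure to set remediation priority, a CI gate that fails the pipeline above a chosen severity, and exclusion rules for accepted false positives) as one added Python illustration that is not the skill's own code. The `Finding` record, the exposure weights, the `fail_on` threshold and the sample findings are assumptions; the score-to-band mapping is the standard CVSS v3 one, with a score of 0.0 mapped to "None" as in the CVSS specification, and the advisory identifiers are placeholders rather than real CVE numbers.

```python
"""Classify findings by CVSS score, rank them by exposure, apply exclusion rules and
decide whether a CI run should fail.

Added illustration, not part of the skill's own code. The Finding fields, the exposure
weights, the fail-on threshold and the sample records below are assumptions."""
from dataclasses import dataclass
import sys


def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score onto the qualitative bands used by NVD."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"  # a score of 0.0 carries no severity in the CVSS v3 specification


SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}


@dataclass(frozen=True)
class Finding:
    package: str
    advisory: str                  # constructed placeholder id, not a real CVE number
    cvss: float
    direct: bool                   # direct dependency (True) or transitive (False)
    on_critical_path: bool         # assumed: reachable from a request or build hot path
    handles_external_input: bool   # assumed: the vulnerable package parses untrusted input


def priority(f: Finding) -> tuple:
    """Sort key: severity band, then exposure, then direct-before-transitive, then raw score."""
    exposure = (2 if f.handles_external_input else 0) + (1 if f.on_critical_path else 0)
    return (SEVERITY_RANK[cvss_severity(f.cvss)], exposure, int(f.direct), f.cvss)


def prioritize(findings):
    """Highest remediation priority first."""
    return sorted(findings, key=priority, reverse=True)


def apply_exclusions(findings, ignore_advisories=(), ignore_packages=()):
    """Drop findings accepted as false positives, by advisory id or by package name."""
    return [f for f in findings
            if f.advisory not in ignore_advisories and f.package not in ignore_packages]


def should_fail_build(findings, fail_on="High") -> bool:
    """True if any remaining finding is at or above the configured severity band."""
    threshold = SEVERITY_RANK[fail_on]
    return any(SEVERITY_RANK[cvss_severity(f.cvss)] >= threshold for f in findings)


# Constructed sample findings; package names and advisory ids are placeholders.
SAMPLE_FINDINGS = [
    Finding("example-http-parser", "ADVISORY-0001", 7.5, True, True, True),
    Finding("example-yaml", "ADVISORY-0002", 9.8, False, False, False),
    Finding("example-logger", "ADVISORY-0003", 5.3, True, False, False),
    Finding("example-date", "ADVISORY-0004", 7.5, False, False, False),
]

if __name__ == "__main__":
    # A CI step: drop accepted false positives, print the ranked list, exit non-zero to block.
    remaining = apply_exclusions(SAMPLE_FINDINGS, ignore_advisories={"ADVISORY-0004"})
    for f in prioritize(remaining):
        print(f"{cvss_severity(f.cvss):8} {f.cvss:4} {f.package:22} {f.advisory}")
    sys.exit(1 if should_fail_build(remaining, fail_on="High") else 0)
```

Two findings with the same 7.5 score illustrate why exposure is part of the key: the parser that takes external input on a hot path ranks above the date library of equal CVSS score. The exit status is what a pipeline step would consume; excluding an advisory removes it from both the ranking and the gate, so an exclusion file is a security decision that deserves the same review as the code it silences.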