{"id":"a831d4fc-5a1a-4ba3-a5d2-98ee9eb86606","shortId":"rusdG3","kind":"skill","title":"dep-audit","tagline":"Audit project dependencies for known vulnerabilities (CVEs). Supports npm, pip, Cargo, and Go. Zero API keys required. Safe-by-default: report-only mode, fix commands require confirmation.","description":"# Dependency Audit Skill\n\nDetect and report known vulnerabilities in your project's dependency tree.\nSupports **npm**, **pip (Python)**, **Cargo (Rust)**, and **Go** out of the box.\nNo API keys. No config. Just point it at a project.\n\n## Activation\n\nThis skill activates when the user mentions:\n- \"audit\", \"vulnerability\", \"CVE\", \"dependency check\", \"supply chain\", \"security scan\"\n- Checking dependencies, lockfiles, or packages for issues\n- Generating an SBOM (Software Bill of Materials)\n\n## Example Prompts\n\n1. \"Audit this project for vulnerabilities\"\n2. \"Check all my repos in ~/projects for known CVEs\"\n3. \"Are there any critical vulnerabilities I should fix right now?\"\n4. \"Generate an SBOM for this project\"\n5. \"What dependencies need updating in this project?\"\n6. \"Audit only the Python dependencies\"\n\n## Permissions\n\n```yaml\npermissions:\n  exec: true          # Required to run audit CLIs\n  read: true          # Read lockfiles\n  write: on-request   # SBOM generation writes sbom.cdx.json when user asks\n  network: true       # Tools fetch advisory DBs\n```\n\n## Agent Workflow\n\nFollow this sequence exactly:\n\n### Step 1: Detect\n\nRun the detection script to discover lockfiles and available tools:\n\n```bash\nbash <skill_dir>/scripts/detect.sh <target_directory>\n```\n\nIf no target directory is given, use the current working directory (`.`).\n\nParse the JSON output. 
Note which ecosystems have lockfiles and which tools are available.\n\n### Step 2: Audit Each Ecosystem\n\nFor each ecosystem detected in Step 1:\n\n- **If the audit tool is available**, run the corresponding script:\n  ```bash\n  bash <skill_dir>/scripts/audit-npm.sh <directory>\n  bash <skill_dir>/scripts/audit-pip.sh <directory>\n  bash <skill_dir>/scripts/audit-cargo.sh <directory>\n  bash <skill_dir>/scripts/audit-go.sh <directory>\n  ```\n\n- **If the tool is missing**, tell the user which tool is needed and the install command from the detect output. Skip that ecosystem and continue with others.\n\n> **Note:** `yarn.lock` and `pnpm-lock.yaml` are detected as `yarn` and `pnpm` ecosystems respectively. Audit support is npm-only in v0.1.x (`package-lock.json`). If only a `yarn.lock` or `pnpm-lock.yaml` is present, inform the user that dedicated yarn/pnpm audit is not yet supported and suggest running `yarn audit` or `pnpm audit` manually.\n\nEach script outputs normalized JSON to stdout.\n\n### Step 3: Aggregate\n\nPipe or pass all per-ecosystem JSON results to the aggregator:\n\n```bash\nbash <skill_dir>/scripts/aggregate.sh <npm_result.json> <pip_result.json> ... 1>unified.json 2>report.md\n```\n\nThe aggregator outputs unified JSON to **stdout** and a Markdown report to **stderr**.\nCapture both: `2>report.md` for the Markdown, `1>unified.json` for the JSON.\n\n### Step 4: Present Results\n\nShow the user the Markdown report from the aggregator. Highlight:\n- Total vulnerability count by severity\n- Critical and High findings first (these need attention)\n- Which ecosystems were scanned vs skipped\n\nIf **zero vulnerabilities** found: report \"✅ No known vulnerabilities found.\"\nIf **no lockfiles** found: report \"No lockfiles found in <dir>. 
This skill works with npm, pip, Cargo, and Go projects.\"\n\n### Discord v2 Delivery Mode (OpenClaw v2026.2.14+)\n\nWhen the user is in a Discord channel:\n\n- Send a short first response with totals and only Critical/High findings.\n- Keep the first message under ~1200 characters and avoid large Markdown tables up front.\n- If Discord components are available, include quick actions:\n  - `Show Full Report`\n  - `Show Fix Commands`\n  - `Generate SBOM`\n- If components are unavailable, provide the same options as a numbered list.\n- Send long details in short chunks (<=15 lines) to improve readability.\n\n### Step 5: Fix Suggestions (only if user asks)\n\nIf the user asks to fix vulnerabilities:\n\n1. List every fix command with the package name, current version, and target version.\n2. **Suggest** creating a branch first: `git checkout -b dep-audit-fixes`\n3. **Ask for explicit confirmation** before running ANY fix command.\n4. Never batch-run fix commands silently.\n\nExample interaction:\n```\nI found these fix commands:\n  1. cd /home/user/project && npm audit fix\n  2. pip install requests>=2.31.0\n\nI recommend creating a branch first:\n  git checkout -b dep-audit-fixes\n\nShall I run them? (yes/no)\n```\n\n### Step 6: SBOM (only if user asks)\n\n```bash\nbash <skill_dir>/scripts/sbom.sh <directory>\n```\n\nReport the file location and component count.\n\n## Error Handling\n\n| Situation | Behavior |\n|-----------|----------|\n| Tool not found | Print which tool is missing + install command. Continue with available tools. |\n| Audit tool fails | Capture stderr, report \"audit failed for [ecosystem]: [error]\". Continue with others. |\n| Timeout (>30s per tool) | When `timeout`/`gtimeout` is available, report \"audit timed out for [ecosystem], skipping\". Continue. |\n| Invalid target directory | Report \"directory not found or not accessible\" and stop that ecosystem scan (do **not** report false \"clean\"). 
|\n| No lockfiles found | Report \"No lockfiles found\" + list supported ecosystems. |\n| `jq` not available | Detection works without jq. Audit and aggregation **require** jq — install it first. |\n| Malformed lockfile | Report parse error for that ecosystem. Continue with others. |\n\n### Aggregation Robustness\n\n- `aggregate.sh` now tolerates mixed inputs (valid results + error objects).\n- Invalid input objects are listed under `errors` in unified JSON and rendered in a \"Skipped / Error Inputs\" Markdown section.\n- If no valid ecosystem results are provided, aggregate output sets `status: \"error\"` instead of crashing.\n\n## Safety\n\n- **Default mode is report-only.** The skill never modifies files unless you explicitly ask for a fix and confirm.\n- Audit tools read lockfiles — they do not execute project code.\n- Fix commands (`npm audit fix`, `pip install --upgrade`) are printed as suggestions. The agent will ask for confirmation before running them.\n- This skill checks known advisory databases (OSV, GitHub Advisory DB, RustSec). It does not detect zero-days or runtime vulnerabilities.\n- No data is sent to third-party services beyond what the native audit tools do (they query public advisory databases).\n- No telemetry. No tracking. 
No phone-home.","tags":["dep","audit","cacheforge","skills","cacheforge-ai","agent-skills","ai-agents","clawhub","devops","discord-v2","kubernetes","openclaw"],"capabilities":["skill","source-cacheforge-ai","skill-dep-audit","topic-agent-skills","topic-ai-agents","topic-cacheforge","topic-clawhub","topic-devops","topic-discord-v2","topic-kubernetes","topic-openclaw","topic-prometheus"],"categories":["cacheforge-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/cacheforge-ai/cacheforge-skills/dep-audit","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add cacheforge-ai/cacheforge-skills","source_repo":"https://github.com/cacheforge-ai/cacheforge-skills","install_from":"skills.sh"}},"qualityScore":"0.454","qualityRationale":"deterministic score 0.45 from registry signals: · indexed on github topic:agent-skills · 8 github stars · SKILL.md body (6,255 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T19:09:04.126Z","embedding":null,"createdAt":"2026-05-18T13:14:37.692Z","updatedAt":"2026-05-18T19:09:04.126Z","lastSeenAt":"2026-05-18T19:09:04.126Z","prices":[{"id":"2e923436-a67f-46d0-9b0e-f1f13edba777","listingId":"a831d4fc-5a1a-4ba3-a5d2-98ee9eb86606","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"cacheforge-ai","category":"cacheforge-skills","install_from":"skills.sh"},"createdAt":"2026-05-18T13:14:37.692Z"}],"sources":[{"listingId":"a831d4fc-5a1a-4ba3-a5d2-98ee9eb86606","source":"github","sourceId":"cacheforge-ai/cacheforge-skills/dep-audit","sourceUrl":"https://github.com/cacheforge-ai/cacheforge-skills/tree/main/skills/dep-audit","isPrimary":false,"firstSeenAt":"2026-05-18T13:14:37.692Z","lastSeenAt":"2026-05-18T19:09:04.126Z"}],"details":{"listingId":"a831d4fc-5a1a-4ba3-a5d2-98ee9eb86606","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"cacheforge-ai","slug":"dep-audit","github":{"repo":"cacheforge-ai/cacheforge-skills","stars":8,"topics":["agent-skills","ai-agents","cacheforge","clawhub","devops","discord-v2","kubernetes","openclaw","prometheus"],"license":"mit","html_url":"https://github.com/cacheforge-ai/cacheforge-skills","pushed_at":"2026-02-22T20:49:48Z","description":"⚡ SOTA agent skills for OpenClaw — observability, security, code quality, incident 
response, and more. Built by Anvil AI.","skill_md_sha":"656ace4c5e25d2039708961096fd1097c40db161","skill_md_path":"skills/dep-audit/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/cacheforge-ai/cacheforge-skills/tree/main/skills/dep-audit"},"layout":"multi","source":"github","category":"cacheforge-skills","frontmatter":{"name":"dep-audit","description":"Audit project dependencies for known vulnerabilities (CVEs). Supports npm, pip, Cargo, and Go. Zero API keys required. Safe-by-default: report-only mode, fix commands require confirmation."},"skills_sh_url":"https://skills.sh/cacheforge-ai/cacheforge-skills/dep-audit"},"updatedAt":"2026-05-18T19:09:04.126Z"}}