dep-audit

Audit project dependencies for known vulnerabilities (CVEs). Supports npm, pip, Cargo, and Go. Zero API keys required. Safe-by-default: report-only mode, fix...
Install via ClawdBot CLI:

```
clawdbot install tkuehnl/dep-audit
```

Detect and report known vulnerabilities in your project's dependency tree.
Supports npm, pip (Python), Cargo (Rust), and Go out of the box.
No API keys. No config. Just point it at a project.
This skill activates when the user mentions:
```yaml
permissions:
  exec: true # Required to run audit CLIs
  read: true # Read lockfiles
  write: on-request # SBOM generation writes sbom.cdx.json when user asks
  network: true # Tools fetch advisory DBs
```
Follow this sequence exactly:
Run the detection script to discover lockfiles and available tools:

```
bash <skill_dir>/scripts/detect.sh <target_directory>
```
If no target directory is given, use the current working directory (.).
Parse the JSON output. Note which ecosystems have lockfiles and which tools are available.
For each ecosystem detected in Step 1, run the matching audit script:

```
bash <skill_dir>/scripts/audit-npm.sh <directory>
bash <skill_dir>/scripts/audit-pip.sh <directory>
bash <skill_dir>/scripts/audit-cargo.sh <directory>
bash <skill_dir>/scripts/audit-go.sh <directory>
```
Note: `yarn.lock` and `pnpm-lock.yaml` are detected as `yarn` and `pnpm` ecosystems respectively. Audit support is npm-only in v0.1.x (`package-lock.json`). If only a `yarn.lock` or `pnpm-lock.yaml` is present, inform the user that dedicated yarn/pnpm audit is not yet supported and suggest running `yarn audit` or `pnpm audit` manually.
Each script outputs normalized JSON to stdout.
Pipe or pass all per-ecosystem JSON results to the aggregator:

```
bash <skill_dir>/scripts/aggregate.sh <npm_result.json> <pip_result.json> ... 1>unified.json 2>report.md
```

The aggregator outputs unified JSON to stdout and a Markdown report to stderr. Capture both: `2>report.md` for the Markdown, `1>unified.json` for the JSON.
Show the user the Markdown report from the aggregator. Highlight:
If zero vulnerabilities found: report "No known vulnerabilities found."
If no lockfiles found: report "No lockfiles found in
When the user is in a Discord channel, offer these actions:
- Show Full Report
- Show Fix Commands
- Generate SBOM

If the user asks to fix vulnerabilities, recommend creating a branch first:

```
git checkout -b dep-audit-fixes
```

Example interaction:
I found these fix commands:
1. cd /home/user/project && npm audit fix
2. pip install requests>=2.31.0
I recommend creating a branch first:
git checkout -b dep-audit-fixes
Shall I run them? (yes/no)
To generate an SBOM when the user asks for one:

```
bash <skill_dir>/scripts/sbom.sh <directory>
```

Report the file location and component count.
| Situation | Behavior |
|-----------|----------|
| Tool not found | Print which tool is missing + install command. Continue with available tools. |
| Audit tool fails | Capture stderr, report "audit failed for [ecosystem]: [error]". Continue with others. |
| Timeout (>30s per tool) | When timeout/gtimeout is available, report "audit timed out for [ecosystem], skipping". Continue. |
| Invalid target directory | Report "directory not found or not accessible" and stop that ecosystem scan (do not report false "clean"). |
| No lockfiles found | Report "No lockfiles found" + list supported ecosystems. |
| jq not available | Detection works without jq. Audit and aggregation require jq; install it first. |
| Malformed lockfile | Report parse error for that ecosystem. Continue with others. |
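The table above describes behaviour but shows no code for it. Below is an added example, not part of the dep-audit skill, of a wrapper that applies those rules to one per-ecosystem audit run: an invalid directory, a missing tool, a timeout (via timeout/gtimeout when installed) and a failing tool each yield a `status: "error"` object instead of a crash or a false "clean" result, so the output can be handed to an aggregator that tolerates mixed inputs. The JSON field names (status, ecosystem, error) are assumptions modelled on the changelog.

```shell
#!/usr/bin/env bash
# Added example, not part of the dep-audit skill: apply the error-handling
# table to one per-ecosystem audit run. Field names status/ecosystem/error
# are assumptions; the aggregator is assumed to accept such error objects.

AUDIT_TIMEOUT="${AUDIT_TIMEOUT:-30}"   # seconds per tool, per the table

# Run a command under timeout/gtimeout when one is installed, else unguarded.
with_timeout() {
  if command -v timeout >/dev/null 2>&1; then timeout "$AUDIT_TIMEOUT" "$@"
  elif command -v gtimeout >/dev/null 2>&1; then gtimeout "$AUDIT_TIMEOUT" "$@"
  else "$@"
  fi
}

# run_audit ECOSYSTEM TOOL DIRECTORY COMMAND [ARGS...]
# Prints either the tool's JSON output or a {"status":"error",...} object,
# and always returns 0 so one failing ecosystem never aborts the sweep.
run_audit() {
  local eco="$1" tool="$2" dir="$3"; shift 3
  # Invalid target directory: report it, never a false "clean" result.
  if [ ! -d "$dir" ] || [ ! -r "$dir" ]; then
    printf '{"status":"error","ecosystem":"%s","error":"directory not found or not accessible"}\n' "$eco"
    return 0
  fi
  # Tool not found: say which one is missing and continue with the others.
  if ! command -v "$tool" >/dev/null 2>&1; then
    printf '{"status":"error","ecosystem":"%s","error":"tool not found: %s"}\n' "$eco" "$tool"
    return 0
  fi
  local err out rc=0
  err=$(mktemp)
  out=$(cd "$dir" && with_timeout "$@" 2>"$err") || rc=$?
  if [ "$rc" -eq 124 ]; then            # exit status timeout(1) uses for expiry
    printf '{"status":"error","ecosystem":"%s","error":"audit timed out, skipping"}\n' "$eco"
  elif [ "$rc" -ne 0 ]; then
    # Audit tool failed: embed the captured stderr, escaped for JSON.
    local msg
    msg=$(tr -d '\n' <"$err" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '{"status":"error","ecosystem":"%s","error":"audit failed: %s"}\n' "$eco" "$msg"
  else
    printf '%s\n' "$out"
  fi
  rm -f "$err"
  return 0
}

# Usage: run_audit npm npm ./project npm audit --json > npm_result.json
```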
- aggregate.sh now tolerates mixed inputs (valid results + error objects).
- Error inputs are collected under `errors` in the unified JSON and rendered in a "Skipped / Error Inputs" Markdown section.
- Failures produce `status: "error"` instead of crashing.
- Fix commands (`npm audit fix`, `pip install --upgrade`) are printed as suggestions. The agent will ask for confirmation before running them.

Generated Mar 1, 2026
Open source maintainers can use dep-audit to regularly scan their repositories for vulnerabilities before releases or after dependency updates. This helps ensure code security and compliance, especially for projects with multiple contributors and dependencies across npm, pip, Cargo, or Go ecosystems. It supports generating SBOMs for transparency and audit trails.
Enterprises can integrate dep-audit into their CI/CD pipelines to audit dependencies in internal projects for known CVEs, enhancing supply chain security. It scans lockfiles from various package managers without requiring API keys, making it easy to deploy across teams. The safe-by-default approach with report-only mode minimizes risks during automated scans.
Freelance developers can use dep-audit to quickly audit client projects for vulnerabilities, providing security assessments as part of their services. It supports multiple ecosystems, allowing freelancers to handle diverse tech stacks without additional setup. The tool's ability to generate fix suggestions and SBOMs adds value in client reporting and remediation efforts.
Institutions teaching software development can incorporate dep-audit into coursework to help students learn about dependency security and vulnerability management. It scans student projects for CVEs in supported ecosystems, providing practical insights into real-world security practices. The Discord integration facilitates interactive learning in classroom settings.
Startups building minimum viable products (MVPs) can use dep-audit to ensure their dependencies are free from critical vulnerabilities before launch. It scans projects with minimal configuration, saving time for small teams focused on rapid development. The ability to audit across npm, pip, Cargo, and Go covers common tech stacks used in early-stage startups.
Offer dep-audit as a free open-source tool for basic vulnerability scanning, with premium features like advanced reporting, historical trend analysis, and team dashboards available via subscription. Revenue can be generated from enterprises needing enhanced security insights and compliance tracking. This model encourages adoption while monetizing value-added services.
Provide consulting services to help organizations integrate dep-audit into their workflows, including custom configurations, training, and support for specific ecosystems like Discord v2. Revenue comes from one-time setup fees and ongoing maintenance contracts. This model leverages the tool's flexibility to address unique client security needs.
Develop a marketplace where third-party developers can create and sell plugins extending dep-audit's capabilities, such as support for additional package managers or integration with other security tools. Revenue is generated through commissions on plugin sales and listing fees. This model fosters community growth and expands the tool's ecosystem.
Integration Tip
Integrate dep-audit into CI/CD pipelines by running detection and audit scripts as part of build processes, using the JSON output for automated reporting and alerts.