OpenClaw · Skill
DepGuard
DepGuard scans your project dependencies for known vulnerabilities, license violations, and outdated packages. It uses native package manager audit tools (npm audit, pip-audit, cargo-audit, etc.) and enriches results with license analysis and risk scoring.
Install
Start with the primary install command. Alternate entrypoints are included below for ClawHub and OpenClaw CLI users.
Primary command
clawhub install suhteevah/depguardClawHub installer
npx clawhub@latest install suhteevah/depguardOpenClaw CLI
openclaw skills install suhteevah/depguardDirect OpenClaw install
openclaw install suhteevah/depguardWhat this skill does
DepGuard scans your project dependencies for known vulnerabilities, license violations, and outdated packages. It uses native package manager audit tools (npm audit, pip-audit, cargo-audit, etc.) and enriches results with license analysis and risk scoring.
Why it matters
It wraps native audit tools for 10 package managers into one command, adding license analysis and offline risk scoring without sending dependency data to an external server.
Typical use cases
- Checking npm packages for CVEs before a production deploy
- Auditing open source licenses before shipping a commercial product
- Blocking GPL dependencies from entering a proprietary codebase
- Generating an SBOM for a security audit or procurement requirement
- Auto-fixing vulnerable package versions across a monorepo
Source instructions
DepGuard — Dependency Audit & License Compliance
DepGuard scans your project dependencies for known vulnerabilities, license violations, and outdated packages. It uses native package manager audit tools (npm audit, pip-audit, cargo-audit, etc.) and enriches results with license analysis and risk scoring.
Commands
Free Tier (No license required)
depguard scan [directory]
One-shot vulnerability and license scan of your project dependencies.
How to execute:
bash "<SKILL_DIR>/scripts/depguard.sh" scan [directory]
What it does:
- Detects package manager (npm, yarn, pnpm, pip, cargo, go, composer, bundler, maven, gradle)
- Runs native audit commands (npm audit, pip-audit, cargo audit, etc.)
- Parses dependency manifests for license information
- Generates a security report with severity levels
- Lists packages with problematic or unknown licenses
Example usage scenarios:
- "Scan my dependencies for vulnerabilities" → runs
depguard scan . - "Check the licenses of my node modules" → runs
depguard scan . --licenses-only - "Are any of my packages insecure?" → runs
depguard scan
depguard report [directory]
Generate a formatted dependency health report in markdown.
bash "<SKILL_DIR>/scripts/depguard.sh" report [directory]
Pro Tier ($19/user/month — requires DEPGUARD_LICENSE_KEY)
depguard hooks install
Install git hooks that scan dependencies on every commit that modifies lockfiles.
bash "<SKILL_DIR>/scripts/depguard.sh" hooks install
What it does:
- Validates Pro+ license
- Installs lefthook pre-commit hook targeting lockfile changes
- On every commit that modifies package-lock.json, yarn.lock, Cargo.lock, etc.: runs vulnerability scan, blocks commit if critical/high vulns found
depguard hooks uninstall
Remove DepGuard git hooks.
bash "<SKILL_DIR>/scripts/depguard.sh" hooks uninstall
depguard watch [directory]
Continuous monitoring — re-scans on any lockfile change.
bash "<SKILL_DIR>/scripts/depguard.sh" watch [directory]
depguard fix [directory]
Auto-fix vulnerabilities by upgrading to patched versions where available.
bash "<SKILL_DIR>/scripts/depguard.sh" fix [directory]
Team Tier ($39/user/month — requires DEPGUARD_LICENSE_KEY with team tier)
depguard policy [directory]
Enforce a dependency policy: block specific licenses, require minimum versions, deny specific packages.
bash "<SKILL_DIR>/scripts/depguard.sh" policy [directory]
depguard sbom [directory]
Generate a Software Bill of Materials (SBOM) in CycloneDX or SPDX format.
bash "<SKILL_DIR>/scripts/depguard.sh" sbom [directory]
depguard compliance [directory]
Generate a compliance report for auditors — maps licenses to categories (permissive, copyleft, proprietary, unknown).
bash "<SKILL_DIR>/scripts/depguard.sh" compliance [directory]
Supported Package Managers
| Manager | Lockfile | Audit Tool |
|---|---|---|
| npm | package-lock.json | npm audit |
| yarn | yarn.lock | yarn audit |
| pnpm | pnpm-lock.yaml | pnpm audit |
| pip | requirements.txt / Pipfile.lock | pip-audit / safety |
| cargo | Cargo.lock | cargo audit |
| go | go.sum | govulncheck |
| composer | composer.lock | composer audit |
| bundler | Gemfile.lock | bundle audit |
| maven | pom.xml | mvn dependency-check |
| gradle | build.gradle | gradle dependencyCheck |
Configuration
Add to ~/.openclaw/openclaw.json:
{
"skills": {
"entries": {
"depguard": {
"enabled": true,
"apiKey": "YOUR_LICENSE_KEY",
"config": {
"severityThreshold": "high",
"blockedLicenses": ["GPL-3.0", "AGPL-3.0"],
"allowedLicenses": ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"],
"ignoredVulnerabilities": [],
"autoFix": false,
"sbomFormat": "cyclonedx"
}
}
}
}
}
Important Notes
- Free tier works immediately — no configuration needed
- All scanning happens locally using native package manager audit tools
- License validation is offline — no phone-home
- Falls back to manifest parsing if native audit tools aren't available
- Supports monorepos — scans all workspaces/packages
When to Use DepGuard
The user might say things like:
- "Scan my dependencies for vulnerabilities"
- "Check my package licenses"
- "Are any of my npm packages insecure?"
- "Generate a security audit report"
- "Set up dependency monitoring"
- "Block GPL dependencies in this project"
- "Generate an SBOM"
- "Check if we're compliant with our license policy"