依赖审计：使用 Openclaw Skills 保护您的项目-脚本在线

AI智能体脚本智能办公脚本自动化游戏脚本浏览器自动化脚本服务器脚本

依赖审计：使用 Openclaw Skills 保护您的项目

作者：互联网

2026-03-30

AI教程

什么是依赖审计技能？

依赖审计技能是为 Openclaw Skills 设计的强大安全工具，旨在保护您的软件供应链。它可以识别多个编程环境（包括 Node.js (npm)、Python (pip)、Rust (Cargo) 和 Go）中的已知漏洞 (CVE)。通过利用 OSV、GitHub Advisory 和 RustSec 等公开咨询数据库，它可以在无需外部 API 令牌或复杂设置的情况下，深入了解项目的依赖树。

该技能基于默认安全理念构建，主要以仅报告模式运行，以防止对代码库进行意外更改。通过与 Openclaw Skills 集成，它允许开发人员通过自动化发现安全风险，并通过建议的修复命令和基于分支的更新提供清晰、可操作的修复路径，从而保持安全态势。

下载入口:https://github.com/openclaw/skills/tree/main/skills/tkuehnl/dep-audit

安装与下载

1. ClawHub CLI

从源直接安装技能的最快方式。

npx clawhub@latest install dep-audit

2. 手动安装

将技能文件夹复制到以下位置之一

全局模式 ~/.openclaw/skills/ 工作区 /skills/

优先级：工作区 > 本地 > 内置

3. 提示词安装

将此提示词复制到 OpenClaw 即可自动安装。

请帮我使用 Clawhub 安装 dep-audit。如果尚未安装 Clawhub，请先安装（npm i -g clawhub）。

依赖审计技能应用场景

在生产发布前扫描本地存储库中的关键漏洞。
识别共享目录中多个项目里过时或不安全的包。
生成 CycloneDX 软件物料清单 (SBOM) 以用于合规性文档。
通过 Openclaw Skills 在开发生命周期中自动化安全检查。
快速识别新披露的 CVE 是否影响任何当前项目依赖项。

依赖审计技能工作原理

该技能启动检测阶段，扫描目标目录以寻找受支持的锁文件，如 package-lock.json、requirements.txt 或 Cargo.lock。
它检查主机系统上是否存在原生审计工具，以确保可以安全地执行扫描。
为每个检测到的生态系统（npm、pip、Cargo 或 Go）运行专用脚本以查询漏洞数据库。
来自所有生态系统的结果被传输到聚合器，将数据标准化为统一的 JSON 结构。
生成一份全面的 Markdown 报告，为用户优先列出严重和高危发现。
如果有要求，该技能会提供特定的 shell 命令来修复漏洞，在执行前需要用户明确确认。

依赖审计技能配置指南

要将此技能与 Openclaw Skills 配合使用，请确保系统中安装了 jq，因为它是数据聚合所必需的。不需要额外的 API 密钥或配置文件。

# 验证您的环境是否就绪
bash scripts/detect.sh .

# 如果需要，为 npm 项目运行手动审计
bash scripts/audit-npm.sh /path/to/project

该技能利用标准系统工具。请确保为您希望扫描的特定语言安装了相关的 CLI 工具（如 npm 或 cargo-audit）。

依赖审计技能数据架构与分类体系

依赖审计技能产生结构化数据，以确保透明度和易于集成。它主要利用统一的 JSON 格式进行程序化访问，并利用 Markdown 格式进行人工审查。

数据点	描述
生态系统	正在审计的包管理器或语言（例如 npm、pip）。
漏洞数量	按严重程度分类的安全问题总数。
CVE ID	漏洞的唯一标识符。
包名称	包含安全风险的具体依赖项。
版本信息	当前安装版本与安全目标版本之间的比较。
SBOM 文件	遵循 CycloneDX 标准生成的 sbom.cdx.json 文件。

name: dep-audit
description: >
  Audit project dependencies for known vulnerabilities (CVEs).
  Supports npm, pip, Cargo, and Go. Zero API keys required.
  Safe-by-default: report-only mode, fix commands require confirmation.
version: 0.1.3
author: Anvil AI
tags: [security, audit, dependencies, cve, supply-chain, discord, discord-v2]

Dependency Audit Skill

Detect and report known vulnerabilities in your project's dependency tree. Supports npm, pip (Python), Cargo (Rust), and Go out of the box. No API keys. No config. Just point it at a project.

Activation

This skill activates when the user mentions:

"audit", "vulnerability", "CVE", "dependency check", "supply chain", "security scan"
Checking dependencies, lockfiles, or packages for issues
Generating an SBOM (Software Bill of Materials)

Example Prompts

"Audit this project for vulnerabilities"
"Check all my repos in ~/projects for known CVEs"
"Are there any critical vulnerabilities I should fix right now?"
"Generate an SBOM for this project"
"What dependencies need updating in this project?"
"Audit only the Python dependencies"

Permissions

permissions:
  exec: true          # Required to run audit CLIs
  read: true          # Read lockfiles
  write: on-request   # SBOM generation writes sbom.cdx.json when user asks
  network: true       # Tools fetch advisory DBs

Agent Workflow

Follow this sequence exactly:

Step 1: Detect

Run the detection script to discover lockfiles and available tools:

bash /scripts/detect.sh

If no target directory is given, use the current working directory (.).

Parse the JSON output. Note which ecosystems have lockfiles and which tools are available.

Step 2: Audit Each Ecosystem

For each ecosystem detected in Step 1:

If the audit tool is available, run the corresponding script:

bash /scripts/audit-npm.sh 
bash /scripts/audit-pip.sh 
bash /scripts/audit-cargo.sh 
bash /scripts/audit-go.sh

If the tool is missing, tell the user which tool is needed and the install command from the detect output. Skip that ecosystem and continue with others.

Note: yarn.lock and pnpm-lock.yaml are detected as yarn and pnpm ecosystems respectively. Audit support is npm-only in v0.1.x (package-lock.json). If only a yarn.lock or pnpm-lock.yaml is present, inform the user that dedicated yarn/pnpm audit is not yet supported and suggest running yarn audit or pnpm audit manually.

Each script outputs normalized JSON to stdout.

Step 3: Aggregate

Pipe or pass all per-ecosystem JSON results to the aggregator:

bash /scripts/aggregate.sh   ... 1>unified.json 2>report.md

The aggregator outputs unified JSON to stdout and a Markdown report to stderr. Capture both: 2>report.md for the Markdown, 1>unified.json for the JSON.

Step 4: Present Results

Show the user the Markdown report from the aggregator. Highlight:

Total vulnerability count by severity
Critical and High findings first (these need attention)
Which ecosystems were scanned vs skipped

If zero vulnerabilities found: report "? No known vulnerabilities found." If no lockfiles found: report "No lockfiles found in

. This skill works with npm, pip, Cargo, and Go projects."

Discord v2 Delivery Mode (OpenClaw v2026.2.14+)

When the user is in a Discord channel:

Send a short first response with totals and only Critical/High findings.
Keep the first message under ~1200 characters and avoid large Markdown tables up front.
If Discord components are available, include quick actions:
- Show Full Report
- Show Fix Commands
- Generate SBOM
If components are unavailable, provide the same options as a numbered list.
Send long details in short chunks (<=15 lines) to improve readability.

Step 5: Fix Suggestions (only if user asks)

If the user asks to fix vulnerabilities:

List every fix command with the package name, current version, and target version.
Suggest creating a branch first: git checkout -b dep-audit-fixes
Ask for explicit confirmation before running ANY fix command.
Never batch-run fix commands silently.

Example interaction:

I found these fix commands:
  1. cd /home/user/project && npm audit fix
  2. pip install requests>=2.31.0

I recommend creating a branch first:
  git checkout -b dep-audit-fixes

Shall I run them? (yes/no)

Step 6: SBOM (only if user asks)

bash /scripts/sbom.sh

Report the file location and component count.

Error Handling

Situation	Behavior
Tool not found	Print which tool is missing + install command. Continue with available tools.
Audit tool fails	Capture stderr, report "audit failed for [ecosystem]: [error]". Continue with others.
Timeout (>30s per tool)	When `timeout`/`gtimeout` is available, report "audit timed out for [ecosystem], skipping". Continue.
Invalid target directory	Report "directory not found or not accessible" and stop that ecosystem scan (do not report false "clean").
No lockfiles found	Report "No lockfiles found" + list supported ecosystems.
`jq` not available	Detection works without jq. Audit and aggregation require jq — install it first.
Malformed lockfile	Report parse error for that ecosystem. Continue with others.

Aggregation Robustness

aggregate.sh now tolerates mixed inputs (valid results + error objects).
Invalid input objects are listed under errors in unified JSON and rendered in a "Skipped / Error Inputs" Markdown section.
If no valid ecosystem results are provided, aggregate output sets status: "error" instead of crashing.

Safety

Default mode is report-only. The skill never modifies files unless you explicitly ask for a fix and confirm.
Audit tools read lockfiles — they do not execute project code.
Fix commands (npm audit fix, pip install --upgrade) are printed as suggestions. The agent will ask for confirmation before running them.
This skill checks known advisory databases (OSV, GitHub Advisory DB, RustSec). It does not detect zero-days or runtime vulnerabilities.
No data is sent to third-party services beyond what the native audit tools do (they query public advisory databases).
No telemetry. No tracking. No phone-home.

上一篇：Kaspi 自动支付：Telegram 支付自动化 - Openclaw Skills 下一篇：Tator Trader：自然语言加密交易 API - Openclaw Skills