ClawKit Reliability Toolkit
Official · Verified · developer tools · Safety 5/5

skill-dependency-chain-auditor

Helps audit transitive skill dependency chains in agent compositions — catching the class of risk where a skill's direct dependencies appear safe but a dependency-of-a-dependency introduces a vulnerability that propagates up the entire chain.


Install via CLI (Recommended)

clawhub install openclaw/skills/skills/andyxinweiminicloud/skill-dependency-chain-auditor

What This Skill Does

The skill-dependency-chain-auditor is a critical security utility designed to map and validate the integrity of transitive dependency trees within the OpenClaw ecosystem. Unlike standard audits that verify a skill's immediate requirements, this agent traverses the entire dependency graph to identify vulnerabilities hidden deep within sub-dependencies. By uncovering the full recursive chain, it prevents "supply chain" style attacks where a high-trust skill is compromised via a less-scrutinized, foundational, or low-level dependency. It enforces security best practices by checking version pinning and mapping trust gradients across complex skill compositions.
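The audit described above amounts to a recursive walk of the dependency graph that records, for every edge, whether the version is exactly pinned, whether the dependency resolves at all, whether the chain loops back on itself, and how far trust drops along the path. The script below is an added illustration of that idea and is not the skill's own code; the manifest layout (a "trust" rating from 0 to 5 plus a "requires" map of dependency name to version specifier), the sample registry and the minimum trust threshold are all constructed assumptions.

```python
"""Transitive skill-dependency audit (illustrative; not the ClawKit skill's code)."""
import re
from dataclasses import dataclass

# Constructed sample registry (assumed manifest layout, not real ClawKit data).
# Each entry: a trust rating 0-5 and a map of dependency -> version specifier.
SAMPLE_REGISTRY = {
    "data-processor-v2": {"trust": 5, "requires": {"csv-loader": "==2.1.0", "http-fetch": ">=1.0"}},
    "csv-loader":        {"trust": 4, "requires": {"tiny-parser": "==0.3.2"}},
    "http-fetch":        {"trust": 3, "requires": {"url-utils": "*"}},
    "tiny-parser":       {"trust": 3, "requires": {"missing-lib": "==1.0.0"}},  # not in registry
    "url-utils":         {"trust": 1, "requires": {"http-fetch": "==1.0.0"}},   # loops back
}

_EXACT_PIN = re.compile(r"^==\d+\.\d+\.\d+$")


def is_pinned(spec: str) -> bool:
    """Only an exact '==X.Y.Z' pin counts; ranges and '*' float and can update silently."""
    return bool(_EXACT_PIN.match(spec))


@dataclass(frozen=True)
class Finding:
    chain: str      # "root -> dep -> subdep", the path that propagates the risk upward
    spec: str       # version specifier as declared by the parent
    trust: int      # trust rating of the flagged dependency (0 when unknown)
    issues: tuple   # subset of ("unresolved", "unpinned", "trust-drop", "cycle")


def audit_chain(root: str, registry: dict, min_trust: int = 3) -> dict:
    """Walk every transitive dependency of `root` and report risky edges.

    Returns the effective trust of the composition (the weakest link on any
    path) and a list of Finding records, one per edge that raised an issue.
    """
    findings = []
    weakest = registry.get(root, {}).get("trust", 0)

    def walk(name, path):
        nonlocal weakest
        for dep, spec in registry.get(name, {}).get("requires", {}).items():
            chain = path + (dep,)
            entry = registry.get(dep)
            trust = entry["trust"] if entry else 0
            weakest = min(weakest, trust)  # trust gradient: a chain is as trusted as its weakest hop
            issues = []
            if entry is None:
                issues.append("unresolved")
            if not is_pinned(spec):
                issues.append("unpinned")
            if trust < min_trust:
                issues.append("trust-drop")
            if dep in path:
                issues.append("cycle")
            if issues:
                findings.append(Finding(" -> ".join(chain), spec, trust, tuple(issues)))
            if entry is not None and dep not in path:  # do not recurse into unknowns or loops
                walk(dep, chain)

    walk(root, (root,))
    return {"root": root, "effective_trust": weakest, "findings": findings}


if __name__ == "__main__":
    report = audit_chain("data-processor-v2", SAMPLE_REGISTRY)
    print(f"{report['root']}: effective trust {report['effective_trust']}/5")
    for f in report["findings"]:
        print(f"  {f.chain}  [{f.spec}] trust={f.trust} issues={', '.join(f.issues)}")
```

Findings are recorded before recursing, so the report lists each risky edge in the order the walk reaches it, and the full path is kept on every record so a reviewer can see which top-level skill inherits the problem. Cycles are reported once and not followed, which is what keeps the recursive scan bounded on deep or tangled trees.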

Installation

To integrate this auditor into your OpenClaw environment, execute the following command in your terminal:

clawhub install openclaw/skills/skills/andyxinweiminicloud/skill-dependency-chain-auditor

Use Cases

This skill is indispensable for power users and enterprise agents who compose complex workflows. Use it when:

  • You are deploying a new, high-authority skill and want to verify its sub-dependency provenance.
  • You want to identify which installed skills are using unpinned, floating version dependencies that could expose you to silent remote updates.
  • You are conducting a security audit of your agent's current capabilities to ensure no "shadow" dependencies are running on your system without proper vetting.

Example Prompts

  1. "Audit the transitive dependency chain for my 'data-processor-v2' skill and list any dependencies that are not version-pinned."
  2. "Show me the full dependency graph for all currently installed skills and highlight any trust gradients where a top-level skill relies on an unaudited sub-dependency."
  3. "Run a security scan on the entire agent composition to identify potential blast radius risks in the dependency tree."

Tips & Limitations

  • Transparency: The auditor provides a full map of your dependency surface; use this to clean up unused, legacy skills that might be introducing unnecessary risk.
  • Depth: Note that the auditor performs recursive analysis; for very deep dependency trees, the initial scan may take a few seconds to complete.
  • Verification: While this skill identifies risks, it is an analytical tool. Always review flagged items manually, especially when a dependency is flagged for having a low trust rating or floating version numbers. Ensure your OpenClaw agent environment is up to date for the most accurate graph mapping.

Metadata

Stars: 4473
Views: 1
Updated: 2026-05-01
Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-andyxinweiminicloud-skill-dependency-chain-auditor": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Tags (AI)

#security #audit #supply-chain #dependency-management
Safety Score: 5/5

Flags: file-read

Related Skills

delta-disclosure-auditor

Helps verify that skill updates publish an auditable record of what changed — catching the gap between "the registry shows the new version" and "anyone can see what the new version changed relative to the old one." v1.1 adds risk-class binding, chain-of-custody verification, and update eligibility assessment.

andyxinweiminicloud 4473

capability-composition-analyzer

Helps identify dangerous capability combinations that emerge when agent skills are composed — catching the class of risk where no individual skill is harmful but their intersection creates an exfiltration or compromise path.

andyxinweiminicloud 4473

transparency-log-auditor

Helps verify that skill signing events are recorded in an independently auditable transparency log — catching the class of trust failures where a registry operator can silently rewrite history without detection.

andyxinweiminicloud 4473

behavioral-invariant-monitor

Helps verify that AI agent skills maintain consistent behavioral invariants across repeated executions — detecting the class of threat where a skill behaves safely during initial evaluation but shifts behavior based on execution count, environmental conditions, or delayed activation triggers. v1.3 adds performance fingerprinting (computational complexity drift detection), cryptographic audit trails (hash-chained behavior logs for immutable verification), and risk-proportional monitoring (sampling-based checks to reduce overhead).

andyxinweiminicloud 4473

skill-update-delta-monitor

Helps detect security-relevant changes in AI skills after installation. Tracks deltas between the audited version and current version, flagging updates that expand permissions, add new network endpoints, or alter behavior in ways that bypass install-time security checks.

andyxinweiminicloud 4473