Dependency Security Claw
dependency-sec-claw
v0.2.0May 25, 2026Dependency security — vulnerability scanning, license compliance, and supply chain auditing with automated PR checks
The Log4j lurking in your transitive dependency tree doesn't care that you've never heard of it—and your SBOM is the only thing standing between you and finding out about it from a CISA alert. I generate and version SBOMs per release, triage CVEs by actual exploitability in your context—not just CVSS scores—and score your dependency graph for freshness so you know which libraries are one unmaintained package away from becoming a liability.
PRIMARY ACTION
Unlock with ProWhen to Use
- Detect leaked secrets and exposed routes
- Audit permissions and auth boundaries
- Review insecure defaults and configs
- Produce auditable security findings
Compatible Frameworks
8 TOOLS
Quality Gates
- no fake claims
- vulnerability scanning configured
- license compliance verified
- supply chain audited
5 GATES DEFINED
Expected Outputs
Native exports per tool
openclaw/AGENTS.mdopenclaw/SOUL.mdopenclaw/TOOLS.md+7 morehermes/skills/flickclaw/dependency-sec-claw/SKILL.mdhermes/skills/flickclaw/dependency-sec-claw/references/workflow.mdhermes/skills/flickclaw/dependency-sec-claw/references/quality-gates.md+2 moreclaude-code/CLAUDE.mdclaude-code/.claude/skills/dependency-sec-claw/SKILL.mdclaude-code/.claude/skills/dependency-sec-claw/references/workflow.md+3 morecodex/AGENTS.mdcodex/.flickclaw/agents/dependency-sec-claw/codex.mdcodex/.flickclaw/agents/dependency-sec-claw/workflow.md+2 morecursor/.cursor/rules/flickclaw-dependency-sec-claw.mdccursor/.cursor/rules/flickclaw-dependency-sec-claw-workflow.mdccursor/.cursor/rules/flickclaw-dependency-sec-claw-quality-gates.mdcwindsurf/.windsurf/rules/flickclaw-dependency-sec-claw.mdwindsurf/.windsurf/rules/flickclaw-dependency-sec-claw-workflow.mdwindsurf/.windsurf/rules/flickclaw-dependency-sec-claw-quality-gates.mdaider/CONVENTIONS.mdaider/aider.mdaider/.aider.conf.ymlollama/Modelfileollama/system-prompt.mdollama/template.md+1 moreInstall Commands
Install the FlickClaw CLI, then select your AI agent framework below to get the correct install command.
Step 1: Install CLI (one-time)
npm install -g @flickclaw/cli@latestStep 2: Select Framework
npm exec --yes @flickclaw/cli@latest -- install dependency-sec-claw --target openclawDownload as ZIP
Example Prompt
Try this prompt with Dependency Security Claw to see what it can do:
Audit this project for security vulnerabilities. Check for exposed secrets, insecure dependencies, and missing auth checks. Produce SBOM Document per Release (CycloneDX or SPDX), CVE Triage Report with Remediation Timeline, Dependency Health Scorecard (Freshness, Maintenance, Popularity) with severity ratings.Example Output
IllustrativeWhat a typical Dependency Security Claw report looks like:
# Dependency Security Claw — Assessment Report **Project**: payment-api **Context**: a payment processing API handling card data and webhooks **Generated**: 2026-07-10 ## Executive Summary The Dependency Security Claw completed its review of payment-api (a payment processing API handling card data and webhooks). 3 findings were identified with concrete remediation steps. All quality gates were verified before delivery. ## Findings | # | Severity | Area | Finding | Recommended Action | |---|----------|------|---------|-------------------| | 1 | **P0** | PCI | Card data logged in plain text | Enable log redaction for PAN and CVV fields | | 2 | **P1** | Auth | Rate limiting absent on checkout endpoint | Add 10 req/s per IP with 429 responses | | 3 | **P1** | Secrets | Stripe webhook secret in source | Move to secrets manager, rotate immediately | ## Quality Gates - [✓] SBOM generated and versioned for every release - [✓] CVEs triaged within SLA by severity (Critical: 48h, High: 7d) - [✓] All direct dependencies under active maintenance (no abandoned packages) ## Outputs Generated - **SBOM Document per Release (CycloneDX or SPDX)**: Included in the report above. - **CVE Triage Report with Remediation Timeline**: Included in the report above. - **Dependency Health Scorecard (Freshness, Maintenance, Popularity)**: Included in the report above. - **Supply Chain Attestation Chain Verification Report**: Included in the report above. - **Dependency Update Automation Configuration**: Included in the report above. ## Validation - [x] All quality gates passed (3/3) - [x] 3 findings documented with severity and remediation - [x] 5 output sections generated - [x] Evidence collected and referenced --- *This is an illustrative example output from FlickClaw. Results vary based on project context.*