Walk package-lock.json, yarn.lock, or Pipfile.lock and flag dependency licenses that are incompatible with a target license declared by the project.
Inventories every transitive dependency from a lockfile, resolves each one's SPDX license, and flags any that are incompatible with the project's declared license. Output is a CSV plus a short remediation summary.
Inputs:
- lockfile_path: one of package-lock.json, yarn.lock, Pipfile.lock, or poetry.lock.
- target_license: SPDX id of the project's chosen license (e.g., MIT, Apache-2.0, GPL-3.0-or-later).
- allowlist: array of SPDX ids to treat as always-compatible.

Steps:
1. Parse the lockfile: for package-lock.json read the packages map; for yarn.lock parse with yarn list --json; for Pipfile/poetry locks read the [[package]] TOML stanzas.
2. For each name@version, fetch metadata: npm via npm view <name>@<version> license --json, Python via pip show <name> or the local site-packages METADATA file.
3. Normalize each raw license string to an SPDX id (e.g., MIT stays MIT, "Apache 2.0" -> Apache-2.0).
4. Classify each dependency as compatible | review | incompatible against target_license.
5. Write rows name,version,license,verdict,note sorted by verdict descending.
6. Output license-audit.csv plus a markdown summary on stdout listing the count per verdict and the top three offenders by transitive depth (the deeper the worse, since they're harder to swap).
Verification:
- Pick three random rows from the CSV and re-query their license through the package registry (npm view or pip show) to confirm the recorded SPDX id matches.
- Re-count CSV rows; the count must equal the number of unique name@version pairs in the lockfile (use wc -l).
- If target_license is itself unknown to the matrix, abort early with a clear error rather than guessing.
Edge cases:
- Unknown or unrecognised licenses: mark review and surface them in the summary, never compatible.
- SPDX expressions (e.g., (MIT OR Apache-2.0)): pick the most permissive option that also satisfies the target.
- UNLICENSED markers: always incompatible regardless of target.
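The normalization and classification steps above, including the three edge cases, as an added Python example that is not part of the skill itself; the alias table, compatibility matrix and permissiveness ranking are constructed, deliberately small assumptions for illustration, not a vetted legal matrix:

```python
import re

# Constructed, deliberately small tables for this example; a real audit would
# load a vetted SPDX alias list and compatibility matrix instead of these.
ALIASES = {
    "mit": "MIT", "mit license": "MIT", "isc": "ISC",
    "apache 2.0": "Apache-2.0", "apache-2.0": "Apache-2.0",
    "apache license 2.0": "Apache-2.0", "bsd-2-clause": "BSD-2-Clause",
    "bsd-3-clause": "BSD-3-Clause", "gpl-3.0-only": "GPL-3.0-only",
    "gpl-3.0-or-later": "GPL-3.0-or-later", "gplv3": "GPL-3.0-only",
}
PERMISSIVE = {"MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}
COMPAT = {  # target license -> dependency licenses it may incorporate (assumed)
    "MIT": PERMISSIVE,
    "Apache-2.0": PERMISSIVE,
    "GPL-3.0-or-later": PERMISSIVE | {"GPL-3.0-only", "GPL-3.0-or-later"},
}
# Most permissive first; used to choose among the options of an OR expression.
RANK = ["MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0",
        "GPL-3.0-or-later", "GPL-3.0-only"]


def normalize(raw):
    """Map one raw license string to an SPDX id, or None if unrecognised."""
    return ALIASES.get(raw.strip().lower())


def classify(raw, target, allowlist=()):
    """Return (verdict, note) for one dependency's raw license string.

    Verdict is 'compatible', 'review' or 'incompatible'. Raises ValueError when
    the target itself is unknown to the matrix, so the audit aborts early.
    """
    if target not in COMPAT:
        raise ValueError(f"target license {target!r} unknown to compatibility matrix")
    if not raw or not raw.strip():
        return "review", "no license metadata"
    if raw.strip().upper() == "UNLICENSED":
        return "incompatible", "UNLICENSED marker"
    # Split an SPDX expression such as "(MIT OR Apache-2.0)" into its options;
    # anything else that fails to normalize (e.g. an AND expression) becomes review.
    options = []
    for part in re.split(r"\s+OR\s+", raw.strip().strip("()"), flags=re.I):
        part = part.strip()
        options.append(part if part in allowlist else normalize(part))
    ok = [o for o in options if o and (o in allowlist or o in COMPAT[target])]
    if ok:  # choose the most permissive option that satisfies the target
        chosen = min(ok, key=lambda o: RANK.index(o) if o in RANK else len(RANK))
        return "compatible", f"chose {chosen}" if len(options) > 1 else ""
    if any(o is None for o in options):
        return "review", f"unrecognised license string {raw!r}"
    return "incompatible", f"{' OR '.join(options)} not compatible with {target}"
```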
Related skills, with the same domains or capabilities as amitte/dependency-license-audit:
Audit an AWS IAM policy against CloudTrail usage data and propose a minimized policy listing only actions actually invoked in the analysis window.
Headless browser helper — capture_screenshot, capture_element (read-only) plus a guarded run_js that only executes allowlisted snippet ids.
Read-only RubyGems helper — search_gems, get_gem_info, list_versions. Surface for Ruby dependency discovery from an agent.
Read-only crates.io helper — search_crates, get_crate_info, list_versions. Surface for Rust dependency discovery from an agent.
Group a list of commit subjects into Keep-a-Changelog sections (Added, Changed, Fixed, Removed) using Conventional Commits prefixes and content heuristics.
Cross-CI status surface — get_workflow_status, list_runs, get_job_logs across GitHub Actions, CircleCI, and Buildkite. Read-only.