원클릭으로 Manus에서 모든 스킬 실행

checking-license-compliance

Audit a project's dependency licenses against an explicit policy (allow-list / deny-list / review-required) and flag incompatibilities before they ship to production. Reads SPDX license identifiers from npm package manifests, Python METADATA / PKG-INFO files, and pyproject.toml; classifies each license by family (permissive, weak-copyleft, strong-copyleft, proprietary, unknown); detects copyleft contamination and SPDX-incompatible license combinations. Use when: pre-release legal review, M&A code-audit due diligence, preparing an OSS attribution NOTICE file, or switching a project's own license. Threshold: any GPL-family license in a project declaring MIT or Apache-2.0; any UNKNOWN-license package; any metadata-vs-source license mismatch. Trigger with: "check licenses", "license compliance audit", "SPDX scan", "GPL contamination check".

Manus에서 실행

스타2,344

포크332

업데이트2026년 6월 8일 01:18

출처

jeremylongshore

jeremylongshore/claude-code-plugins-plus-skills

GitHub 저장소 열기 Creator 저장소 보기

설치 명령

다운로드

Manus에서 실행

파일 탐색기

4 개 파일

SKILL.md

readonly

이 저장소의 다른 Skills

같은 저장소

auditing-npm-dependencies

jeremylongshore/claude-code-plugins-plus-skills

Audit a Node.js project's installed npm dependency tree for known CVEs by wrapping the npm audit JSON output and emitting findings in the canonical penetration-tester schema. Detects direct AND transitive vulnerabilities, normalizes npm's severity scale (info/low/moderate/ high/critical) to the shared Severity enum, and parses both v1 and v2 audit output formats so the skill works against npm 6 and npm 7+ lockfiles. Use when: pre-merge gate on a Node project, post-incident sweep after a transitive package compromise (e.g. event-stream, ua-parser, node-ipc, color.js), SOC2 vendor-management evidence collection, or auditing an inherited or acquired Node codebase. Threshold: any HIGH or CRITICAL CVE in the resolved dependency tree. MODERATE / LOW reported informationally. Trigger with: "audit npm deps", "npm vulnerability scan", "check node packages for CVEs", "npm audit".

2026-06-082.3k

auditing-python-dependencies

jeremylongshore/claude-code-plugins-plus-skills

Audit a Python project's installed dependencies for known CVEs by wrapping pip-audit (PyPA's official vulnerability auditor) and emitting findings in the canonical penetration-tester schema. Detects vulnerable direct AND transitive packages, normalizes pip-audit's severity output via OSV severity bands, falls back to pip list --outdated when pip-audit isn't installed, and supports requirements.txt, pyproject.toml (PEP 621), Pipfile.lock, and poetry.lock as input sources. Use when: pre-merge gate on a Python project, post-incident sweep after a PyPI compromise (e.g. ctx, request-toolbelt typosquats, ultralytics 8.3.42 compromise), SOC2 evidence collection, or inheriting an unfamiliar Python codebase. Threshold: any HIGH or CRITICAL CVE in the resolved dependency tree. MODERATE / LOW reported informationally. Trigger with: "audit python deps", "pip vulnerability scan", "check pypi packages for CVEs", "pip-audit run".

2026-06-082.3k

composing-vulnerability-report

jeremylongshore/claude-code-plugins-plus-skills

Read findings JSONL files from cluster 1-4 skills, deduplicate by fingerprint, group by severity, and compose a deliverable- grade markdown vulnerability report with per-finding sections (title, severity, target, detail, remediation, evidence) and a top-level summary table. The canonical written artifact a customer receives at engagement close; precise, reproducible, machine- checkable against source findings. Use when: closing an engagement, generating an interim report, regenerating after CVE or OWASP enrichment, or producing the input for generating-executive-summary. Threshold: findings missing required fields are dropped. HIGH and CRITICAL findings highlighted in the summary section. Trigger with: "compose vuln report", "write pentest report", "generate vulnerability deliverable", "render findings to report".

2026-06-082.3k

confirming-pentest-authorization

jeremylongshore/claude-code-plugins-plus-skills

Verify that a penetration test has explicit, written, signed authorization before any scanning begins. Reads a Rules-of- Engagement (ROE) attestation file, validates required fields (authorizer, in-scope targets, time window, emergency contact, signature), checks the signer against an allowlist, and emits a CRITICAL finding if anything is missing. Designed as the first skill the orchestrator routes to. Use when: starting a new engagement, after a scope change, or before any cluster 1-4 scan skill runs. Threshold: any missing or unsigned ROE field; any time-window expiry; any in-scope target outside the authorized list. Trigger with: "confirm authorization", "verify ROE", "check pentest authz", "pre-flight authorization".

2026-06-082.3k

defining-pentest-scope

jeremylongshore/claude-code-plugins-plus-skills

Parse the ROE scope definition, enumerate every in-scope target (hostnames, IPs, CIDRs, URLs, cloud accounts, SaaS tenants), validate syntax, detect overlap with out-of-scope or known third-party SaaS ranges, and emit a normalized target list plus IP allowlist for scanning tools. Runs after confirming-pentest- authorization and before any cluster 1-4 scan. Use when: starting an engagement, expanding scope mid-engagement, validating that a target list matches the ROE, or generating an allowlist for an external scanner. Threshold: malformed syntax, in-scope overlap with out-of-scope, reserved or third-party SaaS ranges without acknowledgement. Trigger with: "define scope", "enumerate targets", "validate target list", "generate IP allowlist".

2026-06-082.3k

generating-executive-summary

jeremylongshore/claude-code-plugins-plus-skills

Compose an exec-readable summary from a unified findings JSONL plus the OWASP coverage report. Computes a single engagement risk score (0-100, severity-weighted with OWASP-breadth and governance terms), rolls up findings into headline counts, names the top-3 remediation priorities with effort + impact estimates, and produces a 1-2 page markdown document for a C-level or board audience. Elides technical detail; the vulnerability report is the deep document. Use when: closing an engagement, preparing the exec-readout meeting, packaging for board review, or producing a one-page narrative for auditor / insurer / board. Threshold: input findings missing produces CRITICAL operational finding; otherwise the deliverable is the document itself. Trigger with: "generate exec summary", "executive summary", "C-level readout", "board pentest summary".

2026-06-082.3k

name	checking-license-compliance
description	Audit a project's dependency licenses against an explicit policy (allow-list / deny-list / review-required) and flag incompatibilities before they ship to production. Reads SPDX license identifiers from npm package manifests, Python METADATA / PKG-INFO files, and pyproject.toml; classifies each license by family (permissive, weak-copyleft, strong-copyleft, proprietary, unknown); detects copyleft contamination and SPDX-incompatible license combinations. Use when: pre-release legal review, M&A code-audit due diligence, preparing an OSS attribution NOTICE file, or switching a project's own license. Threshold: any GPL-family license in a project declaring MIT or Apache-2.0; any UNKNOWN-license package; any metadata-vs-source license mismatch. Trigger with: "check licenses", "license compliance audit", "SPDX scan", "GPL contamination check".
allowed-tools	["Read","Bash(python3:)","Bash(pip:)","Bash(npm:*)","Glob"]
disallowed-tools	["Bash(rm:)","Bash(curl:)","Bash(wget:*)","Write(.env)","Edit(.env)"]
version	3.0.0-dev
author	Jeremy Longshore <jeremy@intentsolutions.io>
license	MIT
compatibility	Designed for Claude Code
tags	["security","licensing","spdx","compliance","pentest"]

Checking License Compliance

Overview

License compliance is a security concern only in the indirect sense that an unintended license obligation can force you to release proprietary source code, retroactively invalidate a customer contract, or render an M&A transaction infeasible. The cost is legal and contractual rather than exploitative — but the consequence ladder is real.

The most-stepped-on landmine is copyleft contamination: unintentionally including a GPL or AGPL-licensed package in a codebase the rest of which is permissively licensed (MIT, Apache-2.0, BSD). The terms of the GPL family say that any project distributing GPL code MUST itself release source under a GPL-compatible license. If your package.json says MIT and one of your transitive deps is GPL-2.0, you may be obligated to either re-license your code or remove the dep.

This skill audits the resolved dependency tree against an explicit policy file and emits findings for:

Direct deps with deny-listed licenses
Transitive deps with deny-listed licenses
Packages with UNKNOWN license metadata (no SPDX identifier)
License conflicts between metadata and source headers
Combinations of licenses that are mutually incompatible (e.g. GPL-2.0 + Apache-2.0 without a patent grant)

When the skill produces findings

Finding	Severity	Threshold	Affected control
Strong-copyleft in permissive project	CRITICAL	GPL-2.0/3.0, AGPL-3.0, or similar in a project declaring MIT/Apache-2.0/BSD	(legal)
Weak-copyleft requiring source disclosure	HIGH	LGPL family in a project where the obligation isn't being met (no source-availability commitment)	(legal)
Custom / non-SPDX license	HIGH	License field doesn't match SPDX expression syntax; requires legal review	(legal)
Unknown license	MEDIUM	Package has no `license` field, no LICENSE file detected	(legal)
Deny-listed license (per policy)	HIGH	Package license is in the explicit deny-list in the policy file	(legal)
Review-required license (per policy)	MEDIUM	Package license is in the review-list (e.g. MPL-2.0)	(legal)
Incompatible license combination	HIGH	Detected pair of licenses known to conflict (e.g. GPL-2.0-only + Apache-2.0)	(legal)
License declared differently in metadata vs source headers	MEDIUM	LICENSE file says one license; per-file SPDX-License-Identifier headers say another	(legal)
Permissive license requiring attribution	INFO	MIT/BSD/Apache-2.0 — emit reminder that NOTICE / attribution file should list the package	(informational)

Prerequisites

Python 3.9+
Target project with EITHER a package.json + node_modules/ OR a Python project (pyproject.toml/requirements.txt/ installed venv)
Policy file at ./.license-policy.json (auto-detected) or passed via --policy. If absent, the skill uses a built-in default policy that flags strong copyleft for permissive parent projects.

Instructions

Step 1 — Identify the project's own declared license

The skill reads the project's top-level license from:

npm: package.json's license field
Python: pyproject.toml's [project].license table OR setup.cfg's license field

If the project's own license isn't declared, the skill emits a FATAL operational finding — license compliance can't be checked without a baseline. Add a license field before running.

Step 2 — Identify policy

The policy file is JSON:

{
  "allow": ["MIT", "BSD-3-Clause", "Apache-2.0", "ISC", "BSD-2-Clause"],
  "deny":  ["GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "AGPL-3.0-or-later"],
  "review": ["MPL-2.0", "EPL-2.0", "CDDL-1.0", "LGPL-3.0-or-later"],
  "project_license": "MIT"
}

allow: licenses that pass without comment. deny: licenses that produce a finding regardless of project license. review: licenses that produce a MEDIUM-severity finding for legal review. project_license: enforced — if the project declares this but a dep is in deny, finding is CRITICAL.

Step 3 — Run the scanner

python3 ./scripts/check_licenses.py /path/to/project

Options:

Usage: check_licenses.py PATH [OPTIONS]

Options:
  --output FILE      Write findings to FILE (default: stdout)
  --format FMT       json | jsonl | markdown (default: markdown)
  --min-severity SEV (default: info)
  --policy FILE      Override default policy
  --emit-attribution  Also emit an attribution file (NOTICE.md) listing
                     every permissive-licensed dep that requires attribution

Step 4 — Interpret findings

CRITICAL findings block release pending legal review. Either remove the offending dep, replace it with a permissively-licensed alternative, or escalate to legal for a written exception.

HIGH findings require legal sign-off but don't necessarily block release if the legal posture (e.g. service-only deployment under AGPL) makes the obligation moot.

MEDIUM findings should be reviewed quarterly and either resolved or moved into an explicit exception list.

INFO findings are reminders that an attribution / NOTICE file should reference these packages.

Examples

Example 1 — Pre-release legal gate

python3 ./scripts/check_licenses.py . --min-severity high --format json --output license-audit.json
jq -e '. == []' license-audit.json || { echo "License finding — legal review required"; exit 1; }

Example 2 — Generate attribution file

python3 ./scripts/check_licenses.py . --emit-attribution --format markdown --output NOTICE.md

Example 3 — M&A due diligence

mkdir -p evidence/legal/
python3 ./scripts/check_licenses.py target-acquisition-codebase/ \
    --format json \
    --output evidence/legal/license-audit-$(date +%Y%m%d).json

Output

JSON / JSONL / Markdown per lib/report.py. Exit codes: 0 clean, 1 high/critical, 2 error.

Each Finding includes:

id — license-compliance::<package>::<license-id>
severity — CRITICAL / HIGH / MEDIUM / LOW / INFO
category — license-compliance
summary — what's wrong
evidence — package name, declared license, project license, policy match
references — SPDX URL for the license, package home page

Error Handling

No project license → emits an INFO/operational finding recommending the operator add a license field, exits 2.
Unparseable policy file → exits 2 with a parser error message.
Package with malformed license field → treated as UNKNOWN license, emits MEDIUM finding.
No SPDX identifier in source headers → emits INFO finding reminding that SPDX header convention catches contamination at the file level.

Resources

references/THEORY.md — SPDX license expression syntax, family classifications, copyleft propagation theory, common license incompatibilities, when LGPL static linking matters, AGPL service-distribution clauses, public-domain edge cases (CC0 vs unlicense)
references/PLAYBOOK.md — Default policy templates per project type (proprietary product, OSS library, internal-only tool, SaaS service), attribution file generation, legal-counsel handoff templates, replacing copyleft deps with permissive alternatives