License & Dependency Compliance Auditor
by rayyer
Automated open-source license audit and risk assessment based on your project's specific distribution model.
- Find AGPL or GPL dependencies that conflict with a proprietary or SaaS product
- Audit dependency licenses before a release, fundraise, or acquisition
- Detect source-available licenses (BUSL, SSPL) used against their terms
$10 · or 50 credits
Included in download
- Find AGPL or GPL dependencies that conflict with a proprietary or SaaS product
- Audit dependency licenses before a release, fundraise, or acquisition
- file_write, file_read automation included
- Ready for yarn
Sample input
We're a proprietary SaaS about to raise a round. Audit our dependencies for any license that could be a problem in due diligence.
Sample output
Detected: npm (pnpm-lock) + Go modules. Project license: none found. Distribution model: proprietary hosted SaaS. Analyzed 47 direct / 612 transitive deps.
Writing the full report to LICENSE_AUDIT.md.
Summary: 10 findings — 2 Critical, 3 High, 3 Medium, 2 Low.
Deal-breaker for due diligence: rrweb@2.0.0 is AGPL-3.0 and you ship as hosted SaaS. AGPL's network clause means using it
obligates open-sourcing your entire application — exactly what an acquirer's counsel flags. Replace it with a permissive
session-replay library before the raise.
Also Critical: fast-geoip-pro@1.4.2 has no license at all — that's all-rights-reserved, you have no right to ship it.
High: project has no LICENSE declared; 96 Apache-2.0 deps ship to the browser with no aggregated NOTICE; a BUSL-1.1 Terraform provider needs its internal-use grant confirmed.
First moves: swap rrweb, resolve the unlicensed geoip dep, add a project LICENSE. Full details with versions, SPDX ids, and fixes in LICENSE_AUDIT.md.
This is an engineering analysis, not legal counsel — have an attorney confirm before the raise.
About This Skill
What makes it different
It detects your distribution model first — hosted SaaS, distributed app/binary, open source, or internal tool — then judges every dependency against it. AGPL is a non-issue for a CLI tool but a Critical violation in proprietary SaaS. GPL is fine in your backend but not in a distributed binary. Generic license scanners ignore this; this one leads with it.
What it checks
- Copyleft conflicts: AGPL in proprietary SaaS (the #1 startup trap — network use counts as distribution), GPL in distributed proprietary software, LGPL static-linking nuances, MPL file-level reciprocity
- Source-available licenses: BUSL, SSPL, Elastic License, FSL, Confluent — used commercially against their terms. Tracks the version whipsaw (Redis → AGPL 2025, Elasticsearch → AGPL 2024, Terraform → BUSL 2023)
- Attribution duties: missing NOTICE files (Apache-2.0), stripped copyright headers, no aggregated third-party licenses when distributing (including browser-shipped frontend bundles)
- Unknown / no license: dependencies that are all-rights-reserved by default — no legal right to use
- Your own project: missing or mismatched LICENSE, outbound/inbound incompatibility for open-source projects
Ecosystems
npm/yarn/pnpm, PyPI (pip/poetry/pipenv), Cargo, Go modules, Maven/Gradle, RubyGems, Composer, NuGet, pub.dev — reads direct and transitive dependencies from lock files, distinguishes shipped vs dev/build-only.
How it works
- Detects ecosystems + your project license + distribution model (asks if ambiguous).
- Builds the dependency license map from lock files, with SPDX identifiers.
- Audits each against the distribution model and per-license obligations.
- Writes LICENSE_AUDIT.md graded by legal risk (Critical/High/Medium/Low) with the dependency, version, SPDX id, the exact conflict, and a concrete fix — replace with X, comply by Y, or get a commercial license.
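The distribution-aware grading described under "What it checks" and in the four steps above, as an added example that is not the skill's own code: a constructed dependency map (the kind step 2 builds from a lock file) is judged against a distribution model and reduced to graded findings. The license sets, severities, the `example-http-lib` name and the rule that a SaaS browser bundle counts as distribution are illustrative assumptions.

```python
# Added example, not the skill's own code: a minimal distribution-aware license
# audit over a constructed dependency map, following the four steps above.
# License sets, severities and the sample dependencies are illustrative assumptions.
from collections import Counter

AGPL = {"AGPL-3.0-only", "AGPL-3.0-or-later"}
GPL = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later"}
NOTICE_REQUIRED = {"Apache-2.0"}
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed map as step 2 would build it from a lock file:
# (name, version, SPDX id or None, shipped at runtime?, in the browser bundle?)
SAMPLE_DEPS = [
    ("rrweb", "2.0.0", "AGPL-3.0-only", True, True),
    ("fast-geoip-pro", "1.4.2", None, True, False),
    ("lodash", "4.17.21", "MIT", True, True),
    ("eslint", "9.0.0", "MIT", False, False),                 # dev/build-only
    ("example-http-lib", "1.0.0", "Apache-2.0", True, True),  # constructed name
]

def grade(dep, model, has_notice):
    """Step 3: judge one dependency against the distribution model.
    model is one of: saas, distributed, opensource, internal."""
    name, version, spdx, shipped, browser = dep
    if not shipped:
        return None                      # dev/build-only deps carry no obligation
    # Code handed to third parties: every shipped dep of a distributed or
    # open-source product, or the browser bundle of a hosted SaaS (assumption).
    distributed = model in ("distributed", "opensource") or (model == "saas" and browser)
    if spdx is None:
        sev, why = "Critical", "no license: all rights reserved, no right to ship"
    elif spdx in AGPL and model in ("saas", "distributed"):
        sev, why = "Critical", "AGPL network clause: proprietary use requires releasing your source"
    elif spdx in GPL and distributed and model != "opensource":
        sev, why = "Critical", "GPL in distributed proprietary software"
    elif spdx in NOTICE_REQUIRED and distributed and not has_notice:
        sev, why = "High", "shipped without aggregated NOTICE/attribution"
    else:
        return None                      # e.g. GPL in a SaaS backend is not distribution
    return {"dep": f"{name}@{version}", "spdx": spdx or "NONE", "severity": sev, "conflict": why}

def audit(deps, model, has_notice=False):
    """Steps 3-4: grade every dep, order by risk, return findings plus a severity count."""
    findings = [f for f in (grade(d, model, has_notice) for d in deps) if f]
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["dep"]))
    return findings, dict(Counter(f["severity"] for f in findings))

if __name__ == "__main__":
    findings, summary = audit(SAMPLE_DEPS, "saas")
    print("Summary:", summary)
    for f in findings:
        print(f"{f['severity']}: {f['dep']} ({f['spdx']}) - {f['conflict']}")
```

Running the same map as an internal tool drops the AGPL and NOTICE findings and keeps only the unlicensed dependency, which is the model-dependence the skill leads with.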
Why buy it
- Distribution-aware — the only framing that gives correct answers; avoids both false alarms and missed violations
- Due-diligence ready — run it before a release, fundraise, or acquisition; the report is the artifact reviewers ask for
- Concrete fixes — named permissive replacements and exact compliance steps, not "remove GPL stuff"
- Current — knows the 2023–2025 source-available relicensing wave and pins findings to the version in your lock file
- Agent-agnostic — Claude Code, Cursor, Codex CLI, Copilot, Gemini CLI
Limitations
Analyzes declared licenses statically. Not legal advice — license interpretation is fact-specific. Doesn't scan for security CVEs (use an SCA tool for that), doesn't auto-generate NOTICE files, and doesn't verify that a declared license matches the actual code.
Use Cases
- Find AGPL or GPL dependencies that conflict with a proprietary or SaaS product
- Audit dependency licenses before a release, fundraise, or acquisition
- Detect source-available licenses (BUSL, SSPL) used against their terms
- Identify missing attribution and NOTICE obligations before distributing
- Flag dependencies with no license that you have no right to ship
- Check whether the project's own license is compatible with what it bundles
Known Limitations
Analyzes declared licenses statically; does not verify that a declared license matches the actual code. Not legal advice — license interpretation depends on facts the code can't fully reveal (linking mode, how you distribute, your commercial model). Such cases are routed to "Needs human review." Best results require a lock file; without one, only direct dependencies are analyzed (transitive deps unseen) and the report says so. Does not scan for security vulnerabilities/CVEs — use a dedicated SCA tool. Does not auto-generate NOTICE/attribution files or swap dependencies; it reports and recommends. Source-available license terms vary by version and change date; findings are pinned to the locked version, but always confirm the current grant.
How to Install
mkdir -p ~/.claude/skills && curl -sL https://www.agensi.io/api/install/license-dependency-compliance-auditor -o /tmp/license-dependency-compliance-auditor.zip && unzip -o /tmp/license-dependency-compliance-auditor.zip -d ~/.claude/skills && rm /tmp/license-dependency-compliance-auditor.zip
Free skills install directly. Paid skills require purchase - use the download button above after buying.
Security Scanned
Passed automated security review
Permissions
File Scopes
Static analysis only. Reads manifests, lock files, and installed package metadata to determine each dependency's license, plus LICENSE/NOTICE files for attribution checks. Writes a single file (LICENSE_AUDIT.md). No network calls, no shell, no environment reads. If "Network Access" is auto-detected from the ZIP it's a false positive — the skill references registry/license docs in its checklists but never fetches them.
No runtime dependencies. Works on any repo using npm/yarn/pnpm, pip/poetry, Cargo, Go modules, Maven/Gradle, RubyGems, Composer, NuGet, or pub. Best results with a lock file present (for transitive deps). Compatible with any agent supporting the SKILL.md standard.