License Dependency Compliance Auditor

Automated open-source license audit and risk assessment based on your project's specific distribution model.

Install
cmdop skills install agensi-license-dependency-compliance-auditor

License Dependency Compliance Auditor is a skill that analyzes a project’s full dependency tree for license risk, adjusting findings based on how the project ships. The skill first identifies the distribution model — hosted SaaS, distributed app or binary, open-source project, or internal tool — before assessing any dependency, because the same dependency can be harmless in one context and a violation in another.

Copyleft conflicts covered include AGPL in proprietary SaaS, GPL in distributed proprietary software, LGPL static-linking nuances, and MPL file-level reciprocity. Source-available licenses such as BUSL, SSPL, Elastic License, FSL, and Confluent are checked against commercial use terms. The skill tracks recent relicensing events: Redis to AGPL in 2025, Elasticsearch in 2024, Terraform to BUSL in 2023. Attribution obligations — missing Apache-2.0 NOTICE files, stripped copyright headers, absent frontend bundle license aggregations — are also audited. Dependencies with no license, which are all-rights-reserved by default, are flagged.

Supported ecosystems include npm, yarn, pnpm, PyPI, Cargo, Go modules, Maven, Gradle, RubyGems, Composer, NuGet, and pub.dev. Lock files are read to distinguish shipped dependencies from dev- or build-only ones.

Output is a LICENSE_AUDIT.md file with findings graded Critical, High, Medium, or Low, each listing the dependency, version, SPDX identifier, specific conflict, and a concrete remediation — a named replacement, a compliance action, or a pointer to a commercial license. The skill does not scan for CVEs, does not auto-generate NOTICE files, and does not verify declared licenses against actual source code.

Use cases

  • Audit a proprietary SaaS project for AGPL dependencies before a public launch
  • Identify GPL violations in a distributed desktop or CLI application
  • Generate a LICENSE_AUDIT.md report for investor or acquisition due diligence
  • Check attribution obligations when shipping a bundled frontend
  • Detect dependencies with no declared license that carry all-rights-reserved status
  • Track source-available relicensing events in an existing dependency tree

When to use it

  • Before releasing a product that distributes compiled or bundled dependencies
  • Before a fundraising round or acquisition when a license audit artifact is required
  • When a dependency has recently changed its license and distribution-model impact is unclear
  • When a project spans multiple package ecosystems and transitive dependencies need coverage
  • When verifying outbound and inbound license compatibility for an open-source project

When not to use it

  • When security vulnerability (CVE) scanning is the goal — this skill does not cover CVEs
  • When automated NOTICE file generation is needed — missing files are reported but not created
  • When verification that declared licenses match actual source code is required
  • When no lock files exist and exact dependency versions cannot be determined
  • When a formal legal opinion is needed — findings are not a substitute for legal counsel