License Dependency Compliance Auditor is a skill that analyzes a project’s full dependency tree for license risk, adjusting findings based on how the project ships. The skill first identifies the distribution model — hosted SaaS, distributed app or binary, open-source project, or internal tool — before assessing any dependency, because the same dependency can be harmless in one context and a violation in another.
Copyleft conflicts covered include AGPL in proprietary SaaS, GPL in distributed proprietary software, LGPL static-linking nuances, and MPL file-level reciprocity. Source-available licenses such as BUSL, SSPL, Elastic License, FSL, and Confluent are checked against commercial use terms. The skill tracks recent relicensing events: Redis to AGPL in 2025, Elasticsearch in 2024, Terraform to BUSL in 2023. Attribution obligations — missing Apache-2.0 NOTICE files, stripped copyright headers, absent frontend bundle license aggregations — are also audited. Dependencies with no license, which are all-rights-reserved by default, are flagged.
Supported ecosystems include npm, yarn, pnpm, PyPI, Cargo, Go modules, Maven, Gradle, RubyGems, Composer, NuGet, and pub.dev. Lock files are read to distinguish shipped dependencies from dev- or build-only ones.
Output is a LICENSE_AUDIT.md file with findings graded Critical, High, Medium, or Low, each listing the dependency, version, SPDX identifier, specific conflict, and a concrete remediation — a named replacement, a compliance action, or a pointer to a commercial license. The skill does not scan for CVEs, does not auto-generate NOTICE files, and does not verify declared licenses against actual source code.