wip-license-hook

License rug-pull detection. Scans dependencies and forks for license changes, gates upstream merges, maintains a license ledger, and generates a public compliance dashboard.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Install skill "wip-license-hook" with this command: npx skills add Parker Todd Brooks/wip-license-hook

wip-license-hook

Detect license rug-pulls before they reach your codebase.

Commands

Initialize ledger for a project

wip-license-hook init --repo /path/to/repo

Scans all current dependencies and forks, records their licenses, creates LICENSE-LEDGER.json.

Scan all dependencies

wip-license-hook scan --all

Checks every dependency and fork against the ledger. Updates last_checked. Flags any changes.

Pre-merge gate

wip-license-hook gate --upstream <remote>

Fetches upstream without merging. Checks license. Returns exit code 0 (safe) or 1 (changed/blocked).

Use in git hooks or CI.

Generate report

wip-license-hook report

Outputs a human-readable license health report.

Generate dashboard

wip-license-hook dashboard --output ./docs

Creates a static HTML dashboard from the ledger. Deploy to GitHub Pages.

Daily Cron Usage

Add to HEARTBEAT.md or as a cron job:

wip-license-hook scan --all --alert

If any license changed, sends alert via configured channel (email, iMessage, Discord).

What It Detects

  • LICENSE file content changes
  • package.json license field changes
  • SPDX header changes
  • License removal (file deleted)
  • License downgrade (permissive → restrictive)

What It Does NOT Do

  • It does not provide legal advice
  • It does not auto-merge anything, ever
  • It does not modify upstream code

Alert Levels

  • 🟢 Clean — license unchanged since adoption
  • 🟡 Warning — license metadata inconsistency (e.g., LICENSE file says MIT but package.json says ISC)
  • 🔴 Blocked — license changed from what was adopted. Merge blocked. Human review required.
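
The alert levels above amount to comparing the license recorded at adoption with the license observed now. The JavaScript below is an added illustration, not wip-license-hook's own code. Assumptions: the record shape, the names `classify` and `gateExitCode`, the permissive allow-list, and the reading that any change from the adopted value is Blocked while an unchanged disagreement between sources is Warning.

```javascript
// Added illustration, not wip-license-hook's own code. Assumed record shape:
// { licenseFile: <SPDX id, or null if the file is absent>, packageJson: <SPDX id or null> }
// Constructed allow-list; any id not listed is treated as restrictive or unknown.
const PERMISSIVE = new Set(["MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"]);

function classify(adopted, current) {
  const findings = [];
  for (const source of ["licenseFile", "packageJson"]) {
    const was = adopted[source];
    const now = current[source];
    if (was === now) continue;
    if (was !== null && now === null) {
      findings.push(`${source}: license removed (was ${was})`);
    } else if (PERMISSIVE.has(was) && !PERMISSIVE.has(now)) {
      findings.push(`${source}: downgrade ${was} -> ${now}`);
    } else {
      findings.push(`${source}: changed ${was} -> ${now}`);
    }
  }
  if (findings.length > 0) return { level: "blocked", findings };
  // Nothing changed since adoption, but the two sources disagree with each other.
  const { licenseFile, packageJson } = current;
  if (licenseFile !== null && packageJson !== null && licenseFile !== packageJson) {
    const note = `LICENSE says ${licenseFile}, package.json says ${packageJson}`;
    return { level: "warning", findings: [note] };
  }
  return { level: "clean", findings };
}

// Gate semantics from the page: exit code 0 is safe, 1 is changed/blocked.
function gateExitCode(results) {
  return results.some((r) => r.level === "blocked") ? 1 : 0;
}

// Constructed sample dependencies (names and licenses are made up for the example).
const rec = (licenseFile, packageJson) => ({ licenseFile, packageJson });
const samples = [
  { name: "dep-a", adopted: rec("MIT", "MIT"), current: rec("MIT", "MIT") },
  { name: "dep-b", adopted: rec("MIT", "ISC"), current: rec("MIT", "ISC") },
  { name: "dep-c", adopted: rec("Apache-2.0", "Apache-2.0"), current: rec("BUSL-1.1", "Apache-2.0") },
  { name: "dep-d", adopted: rec("MIT", "MIT"), current: rec(null, "MIT") },
];
const results = samples.map((s) => ({ name: s.name, ...classify(s.adopted, s.current) }));
for (const r of results) console.log(r.name, r.level, r.findings.join("; "));
console.log("gate exit code:", gateExitCode(results));
```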

MCP

Tools: license_scan, license_audit, license_gate, license_ledger

Add to .mcp.json:

{
  "wip-license-hook": {
    "command": "node",
    "args": ["/path/to/tools/wip-license-hook/mcp-server.mjs"]
  }
}

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.