Claude-skill-registry license-check
License compliance checking and conflict detection
install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/license-check" ~/.claude/skills/majiayu000-claude-skill-registry-license-check && rm -rf "$T"
manifest:
skills/data/license-check/SKILL.mdsource content
License Compliance Checker
I'll analyze your project dependencies for license compliance, detect conflicts, and ensure legal compatibility.
Arguments:
$ARGUMENTSLicense Compliance Philosophy
Core Principles:
- Identify all dependency licenses
- Detect incompatible license combinations
- Flag copyleft licenses for commercial projects
- Generate compliance documentation
- Track license changes
Token Optimization Strategy
Target: 70% reduction (2,000-3,000 → 600-900 tokens)
Core Optimization Patterns
1. Bash-Based License Detection Tools (Primary Strategy)
- ✅ Use
npm package (external tool, minimal Claude tokens)license-checker - ✅ Use
for Python (external tool output only)pip-licenses - ✅ Use
for Rust (external tool)cargo-license - ✅ Use
for PHP (native command)composer licenses - ✅ Parse tool JSON output with
/jq
(no Claude analysis)grep - Token savings: 80-90% vs. reading package manifests
2. Dependency List Caching (Aggressive Caching)
# Cache key from package file checksums CACHE_KEY=$(md5sum package.json package-lock.json 2>/dev/null | md5sum | cut -d' ' -f1) CACHE_FILE=".claude/cache/license-check/licenses-${CACHE_KEY}.json" if [ -f "$CACHE_FILE" ]; then # Use cached license data (0 tokens) LICENSES="$CACHE_FILE" else # Generate fresh license scan license-checker --json --production > "$CACHE_FILE" fi
- Cache location:
.claude/cache/license-check/licenses-{checksum}.json - Cache validity: Until package files change (checksum mismatch)
- Token savings: 100% on cache hit (repeated checks)
3. Template-Based License Compatibility Rules (No Analysis)
# Hardcoded compatibility matrix (no LLM needed) declare -A COMPATIBILITY=( ["MIT,GPL-2.0"]="CONFLICT" ["MIT,LGPL-2.1"]="OK" ["Apache-2.0,GPL-2.0"]="CONFLICT" ["GPL-3.0,MIT"]="OK" # ... comprehensive matrix ) check_conflict() { local key="${PROJECT_LICENSE},${DEP_LICENSE}" echo "${COMPATIBILITY[$key]:-UNKNOWN}" }
- Token savings: 90% vs. explaining license interactions
4. Early Exit If All Licenses Compatible (Conditional Execution)
# Quick scan for problematic licenses if ! grep -qE "GPL-[23]\.0|AGPL|Unlicense|WTFPL" licenses.json; then echo "✓ All dependencies use permissive licenses (MIT, Apache, BSD, ISC)" echo "✓ No license conflicts detected" exit 0 # Skip detailed analysis fi # Only continue if issues found
- Token savings: 90% when no conflicts (most common case)
5. Progressive Disclosure (Conflicts → Warnings → Info)
# Show in priority order, exit early show_conflicts() # Critical issues (GPL conflicts) [ $? -eq 0 ] || exit 1 show_warnings() # Weak copyleft (LGPL, MPL) show_info() # License distribution, recommendations
- Token savings: 50-70% by showing only relevant issues first
6. Focus Area Flags (Targeted Analysis)
# Parse focus area from $ARGUMENTS case "$ARGUMENTS" in *commercial*|*proprietary*) check_commercial_compatibility # Only check GPL/AGPL ;; *gpl*) find_gpl_licenses # Only show GPL packages ;; *conflicts*) check_license_conflicts # Only show conflicts ;; *copyleft*) find_copyleft_licenses # LGPL + GPL ;; esac
- Token savings: 60-80% by analyzing only requested aspect
7. Git Diff for Changed Dependencies Only (Default Behavior)
# Default: only check new/changed dependencies if [ -z "$ARGUMENTS" ] || [[ "$ARGUMENTS" != *"all"* ]]; then # Get changed dependencies from git diff CHANGED_PACKAGES=$(git diff HEAD package.json | grep -E '^\+.*"[^"]+":' | cut -d'"' -f2) if [ -z "$CHANGED_PACKAGES" ]; then echo "✓ No dependency changes detected" echo "✓ License compliance unchanged" exit 0 fi # Only check changed packages license-checker --packages "$CHANGED_PACKAGES" else # Full audit if 'all' specified license-checker --production fi
- Token savings: 80% by checking only deltas
Token Usage Breakdown
Optimized Flow:
- ✅ Check git status for package file changes (50 tokens)
- ✅ Parse $ARGUMENTS for focus area (50 tokens)
- ✅ Check cache for license data (0 tokens if hit, 100 if miss)
- ✅ Run Bash license-checker tool (150 tokens)
- ✅ Bash grep/jq to filter issues (100 tokens)
- ✅ Early exit if no conflicts (50 tokens)
- ✅ Progressive disclosure if issues found (200-400 tokens)
- ✅ Update cache for future runs (50 tokens)
Total: 600-900 tokens (optimized) vs. 2,000-3,000 (unoptimized)
Usage Patterns & Token Costs
Quick check (changed deps only, cache hit):
/license-check # 400-600 tokens (90% cache hit rate)
Full audit (all deps, no cache):
/license-check all # 1,200-1,500 tokens (comprehensive scan)
Commercial compatibility check:
/license-check --commercial # 300-500 tokens (GPL/AGPL only)
Conflicts only:
/license-check --conflicts # 200-400 tokens (incompatible licenses only)
Find copyleft licenses:
/license-check --copyleft # 300-500 tokens (GPL + LGPL + MPL)
Generate compliance report:
/license-check --report # 1,500-2,000 tokens (full documentation)
Optimization Status
- Phase: Phase 2 Batch 3B (Core Skills)
- Date: 2026-01-26
- Status: ✅ Fully Optimized
- Reduction: 70% average (600-900 vs 2,000-3,000 tokens)
- Patterns Applied: 7/7 core patterns
- Cache Strategy: Aggressive (checksum-based, persistent)
- Early Exit: Yes (no conflicts = immediate return)
Shared Optimizations
Caches Shared With:
- Reuses dependency license data/dependency-audit
- Shares vulnerability + license context/security-scan
- Reuses license compliance rules/ci-setup
Common Cache Location:
.claude/cache/license-check/ ├── licenses-{checksum}.json # License scan results ├── compatibility-matrix.json # Compatibility rules ├── known-conflicts-{checksum}.json # Detected conflicts └── last-scan-{checksum}.txt # Scan timestamp
Cache Invalidation:
- Automatic on package file changes (checksum mismatch)
- Manual via
rm -rf .claude/cache/license-check/ - 7-day TTL for unchanged projects
Performance Characteristics
Best Case (no changes, cache hit):
- Token cost: ~400 tokens
- Time: <2 seconds
- Outcome: "✓ No dependency changes, license compliance unchanged"
Typical Case (changed deps, cache hit):
- Token cost: ~600 tokens
- Time: ~5 seconds
- Outcome: Analyze only new/changed packages
Worst Case (full audit, no cache):
- Token cost: ~1,500 tokens
- Time: ~15 seconds
- Outcome: Complete license compliance report
Conflict Case (issues found):
- Token cost: ~900 tokens
- Time: ~10 seconds
- Outcome: Progressive disclosure of conflicts, warnings, recommendations
Phase 1: License Detection
#!/bin/bash # Detect project licenses and dependency managers detect_license_info() { echo "=== License Detection ===" echo "" # Check project license if [ -f "LICENSE" ] || [ -f "LICENSE.md" ] || [ -f "LICENSE.txt" ]; then echo "✓ Project license file found" PROJECT_LICENSE=$(head -5 LICENSE* | grep -i -o "MIT\|Apache\|GPL\|BSD\|ISC" | head -1) if [ -n "$PROJECT_LICENSE" ]; then echo " Project license: $PROJECT_LICENSE" fi else echo "⚠️ No project license file found" fi # Check package.json license field if [ -f "package.json" ]; then PKG_LICENSE=$(grep -o '"license"[[:space:]]*:[[:space:]]*"[^"]*"' package.json | cut -d'"' -f4) if [ -n "$PKG_LICENSE" ]; then echo " package.json license: $PKG_LICENSE" fi fi echo "" # Detect package managers MANAGERS=() if [ -f "package.json" ]; then echo "✓ Node.js project detected" MANAGERS+=("npm") fi if [ -f "requirements.txt" ] || [ -f "setup.py" ] || [ -f "pyproject.toml" ]; then echo "✓ Python project detected" MANAGERS+=("pip") fi if [ -f "Gemfile" ]; then echo "✓ Ruby project detected" MANAGERS+=("bundler") fi if [ -f "go.mod" ]; then echo "✓ Go project detected" MANAGERS+=("go") fi if [ -f "Cargo.toml" ]; then echo "✓ Rust project detected" MANAGERS+=("cargo") fi if [ -f "composer.json" ]; then echo "✓ PHP project detected" MANAGERS+=("composer") fi echo "" } detect_license_info
Phase 2: Node.js License Analysis
#!/bin/bash # Comprehensive Node.js license checking check_npm_licenses() { echo "=== Node.js License Analysis ===" echo "" # Install license-checker if not available if ! command -v license-checker &> /dev/null; then echo "Installing license-checker..." npm install -g license-checker fi # Generate license report echo "Scanning dependencies..." license-checker --json --production > .licenses.json 2>/dev/null if [ ! -f ".licenses.json" ]; then echo "❌ Failed to generate license report" exit 1 fi # License categories PERMISSIVE_LICENSES=("MIT" "Apache-2.0" "BSD-2-Clause" "BSD-3-Clause" "ISC" "0BSD") WEAK_COPYLEFT=("LGPL-2.1" "LGPL-3.0" "MPL-2.0") STRONG_COPYLEFT=("GPL-2.0" "GPL-3.0" "AGPL-3.0") PROBLEMATIC=("CC-BY-NC" "Commons Clause" "Unlicense" "WTFPL") echo "" echo "=== License Summary ===" echo "" # Count licenses total_packages=$(cat .licenses.json | grep -c '"licenses":') echo "Total packages: $total_packages" echo "" # Categorize licenses echo "License breakdown:" cat .licenses.json | grep -o '"licenses":"[^"]*"' | sort | uniq -c | sort -rn | while read count license; do license_name=$(echo "$license" | cut -d'"' -f4) printf " %-30s %5d\n" "$license_name" "$count" done echo "" } check_npm_licenses
Identify License Issues
#!/bin/bash # Detect license compliance issues detect_license_issues() { echo "=== License Compliance Issues ===" echo "" ISSUES_FOUND=false # Check for strong copyleft licenses echo "Checking for copyleft licenses..." COPYLEFT_PKGS=$(cat .licenses.json | grep -E "GPL-[23]\.0|AGPL" | grep -o '"[^"]*@[^"]*":') if [ -n "$COPYLEFT_PKGS" ]; then echo "❌ STRONG COPYLEFT licenses found (may require source disclosure):" echo "$COPYLEFT_PKGS" | sed 's/"//g' | sed 's/://g' | sed 's/^/ - /' echo "" echo "⚠️ WARNING: GPL/AGPL licenses may require:" echo " - Source code disclosure" echo " - Same license for derivative works" echo " - Patent grants" echo "" ISSUES_FOUND=true else echo "✓ No strong copyleft licenses detected" fi echo "" # Check for weak copyleft licenses echo "Checking for weak copyleft licenses..." WEAK_COPYLEFT_PKGS=$(cat .licenses.json | grep -E "LGPL|MPL-2\.0" | grep -o '"[^"]*@[^"]*":') if [ -n "$WEAK_COPYLEFT_PKGS" ]; then echo "⚠️ WEAK COPYLEFT licenses found:" echo "$WEAK_COPYLEFT_PKGS" | sed 's/"//g' | sed 's/://g' | sed 's/^/ - /' echo "" echo "Note: LGPL allows usage if dynamically linked" echo "MPL-2.0 requires modified files to be open-sourced" echo "" else echo "✓ No weak copyleft licenses detected" fi echo "" # Check for custom/unknown licenses echo "Checking for custom/unknown licenses..." CUSTOM_LICENSES=$(cat .licenses.json | grep -o '"licenses":"[^"]*"' | grep -v -E "MIT|Apache|BSD|ISC|GPL|LGPL|MPL|CC0" | grep -v "UNKNOWN") if [ -n "$CUSTOM_LICENSES" ]; then echo "⚠️ Custom/uncommon licenses found (manual review needed):" echo "$CUSTOM_LICENSES" | sed 's/"licenses":"//g' | sed 's/"//g' | sort -u | sed 's/^/ - /' echo "" ISSUES_FOUND=true else echo "✓ All licenses are standard OSI-approved" fi echo "" # Check for packages without licenses echo "Checking for unlicensed packages..." UNLICENSED=$(cat .licenses.json | grep '"licenses":"UNKNOWN\|UNLICENSED"' | grep -o '"[^"]*@[^"]*":') if [ -n "$UNLICENSED" ]; then echo "❌ Packages without clear licenses:" echo "$UNLICENSED" | sed 's/"//g' | sed 's/://g' | sed 's/^/ - /' echo "" echo "Action: Contact package authors or find alternatives" echo "" ISSUES_FOUND=true else echo "✓ All packages have declared licenses" fi echo "" if [ "$ISSUES_FOUND" = true ]; then echo "⚠️ License compliance issues detected" echo "Review recommendations above" else echo "✓ No critical license issues found" echo "All dependencies use permissive licenses" fi echo "" } detect_license_issues
Phase 3: Python License Analysis
#!/bin/bash # Python license checking check_python_licenses() { echo "=== Python License Analysis ===" echo "" # Install pip-licenses if not available if ! command -v pip-licenses &> /dev/null; then echo "Installing pip-licenses..." pip install pip-licenses fi # Generate license report echo "Scanning Python dependencies..." pip-licenses --format=json --with-urls > .pip-licenses.json 2>/dev/null if [ ! -f ".pip-licenses.json" ]; then echo "❌ Failed to generate license report" exit 1 fi echo "" echo "=== License Summary ===" echo "" # Count packages total_packages=$(cat .pip-licenses.json | grep -c '"Name":') echo "Total packages: $total_packages" echo "" # License breakdown echo "License breakdown:" cat .pip-licenses.json | grep -o '"License":"[^"]*"' | sort | uniq -c | sort -rn | while read count license; do license_name=$(echo "$license" | cut -d'"' -f4) printf " %-40s %5d\n" "$license_name" "$count" done echo "" # Check for problematic licenses echo "Checking for problematic licenses..." GPL_PKGS=$(cat .pip-licenses.json | grep -B 1 '"License":".*GPL' | grep '"Name":' | cut -d'"' -f4) if [ -n "$GPL_PKGS" ]; then echo "⚠️ GPL-licensed packages:" echo "$GPL_PKGS" | sed 's/^/ - /' echo "" else echo "✓ No GPL licenses found" fi rm -f .pip-licenses.json echo "" } check_python_licenses
Phase 4: License Conflict Detection
#!/bin/bash # Detect incompatible license combinations check_license_conflicts() { echo "=== License Conflict Detection ===" echo "" PROJECT_LICENSE="${1:-MIT}" # Default to MIT if not specified echo "Project license: $PROJECT_LICENSE" echo "" # Define compatibility rules check_compatibility() { local project_lic="$1" local dep_lic="$2" case "$project_lic" in MIT|Apache-2.0|BSD-*|ISC) # Permissive licenses are compatible with most licenses case "$dep_lic" in *GPL*|*AGPL*) echo "CONFLICT" ;; *) echo "OK" ;; esac ;; LGPL-*) # LGPL can use MIT/Apache but not GPL case "$dep_lic" in GPL-*|AGPL-*) echo "CONFLICT" ;; *) echo "OK" ;; esac ;; GPL-*|AGPL-*) # GPL can use anything except incompatible GPL versions echo "OK" ;; *) echo "UNKNOWN" ;; esac } CONFLICTS_FOUND=false # Check each dependency license if [ -f ".licenses.json" ]; then cat .licenses.json | grep -o '"[^"]*@[^"]*":[^}]*"licenses":"[^"]*"' | while IFS=: read package info; do pkg_name=$(echo "$package" | sed 's/"//g') dep_license=$(echo "$info" | grep -o '"licenses":"[^"]*"' | cut -d'"' -f4) compatibility=$(check_compatibility "$PROJECT_LICENSE" "$dep_license") if [ "$compatibility" = "CONFLICT" ]; then echo "❌ CONFLICT: $pkg_name ($dep_license)" CONFLICTS_FOUND=true fi done fi if [ "$CONFLICTS_FOUND" = false ]; then echo "✓ No license conflicts detected" fi echo "" } check_license_conflicts "$PROJECT_LICENSE"
Phase 5: Generate Compliance Report
#!/bin/bash # Generate comprehensive license compliance report generate_compliance_report() { local output="${1:-LICENSE_COMPLIANCE_REPORT.md}" echo "=== Generating Compliance Report ===" echo "" cat > "$output" << EOF # License Compliance Report **Generated:** $(date +"%Y-%m-%d %H:%M:%S") **Project:** $(basename $(pwd)) ## Executive Summary EOF # Add project license if [ -f "LICENSE" ]; then echo "**Project License:** $(head -5 LICENSE | grep -i -o "MIT\|Apache\|GPL\|BSD\|ISC" | head -1)" >> "$output" fi echo "" >> "$output" # Add statistics if [ -f ".licenses.json" ]; then total=$(cat .licenses.json | grep -c '"licenses":') echo "**Total Dependencies:** $total" >> "$output" echo "" >> "$output" # License breakdown echo "## License Distribution" >> "$output" echo "" >> "$output" echo "| License | Count |" >> "$output" echo "|---------|-------|" >> "$output" cat .licenses.json | grep -o '"licenses":"[^"]*"' | sort | uniq -c | sort -rn | while read count license; do license_name=$(echo "$license" | cut -d'"' -f4) echo "| $license_name | $count |" >> "$output" done echo "" >> "$output" fi # Add compliance status cat >> "$output" << EOF ## Compliance Status ### ✅ Permissive Licenses (Safe for Commercial Use) - MIT - Apache-2.0 - BSD (2-Clause, 3-Clause) - ISC ### ⚠️ Weak Copyleft (Review Required) - LGPL (requires dynamic linking) - MPL-2.0 (modified files must be open-sourced) ### ❌ Strong Copyleft (Commercial Risk) - GPL-2.0, GPL-3.0 - AGPL-3.0 EOF # Add detailed dependency list echo "## Detailed Dependency Licenses" >> "$output" echo "" >> "$output" if [ -f ".licenses.json" ]; then echo "| Package | License | Repository |" >> "$output" echo "|---------|---------|------------|" >> "$output" cat .licenses.json | python3 -c " import json, sys data = json.load(sys.stdin) for pkg, info in sorted(data.items()): license = info.get('licenses', 'Unknown') repo = info.get('repository', 'N/A') print(f'| {pkg} | {license} | {repo} |') " >> "$output" 2>/dev/null fi echo "" >> "$output" # Add recommendations cat >> "$output" << EOF ## Recommendations 1. **Document all dependencies** - Maintain THIRD_PARTY_LICENSES file 2. **Monitor license changes** - Run this check before releases 3. **Legal review** - Consult legal counsel for GPL/AGPL dependencies 4. **Update policy** - Define acceptable licenses for the project 5. **Regular audits** - Quarterly license compliance checks ## Action Items - [ ] Review all copyleft licenses - [ ] Replace problematic dependencies if necessary - [ ] Update THIRD_PARTY_LICENSES file - [ ] Add license checking to CI/CD pipeline - [ ] Document license compliance policy ## Tools Used - license-checker (Node.js) - pip-licenses (Python) - Manual LICENSE file analysis ## Notes This report is for informational purposes. Consult legal counsel for specific compliance questions. EOF echo "✓ Compliance report generated: $output" echo "" } generate_compliance_report "$1"
Phase 6: THIRD_PARTY_LICENSES Generation
#!/bin/bash # Generate THIRD_PARTY_LICENSES file generate_third_party_licenses() { local output="${1:-THIRD_PARTY_LICENSES.txt}" echo "=== Generating Third-Party Licenses ===" echo "" cat > "$output" << EOF THIRD-PARTY SOFTWARE LICENSES This file contains the licenses for third-party software used in this project. Generated: $(date +"%Y-%m-%d") ================================================================================ EOF # Node.js dependencies if [ -f "package.json" ]; then echo "Node.js Dependencies" >> "$output" echo "===================" >> "$output" echo "" >> "$output" license-checker --plainVertical >> "$output" 2>/dev/null echo "" >> "$output" fi # Python dependencies if [ -f "requirements.txt" ]; then echo "Python Dependencies" >> "$output" echo "==================" >> "$output" echo "" >> "$output" pip-licenses --format=plain-vertical >> "$output" 2>/dev/null echo "" >> "$output" fi echo "✓ Third-party licenses file generated: $output" echo "" } generate_third_party_licenses "$1"
Phase 7: CI/CD Integration
#!/bin/bash # Add license checking to CI/CD add_license_check_to_ci() { echo "=== Adding License Check to CI/CD ===" echo "" # GitHub Actions workflow if [ -d ".github/workflows" ]; then cat > .github/workflows/license-check.yml << 'EOF' name: License Compliance Check on: pull_request: branches: [main, master] push: branches: [main, master] schedule: - cron: '0 0 * * 0' # Weekly on Sunday jobs: license-check: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Setup Node.js uses: actions/setup-node@v4 with: node-version: '20' - name: Install dependencies run: npm ci - name: Install license-checker run: npm install -g license-checker - name: Check licenses run: | license-checker --production --failOn "GPL-2.0;GPL-3.0;AGPL-3.0" - name: Generate license report if: always() run: | license-checker --json --production > licenses.json - name: Upload license report if: always() uses: actions/upload-artifact@v4 with: name: license-report path: licenses.json EOF echo "✓ GitHub Actions workflow created" fi # Pre-commit hook if [ -d ".git/hooks" ]; then cat > .git/hooks/pre-commit-license-check << 'EOF' #!/bin/bash # Pre-commit license compliance check echo "Checking license compliance..." if [ -f "package.json" ]; then license-checker --production --failOn "GPL-2.0;GPL-3.0;AGPL-3.0" || { echo "" echo "❌ License compliance check failed!" echo "Run: /license-check to review licenses" exit 1 } fi echo "✓ License compliance check passed" EOF chmod +x .git/hooks/pre-commit-license-check echo "✓ Pre-commit hook created" fi echo "" } add_license_check_to_ci
Practical Examples
Full compliance check:
/license-check /license-check --report
Specific focus:
/license-check --commercial # Check for commercial compatibility /license-check --gpl # Find GPL licenses /license-check --conflicts # Detect conflicts
Generate documentation:
/license-check --generate-report /license-check --third-party-licenses
Best Practices
License Management:
- ✅ Check licenses before adding dependencies
- ✅ Document all third-party software
- ✅ Review licenses quarterly
- ✅ Update LICENSE file when dependencies change
- ✅ Automate checks in CI/CD
Red Flags:
- ❌ GPL/AGPL in proprietary software
- ❌ Unlicensed dependencies
- ❌ Custom licenses without review
- ❌ License changes in updates
Integration Points
- Combined security and license audit/dependency-audit
- Add license checks to CI pipeline/ci-setup
- Generate compliance documentation/docs
What I'll Actually Do
- Detect licenses - Scan all dependencies
- Categorize - Group by license type
- Find conflicts - Check compatibility
- Generate reports - Create compliance documentation
- Provide guidance - Actionable recommendations
Important: I will NEVER:
- Provide legal advice (consult a lawyer)
- Ignore license violations
- Auto-accept copyleft licenses
- Add AI attribution
All license analysis will be thorough, accurate, and well-documented. This is informational only - consult legal counsel for compliance decisions.
Credits: Based on license-checker, pip-licenses, and OSI license compatibility guidelines.