# Dependency integrity verifiable

## What this checks
Checks that the dependency integrity status is verifiable (not a known failure state).
## Why it matters
Unverifiable dependency integrity means supply-chain attacks could go undetected.
## How to fix it

This is an experimental informational control. It fires when OpenClaw's dependency lockfile is missing or mismatched, making it impossible to verify that installed packages match the expected versions.

**Step 1.** Check what's missing. Run the update status command to see the specific issue:

```
openclaw update status --json | jq '.update.deps'
```

**Step 2.** Run an update. The most reliable fix is to run a clean update, which will reinstall dependencies and regenerate the lockfile:

```
openclaw update
```

**Step 3.** If you installed via pnpm/npm manually, regenerate the lockfile from the OpenClaw install directory:

```
cd $(openclaw config path --dir)
pnpm install # or npm install
```

Note: on standard Homebrew installs, `deps.status = "unknown"` is expected and is not flagged as a finding. Only explicit error or mismatch states trigger this control.
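To make the firing rule concrete, here is an added Python example (not clawvitals or OpenClaw code) that classifies `openclaw update status --json` output the way this control is described above. The JSON layout under `.update.deps` and the `"ok"` status value are assumptions; the samples are constructed.

```python
"""Classify `openclaw update status --json` output for control NC-OC-007:
only explicit "error" / "mismatch" dependency states are findings; "unknown"
(or an absent field) is expected on some installs and is not flagged.
The field layout is assumed from the page's jq path `.update.deps`."""
import json
from typing import Optional

CONTROL_ID = "NC-OC-007"
FAILURE_STATES = {"error", "mismatch"}  # the only states the page says fire


def deps_status(update_status_json: str) -> str:
    """Return the deps status string, or "unknown" if the field is absent."""
    doc = json.loads(update_status_json)
    deps = doc.get("update", {}).get("deps") or {}
    # Normalise case so "Mismatch" and "mismatch" compare equal.
    return str(deps.get("status", "unknown")).lower()


def evaluate(update_status_json: str) -> Optional[dict]:
    """Return a finding dict when the control fires, otherwise None."""
    status = deps_status(update_status_json)
    if status not in FAILURE_STATES:
        return None  # "ok" (assumed value) or "unknown": nothing to report
    return {
        "control": CONTROL_ID,
        "severity": "Medium",
        "status": status,
        "fix": "openclaw update  # reinstalls deps and regenerates the lockfile",
    }


# Constructed samples (assumed field names), one per state worth checking.
SAMPLES = {
    "homebrew": '{"update": {"deps": {"status": "unknown"}}}',
    "pnpm_ok": '{"update": {"deps": {"status": "ok", "lockfile": "pnpm-lock.yaml"}}}',
    "mismatch": '{"update": {"deps": {"status": "mismatch", "lockfile": "pnpm-lock.yaml"}}}',
    "error": '{"update": {"deps": {"status": "error", "reason": "lockfile missing"}}}',
    "no_field": '{"update": {}}',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10} -> {evaluate(raw)}")
```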
## Technical details

| Field | Value |
|---|---|
| Control ID | NC-OC-007 |
| Domain | OC |
| Severity | Medium |
| Status | Experimental |
| Data source | update_status_json |
| Source type | contextual |
| Mode | Mode 1 (OpenClaw native) |
| Introduced in | Library v0.1.0 |
## False positive notes

Standard pnpm installs may show an 'unknown' status due to missing lockfiles; this is expected and does not indicate a problem.
## Suppress this finding

If this finding is intentional or not applicable to your setup, you can exclude it:

```
clawvitals exclude NC-OC-007 reason "your reason here"
```
Exclusions are auditable and expire automatically. See the exclusions guide.