opendatahub-io/python-packaging-license-finder
helpers/skills/python-packaging-license-finder/SKILL.md
Use this skill to deterministically find license information for Python packages by checking PyPI metadata first, then falling back to Git repository LICENSE files using shallow cloning.
$ install --global
skillsauthnpx skillsauth add opendatahub-io/ai-helpers python-packaging-license-finderInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 5, 2026, 7:25 AM248.4s2 files scanned
SKILL.md
- name:
- python-packaging-license-finder
- description:
- Use this skill to deterministically find license information for Python packages by checking PyPI metadata first, then falling back to Git repository LICENSE files using shallow cloning.
- allowed-tools:
- Bash Skill
Python Package License Finder
This skill helps you deterministically find license information for Python packages using a two-step approach: first checking PyPI metadata, then searching the source repository if needed.
Instructions
When a user asks to find the license for a Python package, follow this deterministic process:
Step 0: Source URL Priority
If a source repository URL is provided by the caller, skip PyPI lookup entirely:
- Pass the URL directly to the
git:shallow-cloneskill - Search for LICENSE files in the cloned repository (see Step 2.3-2.4 below)
- Report the license found
You can also use the script with a source URL to trigger this flow:
./scripts/find_license.py <package_name> --source-url <url>
If no source URL is provided, proceed with Step 1.
Step 1: Check PyPI Metadata
First, attempt to find the license from PyPI using the package inspection script:
./scripts/find_license.py <package_name> [version]
If the script finds a license in the PyPI metadata, stop here and return the license name.
Step 2: Search Git Repository (if PyPI fails)
If no license is found in PyPI metadata, search the package's source repository:
- Get the source repository URL from the PyPI metadata (the script will provide it)
- Use the shallow-clone skill to clone the repository:
Skill: git:shallow-clone - Search for LICENSE files in the cloned repository:
find . -iname "license*" -o -iname "copying*" -o -iname "copyright*" | head -10 - Read the license file to identify the license type:
head -20 <license_file>
Step 3: Report Results
- License Found: Return the license name (e.g., "MIT License", "Apache-2.0", "GPL-3.0")
- License Not Found: Report that the license could not be determined
Usage Examples
Find License for Popular Package
./scripts/find_license.py requests
Expected: Find "Apache-2.0" from PyPI metadata
Find License for Package with Missing PyPI License
./scripts/find_license.py some-package
Expected: Fall back to repository search if PyPI metadata is incomplete
Specific Version Analysis
./scripts/find_license.py django 4.2.0
Expected: Find license for specific Django version
Error Handling
Package Not Found
- Verify package name spelling
- Check package availability on PyPI
- Suggest alternative package names
Repository Access Issues
- Report if source repository is unavailable
- Note private/restricted repositories
- Suggest manual license verification
License File Parsing
- Handle non-standard license file formats
- Report unclear or multiple licenses
- Recommend manual review for complex cases
Integration Notes
This skill complements:
- python-packaging-complexity - License info helps assess redistribution complexity
- python-packaging-license-checker - Provides license names for compatibility assessment
- python-packaging-source-finder - Uses similar PyPI metadata analysis
The skill focuses on finding license information, while license-checker focuses on assessing license compatibility for redistribution.
Related Skills
opendatahub-io/security-alert
tools
VerifiedTrustedCommunity
Use this skill to filter a pre-fetched set of Hacker News stories down to those that report supply-chain security threats relevant to software developers — including malicious packages on npm or PyPI, compromised developer tooling, and attacks targeting source code repositories or CI/CD infrastructure. Reads stories from stories.json in the workspace, performs semantic analysis (fetching HN threads when the title alone is ambiguous), and writes the stories worth alerting on to findings.json.
33SKILL.mdUpdated May 22, 2026
opendatahub-io/python-packaging-static-audit
development
VerifiedTrustedCommunity
Run hexora static analysis on a Python package repository to detect suspicious code patterns, then triage findings with deterministic rules and AI reasoning to produce a structured risk report section.
30SKILL.mdUpdated May 30, 2026
opendatahub-io/python-packaging-git-audit
development
VerifiedTrustedCommunity
Inspect recent git history of a Python package repository for suspicious commits touching supply-chain-sensitive files, then triage findings with AI reasoning to produce a structured risk report section.
30SKILL.mdUpdated May 30, 2026
opendatahub-io/python-packaging-binary-audit
development
VerifiedTrustedCommunity
Scan a Python package repository for compiled/binary files using Fromager-style detection and malcontent YARA analysis, then triage findings with deterministic rules and AI reasoning to produce a structured risk report section.
30SKILL.mdUpdated May 30, 2026