How to Monitor Dependency Vulnerabilities with OpenClaw in Paradime

Feb 26, 2026

Automate Dependency Vulnerability Scanning with Paradime, OpenClaw, and OSV/NVD APIs

Every open-source dependency you ship is a liability until you prove it's clean. Most data teams discover critical CVEs only after an incident, not before. This guide gives you a repeatable, outcome-driven workflow (measure → identify → fix → validate) wired into Paradime's Bolt scheduler and powered by an OpenClaw AI agent that scans your GitHub repos against the NVD and OSV vulnerability databases daily.

By the end of this walkthrough, you will have a fully operational pipeline that:

  • Reads dependency files (requirements.txt, package.json, packages.yml) from every repo in your GitHub org

  • Checks each package and version against the NIST NVD and Google OSV vulnerability databases

  • Alerts your team on Slack whenever a Critical or High severity CVE is found

  • Runs on a daily cron schedule via Paradime Bolt—zero manual babysitting

What Is Paradime?

Paradime is the all-in-one AI platform that replaces dbt Cloud™. It provides a dbt™-native workspace where analytics and data engineering teams code, ship, fix, and scale data pipelines—all from one place.

Key capabilities relevant to this guide:

| Feature | What It Does |
| --- | --- |
| Code IDE | AI-native IDE with DinoAI for dbt™ and Python development |
| Bolt | Production scheduler for dbt™ orchestration, CI/CD, and custom jobs |
| Radar | FinOps module for Snowflake/BigQuery cost reduction |
| Environment Variables | Secure secrets management for Bolt schedules |

Bolt is the scheduling backbone of this workflow. It supports cron-based triggers, on-merge triggers, API triggers, and chained schedule triggers—all configurable as code via YAML or through the UI.

What Is OpenClaw?

OpenClaw is an open-source autonomous AI agent that runs on your own hardware and integrates with messaging platforms like Slack, WhatsApp, Telegram, Discord, and Microsoft Teams.

OpenClaw uses Skills—directories containing a SKILL.md file with YAML frontmatter and Markdown instructions—to teach the agent how to use tools. Skills can invoke bash commands, call APIs, and chain complex workflows.

Skills are configured in ~/.openclaw/openclaw.json:

The key advantage: OpenClaw agents can execute real commands on your infrastructure, making them ideal for automated security scanning workflows that need to call multiple APIs and parse structured data.

Architecture Overview

Before diving into the implementation, here's the end-to-end architecture:

Figure 1: End-to-end dependency vulnerability scanning workflow orchestrated by Paradime Bolt and executed by an OpenClaw agent.

Setup: openclaw-sdk + GitHub API + NVD/OSV API

Prerequisites

| Tool | Version | Purpose |
| --- | --- | --- |
| OpenClaw | Latest (npm i -g openclaw) | AI agent runtime |
| Node.js | 18+ | OpenClaw runtime |
| curl / jq | System | API calls and JSON parsing |
| GitHub PAT | repo scope | Read dependency files from repos |
| NVD API Key | Request at nvd.nist.gov | Higher rate limits for NVD queries |

Step 1: Install OpenClaw

Verify the installation:

Step 2: Create the Skill Directory

Step 3: Obtain API Credentials

  1. GitHub Personal Access Token: Go to github.com/settings/tokens → Generate new token → Select repo scope.

  2. NVD API Key (optional but recommended for rate limits): Request at nvd.nist.gov.

  3. Slack Incoming Webhook: Create a Slack App → Enable Incoming Webhooks → Add to channel → Copy URL.

Environment Variables: GITHUB_TOKEN, OPENCLAW_API_KEY, SLACK_WEBHOOK_URL

Configure in OpenClaw

Add your credentials to ~/.openclaw/openclaw.json:

Configure in Paradime Bolt

For Bolt to trigger the OpenClaw agent, it needs the same secrets at the schedule level:

  1. Navigate to Settings → Workspaces → Environment Variables in Paradime

  2. In the Bolt Schedules section, click Add New

  3. Add each variable:

| Variable Name | Value | Description |
| --- | --- | --- |
| GITHUB_TOKEN | ghp_xxxxx | GitHub Personal Access Token |
| NVD_API_KEY | nvd-key-xxx | NIST NVD API key |
| SLACK_WEBHOOK_URL | https://hooks.slack.com/... | Slack channel webhook |

Tip: You can override environment variables at the schedule level if you need different credentials per schedule—for example, scanning staging vs. production repos.

Figure 2: Environment variable precedence—schedule-level overrides take priority over global workspace values.

Script: Read Dependency Files, Check Vulnerability Databases, Alert on Critical/High CVEs

This is the core of the workflow. We'll build an OpenClaw skill that:

  1. Fetches dependency files from GitHub repos

  2. Parses package names and versions

  3. Queries OSV and NVD for known vulnerabilities

  4. Filters for Critical and High severity

  5. Sends a Slack alert

The SKILL.md File

Create ~/.openclaw/workspace/skills/vuln-scanner/SKILL.md:

The scan_deps.sh Script

Create ~/.openclaw/workspace/skills/vuln-scanner/scan_deps.sh:
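
The page's bash script is not reproduced here; the following added example, not the author's or the project's code, shows the same core logic in Python: exact-pin parsing of requirements.txt, the request body for OSV's POST /v1/query with ecosystem names normalised to the case OSV expects, and the Critical/High filter that produces the [IDENTIFY] findings. The function names, the use of database_specific.severity as the severity label, and the sample input are assumptions; CVE-2024-34064 in jinja2@3.1.3 is the page's own example.

```python
# Added example (not the page's scan_deps.sh): the requirements parsing, OSV
# query building and Critical/High filtering it performs, in Python, offline.
import re

# OSV ecosystem names are case-sensitive ("PyPI", "npm"); normalise the
# common misspellings so a query does not silently return {"vulns": []}.
ECOSYSTEMS = {"pypi": "PyPI", "npm": "npm"}


def parse_requirements(text):
    """(name, version) pairs for exact '==' pins only. Specifiers such as
    >=3.1.0 are skipped because OSV needs one concrete version."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][\w.\-+]*)$", line)
        if m:
            pins.append((m.group(1).lower(), m.group(2)))
    return pins


def osv_query(ecosystem, name, version):
    """Request body for POST https://api.osv.dev/v1/query."""
    eco = ECOSYSTEMS.get(ecosystem.lower(), ecosystem)
    return {"package": {"name": name, "ecosystem": eco}, "version": version}


def critical_high(osv_response, name, version):
    """Keep CRITICAL/HIGH vulns only. Assumption: the label is read from
    database_specific.severity (GHSA-sourced OSV records carry it) and the
    CVE id from the record's aliases, falling back to the OSV id."""
    findings = []
    for vuln in osv_response.get("vulns", []):
        sev = str(vuln.get("database_specific", {}).get("severity", "")).upper()
        if sev not in ("CRITICAL", "HIGH"):
            continue
        cves = [a for a in vuln.get("aliases", []) if a.startswith("CVE-")]
        findings.append({"cve": cves[0] if cves else vuln["id"],
                         "severity": sev, "package": f"{name}@{version}"})
    return findings


# Constructed sample: pinned requirements + OSV-style response (ids made up).
SAMPLE_REQS = "jinja2==3.1.3  # pinned\nrequests>=2.0\n"
SAMPLE_OSV = {"vulns": [
    {"id": "GHSA-xxxx-xxxx-xxxx", "aliases": ["CVE-2024-34064"],
     "database_specific": {"severity": "HIGH"}},
    {"id": "OSV-CONSTRUCTED-2", "database_specific": {"severity": "MEDIUM"}},
]}
```

Running critical_high over SAMPLE_OSV yields one finding, CVE-2024-34064 (HIGH) in jinja2@3.1.3, which is the line the page's [IDENTIFY] marker reports; the MEDIUM record is dropped.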

Make the script executable:

The Measure → Identify → Fix → Validate Workflow

Figure 3: The repeatable Measure → Identify → Fix → Validate loop that runs every day via Bolt.

Each phase maps directly to the script:

| Phase | What Happens | Script Output |
| --- | --- | --- |
| Measure | Enumerate repos, fetch dependency files, count packages | [MEASURE] Found 42 repositories to scan |
| Identify | Query OSV/NVD per package+version, match against known CVEs | [IDENTIFY] ⚠️ CVE-2024-34064 (HIGH) found in jinja2@3.1.3 |
| Fix | Filter for Critical/High, generate structured JSON report | [FIX] 7 Critical/High vulnerabilities found |
| Validate | Send Slack alert, log metrics, confirm delivery | [VALIDATE] Slack alert sent successfully |

Bolt Schedule: Cron Daily

Now wire the OpenClaw vulnerability scanner into Paradime Bolt so it runs automatically every day.

Option 1: Schedules as Code (YAML)

Add the following to your paradime_schedules.yml:

Verify the schedule configuration:

Perform a dry run:

Option 2: Bolt UI

  1. Navigate to Bolt in Paradime

  2. Click Create Schedule

  3. Configure:

  4. Click Deploy

Trigger Type Cheatsheet

Bolt supports four trigger types:

| Trigger | When to Use | Example |
| --- | --- | --- |
| Scheduled Run | Fixed cadence (daily/hourly) | 0 6 * * * (daily at 6 AM) |
| On Run Completion | Chain after another schedule | Run vuln scan after dbt build completes |
| On Merge | Scan on every merge to main | Catch new dependencies immediately |
| Bolt API | Trigger programmatically | Kick off scan from CI/CD pipeline |

Pro tip: For maximum coverage, combine a daily cron schedule with an On Merge trigger. The daily scan catches existing vulnerabilities; the on-merge scan catches new dependencies the moment they land.

Figure 4: Multiple trigger types feeding into a single Bolt schedule for comprehensive coverage.

Monitoring and Debugging

Once your schedule is live, Paradime provides rich observability tools to ensure your vulnerability scanner runs reliably.

Run Log History

Navigate to Bolt → Schedules → daily-dependency-vuln-scan → Run History to access:

  • Execution Time History: A 30-day graphical view showing success/error rates, execution duration trends, and skipped runs

  • Run History Table: Detailed list of all executions with Run ID, status (Success/Error/Skipped), trigger source, branch, timestamp, and duration

Analyzing Individual Runs

Click any Run ID to drill into:

| Tab | What It Shows |
| --- | --- |
| Summary | Completion status, duration, success metrics, warnings/errors, and suggested corrective actions |
| Console Logs | Line-by-line command execution output; look for the [MEASURE], [IDENTIFY], [FIX], and [VALIDATE] markers from the scanner script |
| Debug Logs | In-depth technical details: system interactions, resource allocation, connection status |
| Integration Logs | Payload sent to connected integrations (Slack, Jira, etc.) after the Bolt run completes |

Artifacts

Each run produces downloadable artifacts:

  • Run SQL / Compiled SQL: Not applicable for this custom command, but available for dbt™ schedules

  • run_results.json: Execution outcomes

  • manifest.json: Project structure

Setting Up Alerts on Bolt Failures

If the scanner itself fails (network error, API rate limit, auth issue), configure Bolt notifications:

  1. In the schedule configuration, set Notifications → On Failure to your team's Slack channel or email

  2. This is separate from the vulnerability alerts—it monitors the health of the scanner itself

Figure 5: Dual notification strategy—the script alerts on vulnerabilities, Bolt alerts on scanner failures.

Troubleshooting Common Issues

1. GitHub API Rate Limiting

Symptom: 403 Forbidden or rate limit exceeded errors in Console Logs.

Fix:

  • Ensure GITHUB_TOKEN is set correctly—authenticated requests get 5,000 requests/hour vs. 60 unauthenticated

  • If scanning 100+ repos with many dependency files, add pagination and backoff logic to the script

  • Verify the token has repo scope

2. NVD API Throttling

Symptom: Empty responses or 403 from NVD after ~5 requests.

Fix:

  • Without an API key: 5 requests per 30-second window

  • With an API key: 50 requests per 30-second window

  • The script includes a sleep 1 between requests—increase to sleep 6 if running without a key

  • Request a free NVD API key
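
Troubleshooting items 1 and 2 both come down to request pacing. The following added example, mine rather than the page's script, generalises the fixed `sleep 6` into a sliding-window limiter sized from the NVD quotas quoted above (5 per 30 s without a key, 50 with one) and shows how to read baseSeverity out of an NVD 2.0 CVE record, since the same record can carry CVSS v3.1, v3.0 or v2 metrics. The NvdPacer name and the injectable clock/sleeper are assumptions, and the CVE record is constructed.

```python
# Added example, not from the page's script: pacing NVD calls to the windows
# the page states (5 per 30 s without a key, 50 with one) and reading the
# CVSS severity out of an NVD 2.0 CVE record with version fallbacks.
import time
from collections import deque

WINDOW_SECONDS = 30


class NvdPacer:
    """Sliding-window limiter: each call waits until fewer than `limit`
    requests fall inside the last 30 s. clock/sleeper are injectable."""
    def __init__(self, api_key=None, clock=time.monotonic, sleeper=time.sleep):
        self.limit = 50 if api_key else 5
        self.clock, self.sleeper = clock, sleeper
        self.sent = deque()

    def wait_turn(self):
        """Block until a request may be sent; returns the seconds slept."""
        now = self.clock()
        while self.sent and now - self.sent[0] >= WINDOW_SECONDS:
            self.sent.popleft()          # drop timestamps outside the window
        waited = 0.0
        if len(self.sent) >= self.limit:
            waited = WINDOW_SECONDS - (now - self.sent[0])
            self.sleeper(waited)
            now += waited
            self.sent.popleft()          # oldest request has now aged out
        self.sent.append(now)
        return waited


def nvd_severity(cve):
    """baseSeverity from an NVD 2.0 'cve' object: CVSS v3.1 first, then v3.0;
    in cvssMetricV2 baseSeverity sits beside cvssData rather than inside it."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30"):
        for m in metrics.get(key, []):
            sev = m.get("cvssData", {}).get("baseSeverity")
            if sev:
                return sev.upper()
    for m in metrics.get("cvssMetricV2", []):
        if m.get("baseSeverity"):
            return m["baseSeverity"].upper()
    return "UNKNOWN"


# Constructed record in the shape of a /rest/json/cves/2.0 "cve" object.
SAMPLE_CVE = {"id": "CVE-2024-00000", "metrics": {"cvssMetricV31": [
    {"cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}
```

Call wait_turn() before each NVD request; without a key the sixth call inside a 30 s window sleeps until the first one ages out, which is the behaviour the `sleep 6` spacing approximates.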

3. OSV API Returns No Results

Symptom: {"vulns": []} for packages you know are vulnerable.

Fix:

  • Ecosystem names are case-sensitive: use PyPI (not pypi), npm (not NPM)

  • Ensure the version string is an exact match (e.g., 3.1.3 not >=3.1.0)

  • Test manually:

4. Slack Webhook Not Delivering

Symptom: Script says [VALIDATE] Slack alert sent successfully but no message in channel.

Fix:

  • Verify the webhook URL is still active (Slack deactivates unused webhooks)

  • Check the channel still exists and the Slack App is installed in it

  • Test the webhook directly:

5. OpenClaw Skill Not Loading

Symptom: Agent doesn't recognize the vuln_scanner skill.

Fix:

  • Verify the directory structure: ~/.openclaw/workspace/skills/vuln-scanner/SKILL.md must exist

  • Check that name in YAML frontmatter matches what you're invoking

  • Restart the OpenClaw gateway or ask the agent to "refresh skills"

  • Ensure enabled: true in ~/.openclaw/openclaw.json under skills.entries.vuln-scanner

6. Environment Variables Not Available in Bolt

Symptom: GITHUB_TOKEN is required error when Bolt runs the schedule.

Fix:

  • Environment variables must be created in Settings → Environment Variables → Bolt Schedules before they can be used

  • Only Admin roles can add or override environment variables

  • Schedule-level overrides take precedence over workspace-level values—check if an empty override is masking the global value

Quick Diagnostic Checklist

Figure 6: Step-by-step diagnostic flowchart for the most common failure modes.

Wrapping Up

You now have a production-grade dependency vulnerability scanner that:

  ✅ Measures: Enumerates every dependency across your GitHub org automatically
  ✅ Identifies: Cross-references each package+version against both NVD and OSV databases
  ✅ Fixes: Surfaces only Critical and High severity CVEs with actionable context
  ✅ Validates: Delivers Slack alerts and structured reports you can audit

The entire workflow runs hands-free on a daily Bolt cron schedule, with full observability through Bolt's run log history and run detail analysis.

What to Do Next

  1. Expand ecosystem coverage: Add parsers for go.mod, Cargo.toml, Gemfile.lock, and pom.xml to the scanner script

  2. Integrate with Jira/Linear: Instead of (or in addition to) Slack, create tickets for each Critical CVE automatically using Bolt's integration capabilities

  3. Add an On Merge trigger: Catch new vulnerable dependencies the moment they're merged, not just on the daily scan

  4. Track trends with dbt™: Store scan results in your warehouse and build dbt™ models to track vulnerability trends over time—measure whether your mean-time-to-remediation is actually improving

Key Resources

| Resource | Link |
| --- | --- |
| Paradime Bolt Docs | docs.paradime.io/app-help/documentation/bolt |
| Bolt Trigger Types | docs.paradime.io/.../trigger-types |
| Bolt Environment Variables | docs.paradime.io/.../environment-variables |
| OpenClaw Skills Docs | docs.openclaw.ai/tools/skills |
| OpenClaw Skills Config | docs.openclaw.ai/tools/skills-config |
| OSV API | google.github.io/osv.dev/post-v1-query |
| NVD CVE API | nvd.nist.gov/developers/vulnerabilities |
| Cron Expression Help | crontab.guru |

Stop discovering vulnerabilities after the breach. Start scanning proactively—every single day.

Interested in learning more?
Try out the free 14-day trial

Stop Managing Pipelines. Start Shipping Them.

Join the teams that replaced manual dbt™ workflows with agentic AI. Free to start, no credit card required.


Copyright © 2026 Paradime Labs, Inc. Made with ❤️ in San Francisco ・ London

*dbt® and dbt Core® are federally registered trademarks of dbt Labs, Inc. in the United States and various jurisdictions around the world. Paradime is not a partner of dbt Labs. All rights therein are reserved to dbt Labs. Paradime is not a product or service of or endorsed by dbt Labs, Inc.
