@contextfort-ai/openclaw-secure 0.1.0

package/bin/openclaw-secure.js

@@ -0,0 +1,101 @@
+#!/usr/bin/env node
+const { execFileSync } = require('child_process');
+const path = require('path');
+const fs = require('fs');
+
+const os = require('os');
+const hook = path.join(__dirname, '..', 'openclaw-secure.js');
+const args = process.argv.slice(2);
+const CONFIG_DIR = path.join(os.homedir(), '.contextfort');
+const CONFIG_FILE = path.join(CONFIG_DIR, 'config');
+
+const binLink = process.argv[1];
+let installedScript;
+try {
+  const target = fs.readlinkSync(binLink);
+  installedScript = path.resolve(path.dirname(binLink), target);
+} catch {
+  installedScript = binLink;
+}
+const installedBinDir = path.dirname(installedScript);
+const packageDir = path.dirname(installedBinDir);
+const nodeModules = path.dirname(packageDir);
+const prefixDir = path.dirname(path.dirname(nodeModules));
+const binDir = path.join(prefixDir, 'bin');
+const realOpenclaw = path.join(nodeModules, 'openclaw', 'openclaw.mjs');
+const openclawLink = path.join(binDir, 'openclaw');
+const backupLink = path.join(binDir, '.openclaw-original');
+
+if (args[0] === 'set-key') {
+  const key = args[1];
+  if (!key) {
+    console.error('Usage: openclaw-secure set-key <your-api-key>');
+    console.error('Get your key at https://contextfort.ai');
+    process.exit(1);
+  }
+  fs.mkdirSync(CONFIG_DIR, { recursive: true });
+  fs.writeFileSync(CONFIG_FILE, key + '\n', { mode: 0o600 });
+  console.log('API key saved to ~/.contextfort/config');
+  process.exit(0);
+}
+
+if (args[0] === 'enable') {
+  // Check for API key first
+  let hasKey = false;
+  try { hasKey = fs.readFileSync(CONFIG_FILE, 'utf8').trim().length > 0; } catch {}
+  if (!hasKey) {
+    console.error('No API key found. Get your key at https://contextfort.ai and run:');
+    console.error('  openclaw-secure set-key <your-key>');
+    process.exit(1);
+  }
+  if (!process.env.ANTHROPIC_API_KEY) {
+    console.warn('Warning: ANTHROPIC_API_KEY not set. PostToolUse prompt injection scanning will be disabled.');
+    console.warn('Set it in your shell profile: export ANTHROPIC_API_KEY="sk-ant-..."');
+  }
+  if (!fs.existsSync(realOpenclaw)) {
+    console.error('openclaw not found. Install it first: npm install -g openclaw');
+    process.exit(1);
+  }
+  try {
+    const original = fs.readlinkSync(openclawLink);
+    fs.writeFileSync(backupLink, original);
+  } catch {}
+  const wrapper = path.relative(binDir, path.join(installedBinDir, 'openclaw-secure.js'));
+  fs.unlinkSync(openclawLink);
+  fs.symlinkSync(wrapper, openclawLink);
+  console.log('openclaw-secure enabled. `openclaw` is now guarded.');
+  process.exit(0);
+}
+
+if (args[0] === 'disable') {
+  try {
+    const original = fs.readFileSync(backupLink, 'utf8').trim();
+    fs.unlinkSync(openclawLink);
+    fs.symlinkSync(original, openclawLink);
+    fs.unlinkSync(backupLink);
+    console.log('openclaw-secure disabled. `openclaw` restored to original.');
+  } catch {
+    const rel = path.relative(binDir, realOpenclaw);
+    try { fs.unlinkSync(openclawLink); } catch {}
+    fs.symlinkSync(rel, openclawLink);
+    console.log('openclaw-secure disabled. `openclaw` restored.');
+  }
+  process.exit(0);
+}
+
+if (!fs.existsSync(realOpenclaw)) {
+  console.error('openclaw not found. Install it first: npm install -g openclaw');
+  process.exit(1);
+}
+
+try {
+  execFileSync('node', [realOpenclaw, ...args], {
+    stdio: 'inherit',
+    env: {
+      ...process.env,
+      NODE_OPTIONS: `--require ${hook} ${process.env.NODE_OPTIONS || ''}`
+    }
+  });
+} catch (e) {
+  process.exit(e.status || 1);
+}

package/monitor/analytics.js

@@ -0,0 +1,60 @@
+'use strict';
+
+const path = require('path');
+const crypto = require('crypto');
+
+const POSTHOG_API_KEY = 'phc_cZWMssbzbe6xXRAb0iO6aHTCaNTc50Tfvd60K8eMIwT';
+const POSTHOG_HOST = 'us.i.posthog.com';
+const ANALYTICS_DISABLED = ['1', 'true', 'yes'].includes(
+  (process.env.CONTEXTFORT_NO_ANALYTICS || '').toLowerCase()
+);
+
+module.exports = function createAnalytics({ httpsRequest, readFileSync, baseDir }) {
+  if (ANALYTICS_DISABLED || !httpsRequest) {
+    return { track() {} };
+  }
+
+  let installId = null;
+  const idFile = path.join(baseDir, 'monitor', '.install_id');
+  try {
+    installId = readFileSync(idFile, 'utf8').trim();
+  } catch {
+    installId = crypto.randomUUID();
+    try {
+      require('fs').writeFileSync(idFile, installId + '\n');
+    } catch {}
+  }
+
+  function track(event, properties) {
+    if (!installId) return;
+    const body = JSON.stringify({
+      api_key: POSTHOG_API_KEY,
+      event,
+      properties: {
+        distinct_id: installId,
+        ...properties,
+      },
+      timestamp: new Date().toISOString(),
+    });
+
+    try {
+      const req = httpsRequest({
+        hostname: POSTHOG_HOST,
+        port: 443,
+        path: '/capture/',
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'Content-Length': Buffer.byteLength(body),
+        },
+        timeout: 5000,
+      });
+      req.on('error', () => {});
+      req.on('timeout', () => { req.destroy(); });
+      req.write(body);
+      req.end();
+    } catch {}
+  }
+
+  return { track };
+};

package/monitor/analytics.py

@@ -0,0 +1,62 @@
+import os
+import uuid
+from pathlib import Path
+
+ANALYTICS_DISABLED = os.environ.get("CONTEXTFORT_NO_ANALYTICS", "").lower() in ("1", "true", "yes")
+
+POSTHOG_API_KEY = "phc_cZWMssbzbe6xXRAb0iO6aHTCaNTc50Tfvd60K8eMIwT"
+POSTHOG_HOST = "https://us.i.posthog.com"
+
+ID_FILE = Path(__file__).parent / ".install_id"
+
+_posthog = None
+
+def _get_posthog():
+    global _posthog
+    if _posthog is None and not ANALYTICS_DISABLED:
+        try:
+            from posthog import Posthog
+            _posthog = Posthog(project_api_key=POSTHOG_API_KEY, host=POSTHOG_HOST)
+        except ImportError:
+            pass
+    return _posthog
+
+def _get_install_id():
+    if ID_FILE.exists():
+        return ID_FILE.read_text().strip(), False
+    install_id = str(uuid.uuid4())
+    try:
+        ID_FILE.write_text(install_id)
+    except:
+        pass
+    return install_id, True
+
+_install_result = _get_install_id() if not ANALYTICS_DISABLED else (None, False)
+INSTALL_ID, _is_new_install = _install_result
+
+if _is_new_install and INSTALL_ID:
+    ph = _get_posthog()
+    if ph:
+        ph.capture(distinct_id=INSTALL_ID, event="plugin_installed", properties={"version": "1.0.0"})
+        ph.flush()
+
+
+def track(event: str, properties: dict = None):
+    if ANALYTICS_DISABLED or not INSTALL_ID:
+        return
+    try:
+        ph = _get_posthog()
+        if ph:
+            props = properties or {}
+            ph.capture(distinct_id=INSTALL_ID, event=event, properties=props)
+            ph.flush()
+    except:
+        pass
+
+
+def track_hook(hook_type: str):
+    track("hook_invoked", {"hook_type": hook_type})
+
+
+def track_block(rule_type: str):
+    track("security_event", {"rule_type": rule_type})

package/monitor/bash_guard/__init__.py

@@ -0,0 +1,7 @@
+"""
+Ported from Tirith (https://github.com/sheeki03/tirith)
+"""
+
+from .checker import check_command
+
+__all__ = ["check_command"]

package/monitor/bash_guard/checker.py

@@ -0,0 +1,13 @@
+from .checks import ALL_CHECKS
+
+
+def check_command(command: str):
+    """
+    Returns (rule_id, description) if threat detected, None otherwise.
+    """
+    for check in ALL_CHECKS:
+        result = check(command)
+        if result:
+            return result
+
+    return None

package/monitor/bash_guard/checks/__init__.py

@@ -0,0 +1,110 @@
+"""
+Bash security checks organized by category.
+"""
+
+from .command_shape import (
+    check_pipe_to_interpreter,
+    check_dotfile_overwrite,
+    check_archive_extract,
+)
+from .terminal import (
+    check_terminal_injection,
+    check_hidden_multiline,
+)
+from .transport import (
+    check_insecure_tls_flags,
+    check_shortened_url,
+    check_plain_http_to_sink,
+    check_schemeless_to_sink,
+    check_curl_upload,
+)
+from .ecosystem import (
+    check_docker_untrusted_registry,
+    check_pip_url_install,
+    check_npm_url_install,
+    check_web3_rpc,
+    check_web3_address,
+    check_git_typosquat,
+)
+from .environment import (
+    check_proxy_env_set,
+)
+from .path import (
+    check_non_ascii_path,
+    check_homoglyph_in_path,
+    check_double_encoding,
+)
+from .hostname import (
+    check_non_ascii_hostname,
+    check_mixed_script_in_label,
+    check_userinfo_trick,
+    check_confusable_domain,
+    check_invalid_host_chars,
+    check_trailing_dot_whitespace,
+    check_non_standard_port,
+    check_lookalike_tld,
+    check_punycode_domain,
+    check_raw_ip_url,
+)
+
+# All checks in recommended order
+COMMAND_SHAPE_CHECKS = [
+    check_pipe_to_interpreter,
+    check_dotfile_overwrite,
+    check_archive_extract,
+]
+
+TERMINAL_CHECKS = [
+    check_terminal_injection,
+    check_hidden_multiline,
+]
+
+TRANSPORT_CHECKS = [
+    check_insecure_tls_flags,
+    check_shortened_url,
+    check_plain_http_to_sink,
+    check_schemeless_to_sink,
+    check_curl_upload,
+]
+
+ECOSYSTEM_CHECKS = [
+    check_docker_untrusted_registry,
+    check_pip_url_install,
+    check_npm_url_install,
+    check_web3_rpc,
+    check_web3_address,
+    check_git_typosquat,
+]
+
+ENVIRONMENT_CHECKS = [
+    check_proxy_env_set,
+]
+
+PATH_CHECKS = [
+    check_non_ascii_path,
+    check_homoglyph_in_path,
+    check_double_encoding,
+]
+
+HOSTNAME_CHECKS = [
+    check_non_ascii_hostname,
+    check_mixed_script_in_label,
+    check_userinfo_trick,
+    check_confusable_domain,
+    check_invalid_host_chars,
+    check_trailing_dot_whitespace,
+    check_non_standard_port,
+    check_lookalike_tld,
+    check_punycode_domain,
+    check_raw_ip_url,
+]
+
+ALL_CHECKS = (
+    COMMAND_SHAPE_CHECKS +
+    TERMINAL_CHECKS +
+    TRANSPORT_CHECKS +
+    ECOSYSTEM_CHECKS +
+    ENVIRONMENT_CHECKS +
+    PATH_CHECKS +
+    HOSTNAME_CHECKS
+)

package/monitor/bash_guard/checks/command_shape.py

@@ -0,0 +1,84 @@
+from ..patterns import (
+    SOURCE_COMMANDS,
+    INTERPRETERS,
+    ARCHIVE_COMMANDS,
+    ARCHIVE_SENSITIVE_TARGETS,
+    DOTFILE_OVERWRITE_PATTERNS,
+)
+from .utils import split_commands
+
+
+def _check_pipe_to_interpreter_single(command):
+    """Check a single command (no && or ;) for pipe to interpreter."""
+    if "|" not in command:
+        return None
+
+    parts = command.split("|")
+    for i, part in enumerate(parts[1:], 1):
+        part_stripped = part.strip()
+        words = part_stripped.split()
+        if not words:
+            continue
+
+        cmd = words[0].lower().rsplit("/", 1)[-1]
+
+        if cmd in INTERPRETERS:
+            source_part = parts[i-1].strip().split()[0] if parts[i-1].strip() else "unknown"
+            source_cmd = source_part.rsplit("/", 1)[-1].lower()
+
+            if source_cmd == "curl":
+                return ("curl_pipe_shell", f"curl output piped to {cmd}")
+            elif source_cmd == "wget":
+                return ("wget_pipe_shell", f"wget output piped to {cmd}")
+            elif source_cmd in SOURCE_COMMANDS:
+                return ("pipe_to_interpreter", f"{source_cmd} output piped to interpreter: {cmd}")
+            else:
+                return ("pipe_to_interpreter", f"Output piped to interpreter: {cmd}")
+
+        if cmd in ("sudo", "env"):
+            for word in words[1:]:
+                word_lower = word.lower().rsplit("/", 1)[-1]
+                if word_lower in INTERPRETERS:
+                    return ("pipe_to_interpreter", f"Output piped to {cmd} {word_lower}")
+                if not word.startswith("-") and "=" not in word:
+                    break
+
+    return None
+
+
+def check_pipe_to_interpreter(command):
+    """Check for pipe to interpreter, handling && and ; separators."""
+    for subcmd in split_commands(command):
+        result = _check_pipe_to_interpreter_single(subcmd)
+        if result:
+            return result
+    return None
+
+
+def check_dotfile_overwrite(command):
+    if "> /dev/null" in command:
+        return None
+
+    for subcmd in split_commands(command):
+        for pattern in DOTFILE_OVERWRITE_PATTERNS:
+            if pattern in subcmd:
+                return ("dotfile_overwrite", f"Redirect to dotfile detected: {pattern}")
+
+    return None
+
+
+def check_archive_extract(command):
+    for subcmd in split_commands(command):
+        words = subcmd.split()
+        if not words:
+            continue
+
+        cmd = words[0].lower().rsplit("/", 1)[-1]
+        if cmd not in ARCHIVE_COMMANDS:
+            continue
+
+        for target in ARCHIVE_SENSITIVE_TARGETS:
+            if target in subcmd:
+                return ("archive_extract", f"Archive extraction to sensitive path: {target}")
+
+    return None

package/monitor/bash_guard/checks/ecosystem.py

@@ -0,0 +1,153 @@
+import re
+from ..patterns import (
+    TRUSTED_DOCKER_REGISTRIES,
+    TRUSTED_PIP_HOSTS,
+    TRUSTED_NPM_HOSTS,
+    WEB3_INDICATORS,
+    POPULAR_REPOS,
+)
+from .utils import levenshtein
+
+
+def check_docker_untrusted_registry(command):
+    words = command.split()
+    if len(words) < 3:
+        return None
+
+    cmd = words[0].lower()
+    if cmd not in ("docker", "podman", "nerdctl"):
+        return None
+
+    subcmd = words[1].lower()
+    if subcmd not in ("pull", "run", "create"):
+        return None
+
+    for word in words[2:]:
+        if word.startswith("-"):
+            continue
+
+        if "/" in word and ":" not in word.split("/")[0]:
+            registry = word.split("/")[0].lower()
+            if registry not in TRUSTED_DOCKER_REGISTRIES:
+                trusted = any(registry.endswith(f".{r}") for r in TRUSTED_DOCKER_REGISTRIES)
+                if not trusted and "." in registry:
+                    return ("docker_untrusted_registry", f"Docker image from untrusted registry: {registry}")
+        break
+
+    return None
+
+
+def check_pip_url_install(command):
+    words = command.split()
+    if len(words) < 2:
+        return None
+
+    cmd = words[0].lower()
+    if cmd not in ("pip", "pip3"):
+        return None
+
+    if "install" not in [w.lower() for w in words]:
+        return None
+
+    urls = re.findall(r'https?://([^/\s]+)', command)
+    for host in urls:
+        host_lower = host.lower()
+        if host_lower not in TRUSTED_PIP_HOSTS and not host_lower.endswith(".pypi.org"):
+            return ("pip_url_install", f"pip install from non-PyPI source: {host}")
+
+    for i, word in enumerate(words):
+        if word in ("--index-url", "-i", "--extra-index-url"):
+            if i + 1 < len(words):
+                url = words[i + 1]
+                match = re.search(r'https?://([^/\s]+)', url)
+                if match:
+                    host = match.group(1).lower()
+                    if host not in TRUSTED_PIP_HOSTS and not host.endswith(".pypi.org"):
+                        return ("pip_url_install", f"pip using non-PyPI index: {host}")
+
+    return None
+
+
+def check_npm_url_install(command):
+    words = command.split()
+    if len(words) < 2:
+        return None
+
+    cmd = words[0].lower()
+    if cmd not in ("npm", "npx", "yarn", "pnpm"):
+        return None
+
+    if "install" not in [w.lower() for w in words] and "add" not in [w.lower() for w in words]:
+        return None
+
+    for word in words:
+        if ".tgz" in word or "/npm/" in word:
+            match = re.search(r'https?://([^/\s]+)', word)
+            if match:
+                host = match.group(1).lower()
+                if host not in TRUSTED_NPM_HOSTS and not host.endswith(".npmjs.org"):
+                    return ("npm_url_install", f"npm install from non-registry source: {host}")
+
+    for i, word in enumerate(words):
+        if word == "--registry":
+            if i + 1 < len(words):
+                url = words[i + 1]
+                match = re.search(r'https?://([^/\s]+)', url)
+                if match:
+                    host = match.group(1).lower()
+                    if host not in TRUSTED_NPM_HOSTS and not host.endswith(".npmjs.org"):
+                        return ("npm_url_install", f"npm using non-registry source: {host}")
+
+    return None
+
+
+def check_web3_rpc(command):
+    if not any(ind in command for ind in ["/v1/", "/rpc", "/jsonrpc"]):
+        return None
+
+    command_lower = command.lower()
+    for indicator in WEB3_INDICATORS:
+        if indicator in command_lower:
+            return ("web3_rpc_endpoint", f"Web3 RPC endpoint detected: {indicator}")
+
+    return None
+
+
+def check_web3_address(command):
+    if re.search(r'0x[0-9a-fA-F]{40}', command):
+        return ("web3_address_in_url", "Ethereum address detected in command")
+
+    return None
+
+
+def check_git_typosquat(command):
+    words = command.split()
+    if len(words) < 2:
+        return None
+
+    cmd = words[0].lower()
+    if cmd != "git":
+        return None
+
+    if "clone" not in [w.lower() for w in words]:
+        return None
+
+    urls = re.findall(r'(?:https?://|git@)([^/\s:]+)[:/]([^/\s]+)/([^/\s]+?)(?:\.git)?(?:\s|$)', command)
+    for host, owner, repo in urls:
+        host_lower = host.lower()
+        if host_lower not in ("github.com", "gitlab.com", "bitbucket.org"):
+            continue
+
+        owner_lower = owner.lower()
+        repo_lower = repo.lower().rstrip('.git')
+
+        for pop_owner, pop_repo in POPULAR_REPOS:
+            po = pop_owner.lower()
+            pr = pop_repo.lower()
+
+            if owner_lower == po and levenshtein(repo_lower, pr) == 1:
+                return ("git_typosquat", f"Possible typosquat: {owner}/{repo} is 1 edit from {pop_owner}/{pop_repo}")
+            if repo_lower == pr and levenshtein(owner_lower, po) == 1:
+                return ("git_typosquat", f"Possible typosquat: {owner}/{repo} is 1 edit from {pop_owner}/{pop_repo}")
+
+    return None

package/monitor/bash_guard/checks/environment.py

@@ -0,0 +1,15 @@
+from ..patterns import PROXY_ENV_VARS
+
+
+def check_proxy_env_set(command):
+    for var in PROXY_ENV_VARS:
+        patterns = [
+            f"export {var}=",
+            f"{var}=",
+            f"set {var}=",
+        ]
+        for pattern in patterns:
+            if pattern in command:
+                return ("proxy_env_set", f"Proxy environment variable being set: {var}")
+
+    return None