@contextfort-ai/openclaw-secure 0.1.8 → 0.1.11

package/README.md

@@ -0,0 +1,65 @@
+# AntiVirus for ClawdBot: Prompt Injection Prevention (ashwin@contextfort.ai)
+
+Runtime controls for OpenClaw that intercepts child_process calls, enforces approval for external commands via Telegram, and detects prompt injection in command outputs.
+
+
+
+https://github.com/user-attachments/assets/93064c17-9644-403b-8328-1da8014dae89
+
+
+
+
+The runtime control live on Telegram.
+
+## Usage
+
+```bash
+./start-gateway-with-hook.sh
+```
+
+## Requirements
+
+- `~/.claude/hooks/.env` with `ANTHROPIC_API_KEY=sk-ant-...`
+- Telegram channel configured in OpenClaw
+
+## How It Works
+
+1. Hooks Node.js `child_process` module at startup
+2. Every spawn/exec call is intercepted before execution
+3. Read-only commands pass through immediately
+4. External/write commands require human approval on Telegram
+5. Command outputs are checked for prompt injection
+6. If injection detected, next external command is blocked with warning
+
+## Code References
+
+| What | Line |
+|------|------|
+| Command categories | `spawn-hook.js:104-108` |
+| Notion read-only detection | `spawn-hook.js:117-122` |
+| GitHub CLI read-only detection | `spawn-hook.js:124-130` |
+| Notion content extraction | `spawn-hook.js:141-156` |
+| Claude injection check | `spawn-hook.js:168-195` |
+| Main intercept logic | `spawn-hook.js:230-280` |
+
+## Command Categories
+
+**SKIP_USER_CONFIRMATION** (line 106) - Read-only, no external writes:
+- System info: `whoami`, `pwd`, `hostname`, `uname`, `sw_vers`
+- File reads: `ls`, `cat`, `head`, `tail`, `file`, `wc`
+- Network info: `arp`, `ifconfig`, `networksetup`, `scutil`
+- Notion/GitHub: GET requests, search queries, list/view subcommands
+
+**SKIP_RESPONSE_CHECK** (line 105) - Output cannot be attacker-influenced:
+- `whoami`, `pwd`, `echo`, `hostname`, `uname`
+
+**INTERNAL_COMMANDS** (line 107) - Always pass through, even with injection warning:
+- All local system commands that don't touch external services
+
+## Debug Mode
+
+```bash
+SPAWN_GATE_DEBUG=1 ./start-gateway-with-hook.sh
+```
+
+Logs to `spawn-gate.log`, audit trail in `spawn-audit.jsonl`.

package/bin/openclaw-secure.js

@@ -96,7 +96,11 @@ if (args[0] === 'dashboard') {
     else if (process.platform === 'win32') execSync(`start "" "${openUrl}"`);
   } catch {}
 
-  process.on('SIGINT', () => { server.close(); process.exit(0); });
+  process.on('SIGINT', () => {
+    if (server._tunnel) try { server._tunnel.kill(); } catch {}
+    server.close();
+    process.exit(0);
+  });
   // Keep alive — don't fall through
   return;
 }
@@ -250,6 +254,77 @@ if (args[0] === 'scan' || args[0] === 'solve') {
   return; // don't fall through — raw mode is async
 }
 
+if (args[0] === 'exfil-allow') {
+  const ALLOWLIST_FILE = path.join(CONFIG_DIR, 'exfil_allowlist.json');
+  const sub = args[1];
+
+  function readAllowlist() {
+    try { return JSON.parse(fs.readFileSync(ALLOWLIST_FILE, 'utf8')); }
+    catch { return { enabled: false, domains: [] }; }
+  }
+
+  function writeAllowlist(data) {
+    fs.mkdirSync(CONFIG_DIR, { recursive: true });
+    fs.writeFileSync(ALLOWLIST_FILE, JSON.stringify(data, null, 2) + '\n', { mode: 0o600 });
+  }
+
+  if (sub === 'list') {
+    const al = readAllowlist();
+    console.log(`\n  Exfil destination allowlist: ${al.enabled ? '\x1b[32menabled\x1b[0m (blocking non-allowed)' : '\x1b[33mdisabled\x1b[0m (log-only mode)'}`);
+    if (al.domains.length === 0) {
+      console.log('  No domains configured.\n');
+    } else {
+      console.log('  Allowed destinations:');
+      for (const d of al.domains) console.log(`    - ${d}`);
+      console.log();
+    }
+    process.exit(0);
+  }
+
+  if (sub === 'add') {
+    const domain = args[2];
+    if (!domain) { console.error('Usage: openclaw-secure exfil-allow add <domain>'); process.exit(1); }
+    const al = readAllowlist();
+    if (!al.domains.includes(domain)) al.domains.push(domain);
+    al.enabled = true;
+    writeAllowlist(al);
+    console.log(`  Added ${domain} to exfil allowlist. Blocking mode enabled.`);
+    console.log('  Restart your openclaw session for changes to take effect.');
+    process.exit(0);
+  }
+
+  if (sub === 'remove') {
+    const domain = args[2];
+    if (!domain) { console.error('Usage: openclaw-secure exfil-allow remove <domain>'); process.exit(1); }
+    const al = readAllowlist();
+    al.domains = al.domains.filter(d => d !== domain);
+    writeAllowlist(al);
+    console.log(`  Removed ${domain} from exfil allowlist.`);
+    if (al.domains.length === 0) console.log('  No domains left — consider disabling with: openclaw-secure exfil-allow disable');
+    process.exit(0);
+  }
+
+  if (sub === 'enable') {
+    const al = readAllowlist();
+    al.enabled = true;
+    writeAllowlist(al);
+    console.log('  Exfil allowlist blocking enabled. Only allowlisted destinations will be permitted.');
+    console.log('  Restart your openclaw session for changes to take effect.');
+    process.exit(0);
+  }
+
+  if (sub === 'disable') {
+    const al = readAllowlist();
+    al.enabled = false;
+    writeAllowlist(al);
+    console.log('  Exfil allowlist blocking disabled. All exfil detections will be log-only.');
+    process.exit(0);
+  }
+
+  console.error('Usage: openclaw-secure exfil-allow <list|add|remove|enable|disable> [domain]');
+  process.exit(1);
+}
+
 if (args[0] === 'disable') {
   try {
     const original = fs.readFileSync(backupLink, 'utf8').trim();