@contextfort-ai/openclaw-secure 0.1.8 → 0.1.9

package/bin/openclaw-secure.js

@@ -96,7 +96,11 @@ if (args[0] === 'dashboard') {
     else if (process.platform === 'win32') execSync(`start "" "${openUrl}"`);
   } catch {}
 
-  process.on('SIGINT', () => { server.close(); process.exit(0); });
+  process.on('SIGINT', () => {
+    if (server._tunnel) try { server._tunnel.kill(); } catch {}
+    server.close();
+    process.exit(0);
+  });
   // Keep alive — don't fall through
   return;
 }

package/monitor/dashboard/public/index.html

@@ -48,7 +48,7 @@
     .card-sub { font-size: 12px; color: #a1a1aa; margin-top: 4px; }
 
     /* Guard summary cards on home */
-    .guard-cards { display: grid; grid-template-columns: repeat(4, 1fr); gap: 16px; }
+    .guard-cards { display: grid; grid-template-columns: repeat(5, 1fr); gap: 16px; }
     .guard-card { border: 1px solid rgba(255,255,255,0.1); border-radius: 8px; padding: 16px; background: rgba(255,255,255,0.02); cursor: pointer; transition: all 0.15s; }
     .guard-card:hover { background: rgba(255,255,255,0.05); border-color: rgba(255,255,255,0.2); }
     .guard-card-header { display: flex; align-items: center; gap: 8px; margin-bottom: 10px; }
@@ -59,6 +59,7 @@
     .dot { width: 8px; height: 8px; border-radius: 50%; display: inline-block; }
     .dot-green { background: #22c55e; box-shadow: 0 0 6px rgba(34,197,94,0.4); }
     .dot-red { background: #ef4444; box-shadow: 0 0 6px rgba(239,68,68,0.4); }
+    .dot-yellow { background: #eab308; box-shadow: 0 0 6px rgba(234,179,8,0.4); }
     .dot-gray { background: #52525b; }
 
     /* Page header */
@@ -107,7 +108,8 @@
 
     /* Responsive */
     @media (max-width: 900px) {
-      .cards, .guard-cards { grid-template-columns: repeat(2, 1fr); }
+      .cards { grid-template-columns: repeat(2, 1fr); }
+      .guard-cards { grid-template-columns: repeat(3, 1fr); }
       .sidebar { width: 170px; }
     }
   </style>
@@ -169,6 +171,11 @@
           Secrets Guard
           <span class="dot dot-green" id="sb-sec-dot" style="margin-left:auto"></span>
         </button>
+        <button class="sidebar-btn" data-page="exfil" onclick="switchPage('exfil')">
+          <svg fill="none" stroke="currentColor" stroke-width="2" viewBox="0 0 24 24"><path d="M17 3a2.85 2.85 0 1 1 4 4L7.5 20.5 2 22l1.5-5.5Z"/></svg>
+          Exfil Monitor
+          <span class="dot dot-green" id="sb-exfil-dot" style="margin-left:auto"></span>
+        </button>
       </div>
     </aside>
 
@@ -222,6 +229,14 @@
             </div>
             <div class="guard-stat"><b id="g-sec-blocks">0</b> blocks &middot; <b id="g-sec-redactions">0</b> redactions</div>
           </div>
+          <div class="guard-card" onclick="switchPage('exfil')">
+            <div class="guard-card-header">
+              <svg fill="none" stroke="currentColor" stroke-width="2" viewBox="0 0 24 24"><path d="M17 3a2.85 2.85 0 1 1 4 4L7.5 20.5 2 22l1.5-5.5Z"/></svg>
+              <span>Exfil Monitor</span>
+              <span class="dot dot-green" id="g-exfil-dot" style="margin-left:auto"></span>
+            </div>
+            <div class="guard-stat"><b id="g-exfil-detections">0</b> detections</div>
+          </div>
         </div>
       </div>
 
@@ -235,7 +250,8 @@
           <div class="table-header">
             <h3>Events</h3>
             <div class="filter-row">
-              <label class="check-label"><input type="checkbox" id="skill-server-only" onchange="renderGuardPage('skill')"> View only server sent events</label>
+              <label class="check-label"><input type="checkbox" id="skill-blocked-only" onchange="renderGuardPage('skill')"> Only show blocked</label>
+              <label class="check-label"><input type="checkbox" id="skill-server-only" onchange="renderGuardPage('skill')"> Server sent events</label>
             </div>
           </div>
           <div class="table-body" id="skill-table-body"></div>
@@ -252,7 +268,8 @@
           <div class="table-header">
             <h3>Events</h3>
             <div class="filter-row">
-              <label class="check-label"><input type="checkbox" id="bash-server-only" onchange="renderGuardPage('bash')"> View only server sent events</label>
+              <label class="check-label"><input type="checkbox" id="bash-blocked-only" onchange="renderGuardPage('bash')"> Only show blocked</label>
+              <label class="check-label"><input type="checkbox" id="bash-server-only" onchange="renderGuardPage('bash')"> Server sent events</label>
             </div>
           </div>
           <div class="table-body" id="bash-table-body"></div>
@@ -269,7 +286,8 @@
           <div class="table-header">
             <h3>Events</h3>
             <div class="filter-row">
-              <label class="check-label"><input type="checkbox" id="pi-server-only" onchange="renderGuardPage('pi')"> View only server sent events</label>
+              <label class="check-label"><input type="checkbox" id="pi-blocked-only" onchange="renderGuardPage('pi')"> Only show blocked</label>
+              <label class="check-label"><input type="checkbox" id="pi-server-only" onchange="renderGuardPage('pi')"> Server sent events</label>
             </div>
           </div>
           <div class="table-body" id="pi-table-body"></div>
@@ -286,13 +304,32 @@
           <div class="table-header">
             <h3>Events</h3>
             <div class="filter-row">
-              <label class="check-label"><input type="checkbox" id="secrets-server-only" onchange="renderGuardPage('secrets')"> View only server sent events</label>
+              <label class="check-label"><input type="checkbox" id="secrets-blocked-only" onchange="renderGuardPage('secrets')"> Only show blocked</label>
+              <label class="check-label"><input type="checkbox" id="secrets-server-only" onchange="renderGuardPage('secrets')"> Server sent events</label>
             </div>
           </div>
           <div class="table-body" id="secrets-table-body"></div>
         </div>
       </div>
 
+      <!-- EXFIL MONITOR PAGE -->
+      <div id="page-exfil" style="display:none">
+        <div class="page-header">
+          <h1>Exfil Monitor</h1>
+          <p>Detects when sensitive environment variables are transmitted to external servers via curl, wget, or nc.</p>
+        </div>
+        <div class="table-wrap">
+          <div class="table-header">
+            <h3>Events</h3>
+            <div class="filter-row">
+              <label class="check-label"><input type="checkbox" id="exfil-blocked-only" onchange="renderGuardPage('exfil')"> Only show blocked</label>
+              <label class="check-label"><input type="checkbox" id="exfil-server-only" onchange="renderGuardPage('exfil')"> Server sent events</label>
+            </div>
+          </div>
+          <div class="table-body" id="exfil-table-body"></div>
+        </div>
+      </div>
+
     </main>
   </div>
 
@@ -310,12 +347,14 @@ const GUARD_EVENTS = {
   bash: e => e.blocker === 'tirith',
   pi: e => e.blocker === 'prompt_injection',
   secrets: e => e.blocker === 'env_var' || e.event === 'output_redacted',
+  exfil: e => e.event === 'exfil_attempt',
 };
 const SERVER_GUARD = {
   skill: e => e.destination === 'supabase' || (e.destination === 'posthog' && e.event && e.event.includes('skill')),
   bash: e => e.destination === 'posthog' && e.properties?.blocker === 'tirith',
   pi: e => e.destination === 'posthog' && (e.event === 'output_scan_started' || e.event === 'output_scan_result' || e.properties?.blocker === 'prompt_injection'),
   secrets: e => e.destination === 'posthog' && (e.properties?.blocker === 'env_var_leak' || e.event === 'output_secrets_redacted'),
+  exfil: e => e.destination === 'posthog' && e.event === 'exfil_attempt',
 };
 
 function setDays(d) {
@@ -327,7 +366,7 @@ function setDays(d) {
 function switchPage(page) {
   currentPage = page;
   document.querySelectorAll('.sidebar-btn').forEach(b => b.classList.toggle('active', b.dataset.page === page));
-  ['home','skill','bash','pi','secrets'].forEach(p => {
+  ['home','skill','bash','pi','secrets','exfil'].forEach(p => {
     document.getElementById('page-' + p).style.display = p === page ? '' : 'none';
   });
   if (page !== 'home') renderGuardPage(page);
@@ -365,12 +404,14 @@ function renderOverview(ov) {
   document.getElementById('g-pi-blocks').textContent = gs.prompt_injection?.blocks || 0;
   document.getElementById('g-sec-blocks').textContent = gs.secrets_guard?.blocks || 0;
   document.getElementById('g-sec-redactions').textContent = gs.secrets_guard?.redactions || 0;
+  document.getElementById('g-exfil-detections').textContent = gs.exfil_monitor?.detections || 0;
 
   const hasData = ov.total > 0;
   setDot('g-skill-dot', hasData, gs.skill_scanner?.blocks > 0);
   setDot('g-bash-dot', hasData, gs.bash_guard?.blocks > 0);
   setDot('g-pi-dot', hasData, gs.prompt_injection?.blocks > 0);
   setDot('g-sec-dot', hasData, (gs.secrets_guard?.blocks > 0) || (gs.secrets_guard?.redactions > 0));
+  setDot('g-exfil-dot', hasData, gs.exfil_monitor?.detections > 0, 'dot-yellow');
 }
 
 function renderSidebarDots(ov) {
@@ -380,16 +421,18 @@ function renderSidebarDots(ov) {
   setDot('sb-bash-dot', hasData, gs.bash_guard?.blocks > 0);
   setDot('sb-pi-dot', hasData, gs.prompt_injection?.blocks > 0);
   setDot('sb-sec-dot', hasData, (gs.secrets_guard?.blocks > 0) || (gs.secrets_guard?.redactions > 0));
+  setDot('sb-exfil-dot', hasData, gs.exfil_monitor?.detections > 0, 'dot-yellow');
 }
 
-function setDot(id, hasData, hasBlocks) {
+function setDot(id, hasData, hasBlocks, activeClass) {
   const el = document.getElementById(id);
   if (!el) return;
-  el.className = 'dot ' + (hasData ? (hasBlocks ? 'dot-red' : 'dot-green') : 'dot-gray');
+  el.className = 'dot ' + (hasData ? (hasBlocks ? (activeClass || 'dot-red') : 'dot-green') : 'dot-gray');
 }
 
 function renderGuardPage(guard) {
   const serverOnly = document.getElementById(guard + '-server-only')?.checked;
+  const blockedOnly = document.getElementById(guard + '-blocked-only')?.checked;
   const container = document.getElementById(guard + '-table-body');
 
   if (serverOnly) {
@@ -412,22 +455,30 @@ function renderGuardPage(guard) {
         </tr>`;
       }).join('') + '</tbody></table>';
   } else {
-    // Show local events filtered to this guard
-    const filterFn = GUARD_EVENTS[guard] || (() => false);
-    const filtered = localEvents.filter(e => filterFn(e));
+    // Show all command events; optionally filter to only blocked by this guard
+    const guardBlockerFn = GUARD_EVENTS[guard] || (() => false);
+    let filtered;
+    if (blockedOnly) {
+      filtered = localEvents.filter(e => guardBlockerFn(e));
+    } else {
+      // Show all command_check + command_blocked + output_redacted events
+      filtered = localEvents.filter(e => e.event === 'command_check' || e.event === 'command_blocked' || e.event === 'output_redacted');
+    }
     if (filtered.length === 0) {
-      container.innerHTML = '<div class="empty">No events for this guard yet. Events appear when openclaw-secure is active.</div>';
+      container.innerHTML = '<div class="empty">' + (blockedOnly ? 'No blocked events for this guard.' : 'No events yet. Events appear when openclaw-secure is active.') + '</div>';
       return;
     }
-    container.innerHTML = `<table><thead><tr><th>Time</th><th>Decision</th><th>Command</th><th>Detail</th></tr></thead><tbody>` +
+    container.innerHTML = `<table><thead><tr><th>Time</th><th>Decision</th><th>Command</th><th>Blocker</th><th>Detail</th></tr></thead><tbody>` +
       filtered.map(e => {
         const badge = e.decision === 'block' ? 'badge-red' : e.decision === 'redact' ? 'badge-yellow' : 'badge-green';
         const label = e.decision === 'block' ? 'Blocked' : e.decision === 'redact' ? 'Redacted' : 'Allowed';
+        const blocker = e.blocker ? esc(e.blocker) : '-';
         const detail = e.reason ? esc(e.reason) : (e.secrets_count ? `${e.secrets_count} secret(s) redacted` : '');
         return `<tr>
           <td style="white-space:nowrap;color:#a1a1aa">${formatTime(e.ts)}</td>
           <td><span class="badge ${badge}">${label}</span></td>
           <td class="cmd" title="${esc(e.command || '')}">${esc(e.command || '-')}</td>
+          <td style="font-size:12px">${blocker}</td>
           <td style="font-size:12px;color:#a1a1aa;max-width:300px;overflow:hidden;text-overflow:ellipsis">${detail}</td>
         </tr>`;
       }).join('') + '</tbody></table>';

package/monitor/dashboard/server.js

@@ -82,11 +82,14 @@ module.exports = function startDashboard({ port = 9009 } = {}) {
       if (events[i].event === 'hook_loaded') { activeSince = events[i].ts; break; }
     }
 
+    const exfilDetections = events.filter(e => e.event === 'exfil_attempt').length;
+
     const guardStatus = {
       skill_scanner: { blocks: byGuard.skill || 0, active: true },
       bash_guard: { blocks: byGuard.tirith || 0, active: true },
       prompt_injection: { blocks: byGuard.prompt_injection || 0, active: true },
       secrets_guard: { blocks: (byGuard.env_var || 0), redactions: redacted, active: true },
+      exfil_monitor: { detections: exfilDetections, active: true },
     };
 
     json(res, { total, blocked, allowed: total - blocked, redacted, byGuard, guardStatus, activeSince });
@@ -114,8 +117,48 @@ module.exports = function startDashboard({ port = 9009 } = {}) {
 
   server.listen(port, '127.0.0.1', () => {
     console.log(`\n  ContextFort Security Dashboard`);
-    console.log(`  http://localhost:${port}\n`);
-    console.log(`  Press Ctrl+C to stop.\n`);
+    console.log(`  http://localhost:${port}`);
+
+    // Try to start a cloudflared quick tunnel
+    server._tunnel = null;
+    try {
+      const { spawn } = require('child_process');
+      const cf = spawn('cloudflared', ['tunnel', '--url', `http://localhost:${port}`], {
+        stdio: ['ignore', 'pipe', 'pipe'],
+      });
+      server._tunnel = cf;
+
+      let urlFound = false;
+      const extractUrl = (data) => {
+        if (urlFound) return;
+        const text = data.toString();
+        const match = text.match(/https:\/\/[a-z0-9-]+\.trycloudflare\.com/);
+        if (match) {
+          urlFound = true;
+          console.log(`  ${match[0]}  (public tunnel)\n`);
+          console.log(`  Press Ctrl+C to stop.\n`);
+        }
+      };
+      cf.stdout.on('data', extractUrl);
+      cf.stderr.on('data', extractUrl);
+
+      // If tunnel fails or no URL found after 10s, show fallback
+      setTimeout(() => {
+        if (!urlFound) {
+          console.log(`  (tunnel unavailable — local only)\n`);
+          console.log(`  Press Ctrl+C to stop.\n`);
+        }
+      }, 10000);
+
+      cf.on('error', () => {
+        if (!urlFound) {
+          console.log(`  (cloudflared not found — local only)\n`);
+          console.log(`  Press Ctrl+C to stop.\n`);
+        }
+      });
+    } catch {
+      console.log(`\n  Press Ctrl+C to stop.\n`);
+    }
   });
 
   return server;

package/monitor/exfil_guard/index.js

@@ -0,0 +1,253 @@
+'use strict';
+
+/**
+ * Exfil Guard — detects when sensitive environment variables are being
+ * transmitted to external servers via curl/wget/nc/httpie.
+ *
+ * This is a LOGGING-ONLY guard. It does not block commands.
+ * We can't yet distinguish legitimate from malicious destinations,
+ * so we log all detections for visibility in the dashboard.
+ */
+module.exports = function createExfilGuard({ analytics, localLogger }) {
+  const track = analytics ? analytics.track.bind(analytics) : () => {};
+
+  // --- Env var extraction (duplicated from secrets_guard to avoid coupling) ---
+
+  const ENV_VAR_PATTERN = /\$([A-Z_][A-Z0-9_]{2,})\b|\$\{([A-Z_][A-Z0-9_]{2,})(?:[:#%\/]|:-|:\+|:=)[^}]*\}|\$\{([A-Z_][A-Z0-9_]{2,})\}/g;
+
+  const SAFE_ENV_VARS = new Set([
+    'HOME', 'USER', 'USERNAME', 'LOGNAME', 'SHELL', 'TERM', 'TERM_PROGRAM',
+    'PATH', 'PWD', 'OLDPWD', 'HOSTNAME', 'LANG', 'LC_ALL', 'LC_CTYPE',
+    'EDITOR', 'VISUAL', 'PAGER', 'BROWSER', 'DISPLAY', 'XDG_RUNTIME_DIR',
+    'XDG_CONFIG_HOME', 'XDG_DATA_HOME', 'XDG_CACHE_HOME', 'XDG_STATE_HOME',
+    'TMPDIR', 'TEMP', 'TMP', 'COLORTERM', 'COLUMNS', 'LINES',
+    'SHLVL', 'HISTSIZE', 'HISTFILESIZE', 'HISTFILE', 'HISTCONTROL',
+    'NODE_ENV', 'RAILS_ENV', 'RACK_ENV', 'FLASK_ENV', 'DJANGO_SETTINGS_MODULE',
+    'GOPATH', 'GOROOT', 'CARGO_HOME', 'RUSTUP_HOME', 'JAVA_HOME',
+    'NVM_DIR', 'PYENV_ROOT', 'RBENV_ROOT', 'VIRTUAL_ENV', 'CONDA_DEFAULT_ENV',
+    'CI', 'GITHUB_ACTIONS', 'GITLAB_CI', 'CIRCLECI', 'TRAVIS',
+    'ARCH', 'MACHTYPE', 'OSTYPE', 'VENDOR',
+    'SSH_TTY', 'SSH_CONNECTION', 'SSH_CLIENT',
+    'GPG_TTY', 'GNUPGHOME',
+  ]);
+
+  function extractEnvVarRefs(cmd) {
+    if (!cmd || typeof cmd !== 'string') return [];
+    const vars = new Set();
+    let match;
+    const regex = new RegExp(ENV_VAR_PATTERN.source, 'g');
+    while ((match = regex.exec(cmd)) !== null) {
+      vars.add(match[1] || match[2] || match[3]);
+    }
+    return [...vars];
+  }
+
+  function filterSensitiveVars(vars) {
+    return vars.filter(v => !SAFE_ENV_VARS.has(v));
+  }
+
+  // --- Exfil tool detection ---
+
+  const EXFIL_TOOLS = [
+    { name: 'curl', pattern: /\bcurl\b/ },
+    { name: 'wget', pattern: /\bwget\b/ },
+    { name: 'nc', pattern: /\b(?:nc|ncat|netcat)\b/ },
+    { name: 'httpie', pattern: /\b(?:http|https)\s+(?:GET|POST|PUT|PATCH|DELETE|HEAD)\b/ },
+    { name: 'openssl', pattern: /\bopenssl\s+s_client\b/ },
+    { name: 'socat', pattern: /\bsocat\b/ },
+    { name: 'telnet', pattern: /\btelnet\b/ },
+  ];
+
+  // Commands where the tool word appears but is NOT being invoked as a network tool.
+  // These are string-context false positives.
+  const NON_EXEC_PREFIXES = [
+    /^\s*(?:git\s+(?:commit|log|show|diff|grep|blame))\b/,  // git commit -m "...curl..."
+    /^\s*(?:grep|rg|ag|ack)\b/,         // grep for curl patterns
+    /^\s*(?:sed|awk|perl\s+-[pi]e)\b/,  // sed/awk text processing
+    /^\s*(?:man|info|whatis|apropos)\b/, // man curl
+    /^\s*(?:which|where|type|command\s+-v|hash)\b/, // which curl
+    /^\s*(?:brew|apt-get|apt|yum|dnf|pacman|apk|port)\s+(?:install|remove|uninstall|info|search)\b/, // package managers
+    /^\s*[A-Z_][A-Z0-9_]*\s*=\s*/,      // VAR=... assignment
+  ];
+
+  // Commands where tool word appears in string-only context (no pipe involved).
+  // echo/printf are OK as prefixes ONLY when there's no pipe to a network tool.
+  const STRING_ONLY_PREFIXES = [
+    /^\s*(?:echo|printf)\b/,            // echo "use curl ..." (but NOT echo $VAR | curl)
+  ];
+
+  // Flags that take a local file/path argument (env var after these is NOT transmitted)
+  const LOCAL_PATH_FLAGS = {
+    curl: [
+      /\s-o\s+/, /\s--output\s+/, /\s--output=/, // output file
+      /\s-K\s+/, /\s--config\s+/,                 // config file
+      /\s--cacert\s+/, /\s--capath\s+/,           // CA cert paths
+      /\s-E\s+/, /\s--cert\s+/,                   // client cert
+      /\s--key\s+/,                                // client key file
+      /\s--ciphers\s+/,                            // cipher list
+      /\s-D\s+/, /\s--dump-header\s+/,             // dump header to file
+      /\s--trace\s+/, /\s--trace-ascii\s+/,        // trace output file
+      /\s-T\s+/, /\s--upload-file\s+/,             // upload from file
+    ],
+    wget: [
+      /\s-O\s+/, /\s--output-document\s+/, /\s--output-document=/,
+      /\s-o\s+/, /\s--output-file\s+/,
+      /\s-P\s+/, /\s--directory-prefix\s+/,
+      /\s--ca-certificate\s+/,
+    ],
+  };
+
+  // Filter out sensitive vars that only appear as the direct argument to a local-path flag
+  // (e.g. curl -o $VAR). Returns the subset of vars that are in transmit positions.
+  function filterVarsNotInLocalPaths(cmd, tool, sensitiveVars) {
+    const flags = LOCAL_PATH_FLAGS[tool];
+    if (!flags) return sensitiveVars;
+
+    // Build a set of character ranges that are "local path" argument positions.
+    // For each local-path flag match, the argument immediately after it is local.
+    const localRanges = [];
+    for (const fp of flags) {
+      const regex = new RegExp(fp.source, 'g');
+      let m;
+      while ((m = regex.exec(cmd)) !== null) {
+        // The argument starts right after the flag match
+        const argStart = m.index + m[0].length;
+        // The argument ends at the next whitespace (or end of string)
+        const rest = cmd.slice(argStart);
+        const argEnd = rest.search(/\s/) === -1 ? cmd.length : argStart + rest.search(/\s/);
+        localRanges.push([argStart, argEnd]);
+      }
+    }
+
+    return sensitiveVars.filter(varName => {
+      const varPatterns = [
+        new RegExp('\\$' + varName + '\\b', 'g'),
+        new RegExp('\\$\\{' + varName + '[^}]*\\}', 'g'),
+      ];
+
+      for (const vp of varPatterns) {
+        let match;
+        while ((match = vp.exec(cmd)) !== null) {
+          const pos = match.index;
+          // Check if this var position falls inside any local-path argument range
+          const inLocalRange = localRanges.some(([s, e]) => pos >= s && pos < e);
+          if (!inLocalRange) return true; // at least one occurrence is NOT a local path arg
+        }
+      }
+      return false; // all occurrences are in local-path argument positions
+    });
+  }
+
+  // Extract destination hostname from a command
+  function extractDestination(cmd) {
+    // Match URLs: https://host.com/... or http://host.com/...
+    const urlMatch = cmd.match(/https?:\/\/([^\/\s'"\\]+)/);
+    if (urlMatch) return urlMatch[1];
+
+    // For nc/ncat/telnet/openssl: tool hostname port
+    const socketMatch = cmd.match(/\b(?:nc|ncat|netcat|telnet)\s+(?:-[a-z]+\s+)*([a-zA-Z0-9.-]+)\s+\d+/);
+    if (socketMatch) return socketMatch[1];
+
+    // openssl s_client -connect host:port
+    const sslMatch = cmd.match(/s_client\s+.*-connect\s+([a-zA-Z0-9.-]+):\d+/);
+    if (sslMatch) return sslMatch[1];
+
+    // socat - TCP:host:port
+    const socatMatch = cmd.match(/TCP[46]?:([a-zA-Z0-9.-]+):\d+/i);
+    if (socatMatch) return socatMatch[1];
+
+    return null;
+  }
+
+  // Determine the transmission method
+  function detectMethod(cmd, tool) {
+    if (tool === 'curl') {
+      if (/\s-[Hh]\s/.test(cmd) || /--header\b/.test(cmd)) return 'header';
+      if (/\s-[dD]\s/.test(cmd) || /--data\b/.test(cmd) || /--data-raw\b/.test(cmd)) return 'body';
+      if (/\s-u\s/.test(cmd) || /--user\b/.test(cmd)) return 'auth';
+      if (/\s-F\s/.test(cmd) || /--form\b/.test(cmd)) return 'form';
+      return 'url';
+    }
+    if (tool === 'wget') {
+      if (/--header\b/.test(cmd)) return 'header';
+      if (/--post-data\b/.test(cmd) || /--post-file\b/.test(cmd)) return 'body';
+      if (/--user\b/.test(cmd) || /--password\b/.test(cmd)) return 'auth';
+      return 'url';
+    }
+    if (tool === 'nc' || tool === 'telnet' || tool === 'socat' || tool === 'openssl') return 'socket';
+    if (tool === 'httpie') return 'httpie';
+    return 'unknown';
+  }
+
+  /**
+   * Check if a command transmits sensitive env vars to an external server.
+   * Returns detection object or null.
+   */
+  function checkExfilAttempt(cmd) {
+    if (!cmd || typeof cmd !== 'string') return null;
+
+    // Skip commands where the tool word appears in a non-execution context
+    for (const prefix of NON_EXEC_PREFIXES) {
+      if (prefix.test(cmd)) return null;
+    }
+
+    // echo/printf are string-only IF there's no pipe to a network tool after them
+    const hasPipeToNetwork = /\|\s*(?:curl|wget|nc|ncat|netcat|openssl|socat|telnet)\b/.test(cmd);
+    if (!hasPipeToNetwork) {
+      for (const prefix of STRING_ONLY_PREFIXES) {
+        if (prefix.test(cmd)) return null;
+      }
+    }
+
+    // Detect which exfil tool is present
+    let detectedTool = null;
+    for (const tool of EXFIL_TOOLS) {
+      if (tool.pattern.test(cmd)) {
+        detectedTool = tool.name;
+        break;
+      }
+    }
+
+    // Also detect pipe-to-exfil patterns: ... | curl, ... | nc, ... | openssl, ... | socat, ... | telnet
+    if (!detectedTool) {
+      const pipeMatch = cmd.match(/\|\s*(?:curl|wget|nc|ncat|netcat|openssl|socat|telnet)\b/);
+      if (pipeMatch) {
+        detectedTool = pipeMatch[0].replace(/^\|\s*/, '').trim();
+        if (detectedTool === 'ncat' || detectedTool === 'netcat') detectedTool = 'nc';
+      }
+    }
+
+    if (!detectedTool) return null;
+
+    // Extract env var references and filter to sensitive ones
+    const allVars = extractEnvVarRefs(cmd);
+    if (allVars.length === 0) return null;
+
+    const sensitiveVars = filterSensitiveVars(allVars);
+    if (sensitiveVars.length === 0) return null;
+
+    // Filter out vars that only appear in local-path positions (e.g. curl -o $VAR)
+    const transmitVars = filterVarsNotInLocalPaths(cmd, detectedTool, sensitiveVars);
+    if (transmitVars.length === 0) return null;
+
+    // We have a network tool + sensitive env vars in transmit positions → detection
+    const destination = extractDestination(cmd);
+    const method = detectMethod(cmd, detectedTool);
+
+    return {
+      vars: transmitVars,
+      destination: destination || 'unknown',
+      tool: detectedTool,
+      method,
+    };
+  }
+
+  function init() {}
+  function cleanup() {}
+
+  return {
+    checkExfilAttempt,
+    init,
+    cleanup,
+  };
+};

package/openclaw-secure.js

@@ -72,6 +72,12 @@ const secretsGuard = require('./monitor/secrets_guard')({
   analytics,
 });
 
+// === Exfil Guard (logging-only) ===
+const exfilGuard = require('./monitor/exfil_guard')({
+  analytics,
+  localLogger,
+});
+
 // === Prompt Injection Guard (PostToolUse) ===
 const ANTHROPIC_KEY = process.env.ANTHROPIC_API_KEY || null;
 const promptInjectionGuard = require('./monitor/prompt_injection_guard')({
@@ -166,6 +172,13 @@ function shouldBlockCommand(cmd) {
   }
   guards.push('env_var');
 
+  const exfilCheck = exfilGuard.checkExfilAttempt(cmd);
+  if (exfilCheck) {
+    analytics.track('exfil_attempt', { tool: exfilCheck.tool, destination: exfilCheck.destination, vars_count: exfilCheck.vars.length });
+    localLogger.logLocal({ event: 'exfil_attempt', command: cmdSlice, guards: [...guards, 'exfil'], decision: 'log', blocker: 'exfil', reason: null, detection: exfilCheck });
+  }
+  guards.push('exfil');
+
   const result = checkCommandWithMonitor(cmd);
   if (result?.blocked) {
     analytics.track('command_blocked', { blocker: 'tirith', reason: result.reason });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contextfort-ai/openclaw-secure",
-  "version": "0.1.8",
+  "version": "0.1.9",
   "description": "Runtime security guard for OpenClaw — blocks malicious commands before they execute",
   "bin": {
     "openclaw-secure": "./bin/openclaw-secure.js"

package/monitor/secrets_guard/.trufflehog-exclude

@@ -1,9 +0,0 @@
-node_modules/
-\.git/
-__pycache__/
-\.pyc$
-\.next/
-dist/
-build/
-\.venv/
-venv/