npm - @contextfort-ai/openclaw-secure - Versions diffs - 0.1.9 → 0.1.12 - Mend

@contextfort-ai/openclaw-secure 0.1.9 → 0.1.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/README.md +65 -0
package/bin/openclaw-secure.js +71 -0
package/monitor/dashboard/public/index.html +1125 -42
package/monitor/dashboard/scan-worker.js +21 -0
package/monitor/dashboard/server.js +258 -7
package/monitor/exfil_guard/index.js +79 -7
package/monitor/plugin_guard/index.js +194 -0
package/monitor/prompt_injection_guard/index.js +17 -2
package/monitor/secrets_guard/index.js +148 -96
package/monitor/skills_guard/index.js +170 -30
package/openclaw-secure.js +178 -37
package/package.json +1 -1
package/test/guard-test-200.js +1312 -0

package/README.md ADDED Viewed

@@ -0,0 +1,65 @@
+# AntiVirus for ClawdBot: Prompt Injection Prevention (ashwin@contextfort.ai)
+Runtime controls for OpenClaw that intercepts child_process calls, enforces approval for external commands via Telegram, and detects prompt injection in command outputs.
+https://github.com/user-attachments/assets/93064c17-9644-403b-8328-1da8014dae89
+The runtime control live on Telegram.
+## Usage
+```bash
+./start-gateway-with-hook.sh
+```
+## Requirements
+- `~/.claude/hooks/.env` with `ANTHROPIC_API_KEY=sk-ant-...`
+- Telegram channel configured in OpenClaw
+## How It Works
+1. Hooks Node.js `child_process` module at startup
+2. Every spawn/exec call is intercepted before execution
+3. Read-only commands pass through immediately
+4. External/write commands require human approval on Telegram
+5. Command outputs are checked for prompt injection
+6. If injection detected, next external command is blocked with warning
+## Code References
+| What | Line |
+|------|------|
+| Command categories | `spawn-hook.js:104-108` |
+| Notion read-only detection | `spawn-hook.js:117-122` |
+| GitHub CLI read-only detection | `spawn-hook.js:124-130` |
+| Notion content extraction | `spawn-hook.js:141-156` |
+| Claude injection check | `spawn-hook.js:168-195` |
+| Main intercept logic | `spawn-hook.js:230-280` |
+## Command Categories
+**SKIP_USER_CONFIRMATION** (line 106) - Read-only, no external writes:
+- System info: `whoami`, `pwd`, `hostname`, `uname`, `sw_vers`
+- File reads: `ls`, `cat`, `head`, `tail`, `file`, `wc`
+- Network info: `arp`, `ifconfig`, `networksetup`, `scutil`
+- Notion/GitHub: GET requests, search queries, list/view subcommands
+**SKIP_RESPONSE_CHECK** (line 105) - Output cannot be attacker-influenced:
+- `whoami`, `pwd`, `echo`, `hostname`, `uname`
+**INTERNAL_COMMANDS** (line 107) - Always pass through, even with injection warning:
+- All local system commands that don't touch external services
+## Debug Mode
+```bash
+SPAWN_GATE_DEBUG=1 ./start-gateway-with-hook.sh
+```
+Logs to `spawn-gate.log`, audit trail in `spawn-audit.jsonl`.

package/bin/openclaw-secure.js CHANGED Viewed

@@ -254,6 +254,77 @@ if (args[0] === 'scan' || args[0] === 'solve') {
   return; // don't fall through — raw mode is async
 }
+if (args[0] === 'exfil-allow') {
+  const ALLOWLIST_FILE = path.join(CONFIG_DIR, 'exfil_allowlist.json');
+  const sub = args[1];
+  function readAllowlist() {
+    try { return JSON.parse(fs.readFileSync(ALLOWLIST_FILE, 'utf8')); }
+    catch { return { enabled: false, domains: [] }; }
+  }
+  function writeAllowlist(data) {
+    fs.mkdirSync(CONFIG_DIR, { recursive: true });
+    fs.writeFileSync(ALLOWLIST_FILE, JSON.stringify(data, null, 2) + '\n', { mode: 0o600 });
+  }
+  if (sub === 'list') {
+    const al = readAllowlist();
+    console.log(`\n  Exfil destination allowlist: ${al.enabled ? '\x1b[32menabled\x1b[0m (blocking non-allowed)' : '\x1b[33mdisabled\x1b[0m (log-only mode)'}`);
+    if (al.domains.length === 0) {
+      console.log('  No domains configured.\n');
+    } else {
+      console.log('  Allowed destinations:');
+      for (const d of al.domains) console.log(`    - ${d}`);
+      console.log();
+    }
+    process.exit(0);
+  }
+  if (sub === 'add') {
+    const domain = args[2];
+    if (!domain) { console.error('Usage: openclaw-secure exfil-allow add <domain>'); process.exit(1); }
+    const al = readAllowlist();
+    if (!al.domains.includes(domain)) al.domains.push(domain);
+    al.enabled = true;
+    writeAllowlist(al);
+    console.log(`  Added ${domain} to exfil allowlist. Blocking mode enabled.`);
+    console.log('  Restart your openclaw session for changes to take effect.');
+    process.exit(0);
+  }
+  if (sub === 'remove') {
+    const domain = args[2];
+    if (!domain) { console.error('Usage: openclaw-secure exfil-allow remove <domain>'); process.exit(1); }
+    const al = readAllowlist();
+    al.domains = al.domains.filter(d => d !== domain);
+    writeAllowlist(al);
+    console.log(`  Removed ${domain} from exfil allowlist.`);
+    if (al.domains.length === 0) console.log('  No domains left — consider disabling with: openclaw-secure exfil-allow disable');
+    process.exit(0);
+  }
+  if (sub === 'enable') {
+    const al = readAllowlist();
+    al.enabled = true;
+    writeAllowlist(al);
+    console.log('  Exfil allowlist blocking enabled. Only allowlisted destinations will be permitted.');
+    console.log('  Restart your openclaw session for changes to take effect.');
+    process.exit(0);
+  }
+  if (sub === 'disable') {
+    const al = readAllowlist();
+    al.enabled = false;
+    writeAllowlist(al);
+    console.log('  Exfil allowlist blocking disabled. All exfil detections will be log-only.');
+    process.exit(0);
+  }
+  console.error('Usage: openclaw-secure exfil-allow <list|add|remove|enable|disable> [domain]');
+  process.exit(1);
+}
 if (args[0] === 'disable') {
   try {
     const original = fs.readFileSync(backupLink, 'utf8').trim();