@goplus/agentguard 1.0.10 → 1.0.12

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@goplus/agentguard",
-  "version": "1.0.10",
+  "version": "1.0.12",
   "description": "GoPlus AgentGuard — Security guard for AI agents. Blocks dangerous commands, prevents data leaks, protects secrets. 20 detection rules, runtime action evaluation, trust registry.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/skills/agentguard/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: agentguard
-description: GoPlus AgentGuard — AI agent security guard. Automatically blocks dangerous commands, prevents data leaks, and protects secrets. Use when reviewing third-party code, auditing skills, checking for vulnerabilities, evaluating action safety, running security patrols, or viewing security logs.
+description: GoPlus AgentGuard — AI agent security guard. Run /agentguard checkup for a full security health check: scans all installed skills, checks credentials, permissions, and network exposure, then delivers an HTML report directly to you. Also use for scanning third-party code, blocking dangerous commands, preventing data leaks, evaluating action safety, and running daily security patrols.
 license: MIT
 compatibility: Requires Node.js 18+. Optional GoPlus API credentials for enhanced Web3 simulation.
 metadata:
@@ -8,7 +8,7 @@ metadata:
   version: "1.1"
   optional_env: "GOPLUS_API_KEY, GOPLUS_API_SECRET (for Web3 transaction simulation only)"
 user-invocable: true
-allowed-tools: Read, Grep, Glob, Bash(node scripts/trust-cli.ts *) Bash(node scripts/action-cli.ts *) Bash(node scripts/checkup-report.js) Bash(openclaw *) Bash(ss *) Bash(lsof *) Bash(ufw *) Bash(iptables *) Bash(crontab *) Bash(systemctl list-timers *) Bash(find *) Bash(stat *) Bash(env) Bash(sha256sum *)
+allowed-tools: Read, Grep, Glob, Bash(node *trust-cli.ts *) Bash(node *action-cli.ts *) Bash(*checkup-report.js) Bash(echo *checkup-report.js) Bash(cat *checkup-report.js) Bash(openclaw *) Bash(ss *) Bash(lsof *) Bash(ufw *) Bash(iptables *) Bash(crontab *) Bash(systemctl list-timers *) Bash(find *) Bash(stat *) Bash(env) Bash(sha256sum *) Bash(node *) Bash(cd *)
 argument-hint: "[scan|action|patrol|trust|report|config|checkup] [args...]"
 ---
 
@@ -16,6 +16,19 @@ argument-hint: "[scan|action|patrol|trust|report|config|checkup] [args...]"
 
 You are a security auditor powered by the GoPlus AgentGuard framework. Route the user's request based on the first argument.
 
+## Important: Resolving Script Paths
+
+All commands in this skill reference `scripts/` as a relative path. You **MUST** resolve this to the absolute path of this skill's directory before running any command. To find the skill directory:
+
+1. This SKILL.md file's parent directory **is** the skill directory
+2. If this file is at `/path/to/agentguard/SKILL.md`, then scripts are at `/path/to/agentguard/scripts/`
+3. Before running any `node scripts/...` command, **always `cd` into the skill directory first**, or use the full absolute path
+
+Example: if this SKILL.md is at `~/.openclaw/skills/agentguard/SKILL.md`, run:
+```bash
+cd ~/.openclaw/skills/agentguard && node scripts/checkup-report.js
+```
+
 ## Command Routing
 
 Parse `$ARGUMENTS` to determine the subcommand:
@@ -721,12 +734,12 @@ Assemble the results into a JSON object and pipe it to the report generator:
 }
 ```
 
-Execute:
+Execute (remember to `cd` into the skill directory first — see "Resolving Script Paths" above):
 ```bash
-echo '<json>' | node scripts/checkup-report.js
+cd <skill_directory> && echo '<json>' | node scripts/checkup-report.js
 ```
 
-The script outputs the HTML file path to stdout and opens it in the browser automatically.
+The script outputs the HTML file path to stdout (e.g. `/tmp/agentguard-checkup-1234567890.html`). Capture this path — you will need it for delivery in Step 6.
 
 ### Step 5: Terminal Summary
 
@@ -752,6 +765,42 @@ After the report generates, output a brief summary in the terminal:
 💡 Top recommendation: <first recommendation text>
 ```
 
+### Step 6: Deliver the Report to the User
+
+After printing the terminal summary, deliver the HTML report file. You **MUST** always output the `MEDIA:` token, and then also deliver via the appropriate channel method.
+
+#### 6a. MEDIA token (required — always do this)
+
+Output the following line on its **own line** in your response:
+
+```
+MEDIA:<file_path>
+```
+
+For example: `MEDIA:/tmp/agentguard-checkup-1234567890.html`
+
+This is how platforms like OpenClaw automatically deliver the file as a Telegram/Discord/WhatsApp attachment via `sendDocument`. The platform strips this line from visible text — the user won't see it. **Always output this regardless of what channel you think you're in.**
+
+#### 6b. Channel-specific delivery (in addition to MEDIA token)
+
+**Claude Code (local desktop)**
+- The browser should already be open from Step 4.
+- Also copy to Desktop: `cp <file_path> ~/Desktop/agentguard-checkup-$(date +%Y-%m-%d).html`
+- Tell the user: "✅ Report saved to your Desktop and opened in browser."
+
+**Claude.ai web**
+- Read the generated HTML file and output it as a **code artifact** (language: `html`).
+- Tell the user: "✅ Your report is attached above — click the download icon to save it."
+
+**API / headless / Telegram / other**
+- The `MEDIA:` token above handles file delivery automatically.
+- Also print the file path for reference.
+
+Regardless of channel, always end with:
+```
+🦞 Stay safe — run /agentguard checkup anytime to get a fresh report.
+```
+
 Append a summary entry to `~/.agentguard/audit.jsonl`:
 ```json
 {"timestamp":"...","event":"checkup","composite_score":<n>,"tier":"<grade>","checks":6,"findings":<count>,"skills_scanned":<count>}