@lowwattlabs/clawsec 2.0.0
- package/LICENSE +21 -0
- package/README.md +223 -0
- package/api/public/index.html +87 -0
- package/api/src/badge.js +60 -0
- package/api/src/middleware.js +104 -0
- package/api/src/routes.js +184 -0
- package/api/src/server.js +58 -0
- package/api/src/verify-wrapper.sh +16 -0
- package/bin/clawsec-api.js +19 -0
- package/bin/clawsec.js +99 -0
- package/bin/setup-venv.js +35 -0
- package/cli/clawsec.py +263 -0
- package/lib/common/__init__.py +2 -0
- package/lib/common/colors.sh +17 -0
- package/lib/common/config.py +12 -0
- package/lib/common/config.sh +8 -0
- package/lib/common/log.sh +24 -0
- package/lib/common/utils.sh +69 -0
- package/lib/intel-sync/manifest.py +103 -0
- package/lib/intel-sync/sources/cisa-kev.sh +24 -0
- package/lib/intel-sync/sources/epss.sh +34 -0
- package/lib/intel-sync/sources/feodo.sh +27 -0
- package/lib/intel-sync/sources/malwarebazaar.sh +22 -0
- package/lib/intel-sync/sources/osv.sh +101 -0
- package/lib/intel-sync/sources/semgrep-rules.sh +28 -0
- package/lib/intel-sync/sources/threatfox.sh +28 -0
- package/lib/intel-sync/sources/urlhaus.sh +42 -0
- package/lib/intel-sync/sources/yara-rules.sh +38 -0
- package/lib/intel-sync/sync.sh +96 -0
- package/lib/skill-verify/checks/behavioral.py +252 -0
- package/lib/skill-verify/checks/dep-scan.py +456 -0
- package/lib/skill-verify/checks/ioc-match.py +382 -0
- package/lib/skill-verify/checks/prompt-inject.py +158 -0
- package/lib/skill-verify/checks/secret-scan.sh +61 -0
- package/lib/skill-verify/checks/static-analysis.sh +73 -0
- package/lib/skill-verify/checks/yara-scan.sh +73 -0
- package/lib/skill-verify/report.py +119 -0
- package/lib/skill-verify/verify.sh +326 -0
- package/package.json +42 -0
- package/requirements.txt +6 -0
- package/setup.sh +200 -0
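--- a/package/setup.sh
+++ b/package/setup.sh
@@ -0,0 +1,200 @@
+#!/usr/bin/env bash
+# ⚡ ClawSec v2 Dependency Setup
+# Installs all required tools for intel-sync and skill-verify
+set -euo pipefail
+
+VERSION="2.0.0"
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "${SCRIPT_DIR}/lib/common/config.sh"
+INTEL_DIR="${CLAWSEC_INTEL_DIR}"
+CLAWSEC_USER="$(whoami)"
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[0;33m'
+BLUE='\033[0;34m'
+BOLD='\033[1m'
+RESET='\033[0m'
+
+log_info() { echo -e "${BLUE}[INFO]${RESET} $*"; }
+log_ok() { echo -e "${GREEN}[ OK ]${RESET} $*"; }
+log_warn() { echo -e "${YELLOW}[WARN]${RESET} $*"; }
+log_err() { echo -e "${RED}[ERR ]${RESET} $*"; }
+
+banner() {
+echo -e "${BOLD}"
+echo " ╔═══════════════════════════════════════╗"
+echo " ║ ClawSec v${VERSION} Setup ║"
+echo " ║ ⚡ Security Verification for Skills ║"
+echo " ╚═══════════════════════════════════════╝"
+echo -e "${RESET}"
+}
+
+check_cmd() {
+if command -v "$1" &>/dev/null; then
+log_ok "$1 already installed: $(command -v "$1")"
+return 0
+else
+return 1
+fi
+}
+
+install_system_deps() {
+log_info "Installing system dependencies..."
+local needed=()
+for pkg in curl wget git jq python3 python3-pip python3-venv libyara-dev yara; do
+if ! dpkg -l "$pkg" &>/dev/null 2>&1; then
+needed+=("$pkg")
+fi
+done
+
+if [[ ${#needed[@]} -gt 0 ]]; then
+sudo apt-get update -qq
+sudo apt-get install -y -qq "${needed[@]}"
+log_ok "System packages installed: ${needed[*]}"
+else
+log_ok "All system packages already installed"
+fi
+}
+
+install_semgrep() {
+if check_cmd semgrep; then return 0; fi
+log_info "Installing Semgrep..."
+pip3 install --user semgrep 2>/dev/null || pip install --user semgrep 2>/dev/null
+export PATH="$HOME/.local/bin:$PATH"
+if check_cmd semgrep; then
+log_ok "Semgrep installed"
+else
+log_warn "Semgrep pip install failed, trying direct binary..."
+curl -fsSL https://raw.githubusercontent.com/returntocorp/semgrep/main/install.sh | bash
+log_ok "Semgrep installed via script"
+fi
+}
+
+install_gitleaks() {
+if check_cmd gitleaks; then return 0; fi
+log_info "Installing Gitleaks..."
+local arch="$(uname -m)"
+local gitleaks_arch="x64"
+[[ "$arch" == "aarch64" ]] && gitleaks_arch="arm64"
+
+local latest
+latest=$(curl -fsSL https://api.github.com/repos/gitleaks/gitleaks/releases/latest | jq -r '.tag_name')
+local url="https://github.com/gitleaks/gitleaks/releases/download/${latest}/gitleaks_${latest:1}_linux_${gitleaks_arch}.tar.gz"
+
+local tmpdir
+tmpdir=$(mktemp -d)
+curl -fsSL "$url" | tar -xz -C "$tmpdir"
+mkdir -p "$HOME/.local/bin"
+mv "$tmpdir/gitleaks" "$HOME/.local/bin/gitleaks"
+chmod +x "$HOME/.local/bin/gitleaks"
+rm -rf "$tmpdir"
+log_ok "Gitleaks ${latest} installed"
+}
+
+install_yara_python() {
+log_info "Checking yara-python..."
+if python3 -c "import yara" 2>/dev/null; then
+log_ok "yara-python already available"
+return 0
+fi
+pip3 install --user yara-python 2>/dev/null || pip install --user yara-python 2>/dev/null
+if python3 -c "import yara" 2>/dev/null; then
+log_ok "yara-python installed"
+else
+log_warn "yara-python install failed — YARA scans may not work"
+fi
+}
+
+setup_dirs() {
+log_info "Setting up directory structure at ${CLAWSEC_HOME}..."
+mkdir -p "${INTEL_DIR}"/{cisa-kev,osv,epss,malwarebazaar,urlhaus,threatfox,feodo,yara-rules,semgrep-rules}
+mkdir -p "${CLAWSEC_HOME}/reports"
+mkdir -p "${CLAWSEC_HOME}/venv"
+log_ok "Directory structure ready at ${CLAWSEC_HOME}"
+}
+
+clone_rule_repos() {
+log_info "Cloning/pulling rule repos..."
+
+# YARA rules - Neo23x0/signature-base
+local yara_dir="${INTEL_DIR}/yara-rules/repo"
+if [[ -d "$yara_dir/.git" ]]; then
+git -C "$yara_dir" pull --quiet 2>/dev/null && log_ok "YARA rules updated" || log_warn "YARA rules pull failed"
+else
+rm -rf "$yara_dir"
+git clone --depth 1 https://github.com/Neo23x0/signature-base.git "$yara_dir" 2>/dev/null && log_ok "YARA rules cloned" || log_warn "YARA rules clone failed"
+fi
+
+# Semgrep rules
+local semgrep_dir="${INTEL_DIR}/semgrep-rules/repo"
+if [[ -d "$semgrep_dir/.git" ]]; then
+git -C "$semgrep_dir" pull --quiet 2>/dev/null && log_ok "Semgrep rules updated" || log_warn "Semgrep rules pull failed"
+else
+rm -rf "$semgrep_dir"
+git clone --depth 1 https://github.com/returntocorp/semgrep-rules.git "$semgrep_dir" 2>/dev/null && log_ok "Semgrep rules cloned" || log_warn "Semgrep rules clone failed"
+fi
+}
+
+setup_python_env() {
+log_info "Setting up Python virtual environment..."
+local venv_dir="${CLAWSEC_HOME}/venv"
+if [[ ! -d "$venv_dir" ]] || [[ ! -f "$venv_dir/bin/python3" ]]; then
+python3 -m venv "$venv_dir"
+fi
+source "$venv_dir/bin/activate"
+pip install --quiet --upgrade pip
+if [[ -f "${SCRIPT_DIR}/requirements.txt" ]]; then
+pip install --quiet -r "${SCRIPT_DIR}/requirements.txt"
+fi
+deactivate
+log_ok "Python venv ready at $venv_dir"
+}
+
+verify_install() {
+echo ""
+log_info "Verifying installations..."
+echo ""
+local all_ok=true
+
+for cmd in python3 jq curl git; do
+if check_cmd "$cmd"; then :; else
+log_err "$cmd NOT found"
+all_ok=false
+fi
+done
+
+for cmd in semgrep gitleaks yara; do
+if check_cmd "$cmd"; then :; else
+log_warn "$cmd NOT found — some checks will be unavailable"
+fi
+done
+
+echo ""
+if $all_ok; then
+log_ok "Core dependencies verified"
+else
+log_err "Some core dependencies missing — review above"
+fi
+}
+
+main() {
+banner
+
+export PATH="$HOME/.local/bin:$PATH"
+
+install_system_deps
+install_semgrep
+install_gitleaks
+install_yara_python
+setup_dirs
+clone_rule_repos
+setup_python_env
+verify_install
+
+echo ""
+log_ok "Setup complete. Run: clawsec scan <path> (to verify a skill)"
+log_ok " clawsec sync (to populate intel cache)"
+}
+
+main "$@"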
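Review bot: `install_gitleaks` (file lines 82–87) installs whatever tag the GitHub API reports as latest and pipes the tarball straight into `tar` with no integrity check, and the `install_semgrep` fallback (line 69) pipes an unpinned `install.sh` from the upstream `main` branch into `bash` — for a tool whose purpose is to vet untrusted code, a compromised release asset or upstream repo would run with the installer's privileges (and `sudo` has just been cached by the apt step). Pin the gitleaks version and a SHA-256 digest, download into the mktemp dir, verify before extracting, and clean the temp dir on the failure path too; for semgrep, drop the curl-pipe-bash fallback (or at least pin it to a commit) and `log_err` instead of executing remote code. Separately, under `set -euo pipefail` the `pip3 … || pip …` chain on line 63 aborts the whole script when both fail, so the "trying direct binary" branch on line 68 is only reachable when pip succeeded but `semgrep` is still not on PATH — append `|| true` to that line if the fallback is really intended. The rewrite below shows the pinned, verified gitleaks path; the values come from two variables the operator sets at the top of the script rather than from the release API.
```shell
install_gitleaks() {
  if check_cmd gitleaks; then return 0; fi
  log_info "Installing Gitleaks..."
  # … unchanged: arch detection into $gitleaks_arch …

  # Pin the release and its digest instead of trusting the "latest" API response.
  local version="${GITLEAKS_VERSION:?set GITLEAKS_VERSION to the pinned gitleaks release}"
  local sha256="${GITLEAKS_SHA256:?set GITLEAKS_SHA256 to the SHA-256 of the pinned linux_${gitleaks_arch} tarball}"
  local url="https://github.com/gitleaks/gitleaks/releases/download/v${version}/gitleaks_${version}_linux_${gitleaks_arch}.tar.gz"

  local tmpdir
  tmpdir=$(mktemp -d)
  if ! curl -fsSL -o "$tmpdir/gitleaks.tgz" "$url"; then
    rm -rf -- "$tmpdir"; log_err "gitleaks download failed"; return 1
  fi
  # Refuse to extract anything whose digest does not match the pinned value.
  if ! printf '%s  %s\n' "$sha256" "$tmpdir/gitleaks.tgz" | sha256sum -c --status -; then
    rm -rf -- "$tmpdir"; log_err "gitleaks checksum mismatch — refusing to install"; return 1
  fi
  tar -xz -C "$tmpdir" -f "$tmpdir/gitleaks.tgz" gitleaks
  mkdir -p "$HOME/.local/bin"
  mv "$tmpdir/gitleaks" "$HOME/.local/bin/gitleaks"
  chmod +x "$HOME/.local/bin/gitleaks"
  rm -rf -- "$tmpdir"
  log_ok "Gitleaks ${version} installed"
}
```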