@poolzin/pool-bot 2026.2.23 → 2026.2.25

package/dist/security/audit-extra.async.js

@@ -3,19 +3,25 @@
  *
  * These functions perform I/O (filesystem, config reads) to detect security issues.
  */
-import JSON5 from "json5";
 import fs from "node:fs/promises";
 import path from "node:path";
-import { resolveAgentWorkspaceDir, resolveDefaultAgentId } from "../agents/agent-scope.js";
+import { resolveDefaultAgentId } from "../agents/agent-scope.js";
+import { isToolAllowedByPolicies } from "../agents/pi-tools.policy.js";
+import { resolveSandboxConfigForAgent, resolveSandboxToolPolicyForAgent, } from "../agents/sandbox.js";
 import { loadWorkspaceSkillEntries } from "../agents/skills.js";
-import { LEGACY_MANIFEST_KEY } from "../compat/legacy-names.js";
+import { resolveToolProfilePolicy } from "../agents/tool-policy.js";
+import { listAgentWorkspaceDirs } from "../agents/workspace-dirs.js";
+import { MANIFEST_KEY } from "../compat/legacy-names.js";
 import { resolveNativeSkillsEnabled } from "../config/commands.js";
 import { createConfigIO } from "../config/config.js";
-import { INCLUDE_KEY, MAX_INCLUDE_DEPTH } from "../config/includes.js";
+import { collectIncludePathsRecursive } from "../config/includes-scan.js";
 import { resolveOAuthDir } from "../config/paths.js";
+import { normalizePluginsConfig } from "../plugins/config-state.js";
 import { normalizeAgentId } from "../routing/session-key.js";
 import { formatPermissionDetail, formatPermissionRemediation, inspectPathPermissions, safeStat, } from "./audit-fs.js";
-import { scanDirectoryWithSummary } from "./skill-scanner.js";
+import { pickSandboxToolPolicy } from "./audit-tool-policy.js";
+import { extensionUsesSkippedScannerPath, isPathInside } from "./scan-paths.js";
+import * as skillScanner from "./skill-scanner.js";
 // --------------------------------------------------------------------------
 // Helpers
 // --------------------------------------------------------------------------
@@ -35,91 +41,6 @@ function expandTilde(p, env) {
     }
     return null;
 }
-function resolveIncludePath(baseConfigPath, includePath) {
-    return path.normalize(path.isAbsolute(includePath)
-        ? includePath
-        : path.resolve(path.dirname(baseConfigPath), includePath));
-}
-function listDirectIncludes(parsed) {
-    const out = [];
-    const visit = (value) => {
-        if (!value) {
-            return;
-        }
-        if (Array.isArray(value)) {
-            for (const item of value) {
-                visit(item);
-            }
-            return;
-        }
-        if (typeof value !== "object") {
-            return;
-        }
-        const rec = value;
-        const includeVal = rec[INCLUDE_KEY];
-        if (typeof includeVal === "string") {
-            out.push(includeVal);
-        }
-        else if (Array.isArray(includeVal)) {
-            for (const item of includeVal) {
-                if (typeof item === "string") {
-                    out.push(item);
-                }
-            }
-        }
-        for (const v of Object.values(rec)) {
-            visit(v);
-        }
-    };
-    visit(parsed);
-    return out;
-}
-async function collectIncludePathsRecursive(params) {
-    const visited = new Set();
-    const result = [];
-    const walk = async (basePath, parsed, depth) => {
-        if (depth > MAX_INCLUDE_DEPTH) {
-            return;
-        }
-        for (const raw of listDirectIncludes(parsed)) {
-            const resolved = resolveIncludePath(basePath, raw);
-            if (visited.has(resolved)) {
-                continue;
-            }
-            visited.add(resolved);
-            result.push(resolved);
-            const rawText = await fs.readFile(resolved, "utf-8").catch(() => null);
-            if (!rawText) {
-                continue;
-            }
-            const nestedParsed = (() => {
-                try {
-                    return JSON5.parse(rawText);
-                }
-                catch {
-                    return null;
-                }
-            })();
-            if (nestedParsed) {
-                // eslint-disable-next-line no-await-in-loop
-                await walk(resolved, nestedParsed, depth + 1);
-            }
-        }
-    };
-    await walk(params.configPath, params.parsed, 0);
-    return result;
-}
-function isPathInside(basePath, candidatePath) {
-    const base = path.resolve(basePath);
-    const candidate = path.resolve(candidatePath);
-    const rel = path.relative(base, candidate);
-    return rel === "" || (!rel.startsWith(`..${path.sep}`) && rel !== ".." && !path.isAbsolute(rel));
-}
-function extensionUsesSkippedScannerPath(entry) {
-    const segments = entry.split(/[\\/]+/).filter(Boolean);
-    return segments.some((segment) => segment === "node_modules" ||
-        (segment.startsWith(".") && segment !== "." && segment !== ".."));
-}
 async function readPluginManifestExtensions(pluginPath) {
     const manifestPath = path.join(pluginPath, "package.json");
     const raw = await fs.readFile(manifestPath, "utf-8").catch(() => "");
@@ -127,25 +48,12 @@ async function readPluginManifestExtensions(pluginPath) {
         return [];
     }
     const parsed = JSON.parse(raw);
-    const extensions = parsed?.[LEGACY_MANIFEST_KEY]?.extensions;
+    const extensions = parsed?.[MANIFEST_KEY]?.extensions;
     if (!Array.isArray(extensions)) {
         return [];
     }
     return extensions.map((entry) => (typeof entry === "string" ? entry.trim() : "")).filter(Boolean);
 }
-function listWorkspaceDirs(cfg) {
-    const dirs = new Set();
-    const list = cfg.agents?.list;
-    if (Array.isArray(list)) {
-        for (const entry of list) {
-            if (entry && typeof entry === "object" && typeof entry.id === "string") {
-                dirs.add(resolveAgentWorkspaceDir(cfg, entry.id));
-            }
-        }
-    }
-    dirs.add(resolveAgentWorkspaceDir(cfg, resolveDefaultAgentId(cfg)));
-    return [...dirs];
-}
 function formatCodeSafetyDetails(findings, rootDir) {
     return findings
         .map((finding) => {
@@ -158,74 +66,340 @@ function formatCodeSafetyDetails(findings, rootDir) {
     })
         .join("\n");
 }
-// --------------------------------------------------------------------------
-// Exported collectors
-// --------------------------------------------------------------------------
-export async function collectPluginsTrustFindings(params) {
-    const findings = [];
+async function listInstalledPluginDirs(params) {
     const extensionsDir = path.join(params.stateDir, "extensions");
     const st = await safeStat(extensionsDir);
     if (!st.ok || !st.isDir) {
-        return findings;
+        return { extensionsDir, pluginDirs: [] };
     }
-    const entries = await fs.readdir(extensionsDir, { withFileTypes: true }).catch(() => []);
+    const entries = await fs.readdir(extensionsDir, { withFileTypes: true }).catch((err) => {
+        params.onReadError?.(err);
+        return [];
+    });
     const pluginDirs = entries
-        .filter((e) => e.isDirectory())
-        .map((e) => e.name)
+        .filter((entry) => entry.isDirectory())
+        .map((entry) => entry.name)
         .filter(Boolean);
-    if (pluginDirs.length === 0) {
-        return findings;
+    return { extensionsDir, pluginDirs };
+}
+function resolveToolPolicies(params) {
+    const profile = params.agentTools?.profile ?? params.cfg.tools?.profile;
+    const profilePolicy = resolveToolProfilePolicy(profile);
+    const policies = [
+        profilePolicy,
+        pickSandboxToolPolicy(params.cfg.tools ?? undefined),
+        pickSandboxToolPolicy(params.agentTools),
+    ];
+    if (params.sandboxMode === "all") {
+        policies.push(resolveSandboxToolPolicyForAgent(params.cfg, params.agentId ?? undefined));
+    }
+    return policies;
+}
+function normalizePluginIdSet(entries) {
+    return new Set(entries.map((entry) => entry.trim().toLowerCase()).filter(Boolean));
+}
+function resolveEnabledExtensionPluginIds(params) {
+    const normalized = normalizePluginsConfig(params.cfg.plugins);
+    if (!normalized.enabled) {
+        return [];
+    }
+    const allowSet = normalizePluginIdSet(normalized.allow);
+    const denySet = normalizePluginIdSet(normalized.deny);
+    const entryById = new Map();
+    for (const [id, entry] of Object.entries(normalized.entries)) {
+        entryById.set(id.trim().toLowerCase(), entry);
+    }
+    const enabled = [];
+    for (const id of params.pluginDirs) {
+        const normalizedId = id.trim().toLowerCase();
+        if (!normalizedId) {
+            continue;
+        }
+        if (denySet.has(normalizedId)) {
+            continue;
+        }
+        if (allowSet.size > 0 && !allowSet.has(normalizedId)) {
+            continue;
+        }
+        if (entryById.get(normalizedId)?.enabled === false) {
+            continue;
+        }
+        enabled.push(normalizedId);
     }
-    const allow = params.cfg.plugins?.allow;
-    const allowConfigured = Array.isArray(allow) && allow.length > 0;
-    if (!allowConfigured) {
-        const hasString = (value) => typeof value === "string" && value.trim().length > 0;
-        const hasAccountStringKey = (account, key) => Boolean(account &&
-            typeof account === "object" &&
-            hasString(account[key]));
-        const discordConfigured = hasString(params.cfg.channels?.discord?.token) ||
-            Boolean(params.cfg.channels?.discord?.accounts &&
-                Object.values(params.cfg.channels.discord.accounts).some((a) => hasAccountStringKey(a, "token"))) ||
-            hasString(process.env.DISCORD_BOT_TOKEN);
-        const telegramConfigured = hasString(params.cfg.channels?.telegram?.botToken) ||
-            hasString(params.cfg.channels?.telegram?.tokenFile) ||
-            Boolean(params.cfg.channels?.telegram?.accounts &&
-                Object.values(params.cfg.channels.telegram.accounts).some((a) => hasAccountStringKey(a, "botToken") || hasAccountStringKey(a, "tokenFile"))) ||
-            hasString(process.env.TELEGRAM_BOT_TOKEN);
-        const slackConfigured = hasString(params.cfg.channels?.slack?.botToken) ||
-            hasString(params.cfg.channels?.slack?.appToken) ||
-            Boolean(params.cfg.channels?.slack?.accounts &&
-                Object.values(params.cfg.channels.slack.accounts).some((a) => hasAccountStringKey(a, "botToken") || hasAccountStringKey(a, "appToken"))) ||
-            hasString(process.env.SLACK_BOT_TOKEN) ||
-            hasString(process.env.SLACK_APP_TOKEN);
-        const skillCommandsLikelyExposed = (discordConfigured &&
-            resolveNativeSkillsEnabled({
-                providerId: "discord",
-                providerSetting: params.cfg.channels?.discord?.commands?.nativeSkills,
-                globalSetting: params.cfg.commands?.nativeSkills,
-            })) ||
-            (telegramConfigured &&
+    return enabled;
+}
+function collectAllowEntries(config) {
+    const out = [];
+    if (Array.isArray(config?.allow)) {
+        out.push(...config.allow);
+    }
+    if (Array.isArray(config?.alsoAllow)) {
+        out.push(...config.alsoAllow);
+    }
+    return out.map((entry) => entry.trim().toLowerCase()).filter(Boolean);
+}
+function hasExplicitPluginAllow(params) {
+    return params.allowEntries.some((entry) => entry === "group:plugins" || params.enabledPluginIds.has(entry));
+}
+function hasProviderPluginAllow(params) {
+    if (!params.byProvider) {
+        return false;
+    }
+    for (const policy of Object.values(params.byProvider)) {
+        if (hasExplicitPluginAllow({
+            allowEntries: collectAllowEntries(policy),
+            enabledPluginIds: params.enabledPluginIds,
+        })) {
+            return true;
+        }
+    }
+    return false;
+}
+function isPinnedRegistrySpec(spec) {
+    const value = spec.trim();
+    if (!value) {
+        return false;
+    }
+    const at = value.lastIndexOf("@");
+    if (at <= 0 || at >= value.length - 1) {
+        return false;
+    }
+    const version = value.slice(at + 1).trim();
+    return /^v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/.test(version);
+}
+async function readInstalledPackageVersion(dir) {
+    try {
+        const raw = await fs.readFile(path.join(dir, "package.json"), "utf-8");
+        const parsed = JSON.parse(raw);
+        return typeof parsed.version === "string" ? parsed.version : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+// --------------------------------------------------------------------------
+// Exported collectors
+// --------------------------------------------------------------------------
+export async function collectPluginsTrustFindings(params) {
+    const findings = [];
+    const { extensionsDir, pluginDirs } = await listInstalledPluginDirs({
+        stateDir: params.stateDir,
+    });
+    if (pluginDirs.length > 0) {
+        const allow = params.cfg.plugins?.allow;
+        const allowConfigured = Array.isArray(allow) && allow.length > 0;
+        if (!allowConfigured) {
+            const hasString = (value) => typeof value === "string" && value.trim().length > 0;
+            const hasAccountStringKey = (account, key) => Boolean(account &&
+                typeof account === "object" &&
+                hasString(account[key]));
+            const discordConfigured = hasString(params.cfg.channels?.discord?.token) ||
+                Boolean(params.cfg.channels?.discord?.accounts &&
+                    Object.values(params.cfg.channels.discord.accounts).some((a) => hasAccountStringKey(a, "token"))) ||
+                hasString(process.env.DISCORD_BOT_TOKEN);
+            const telegramConfigured = hasString(params.cfg.channels?.telegram?.botToken) ||
+                hasString(params.cfg.channels?.telegram?.tokenFile) ||
+                Boolean(params.cfg.channels?.telegram?.accounts &&
+                    Object.values(params.cfg.channels.telegram.accounts).some((a) => hasAccountStringKey(a, "botToken") || hasAccountStringKey(a, "tokenFile"))) ||
+                hasString(process.env.TELEGRAM_BOT_TOKEN);
+            const slackConfigured = hasString(params.cfg.channels?.slack?.botToken) ||
+                hasString(params.cfg.channels?.slack?.appToken) ||
+                Boolean(params.cfg.channels?.slack?.accounts &&
+                    Object.values(params.cfg.channels.slack.accounts).some((a) => hasAccountStringKey(a, "botToken") || hasAccountStringKey(a, "appToken"))) ||
+                hasString(process.env.SLACK_BOT_TOKEN) ||
+                hasString(process.env.SLACK_APP_TOKEN);
+            const skillCommandsLikelyExposed = (discordConfigured &&
                 resolveNativeSkillsEnabled({
-                    providerId: "telegram",
-                    providerSetting: params.cfg.channels?.telegram?.commands?.nativeSkills,
+                    providerId: "discord",
+                    providerSetting: params.cfg.channels?.discord?.commands?.nativeSkills,
                     globalSetting: params.cfg.commands?.nativeSkills,
                 })) ||
-            (slackConfigured &&
-                resolveNativeSkillsEnabled({
-                    providerId: "slack",
-                    providerSetting: params.cfg.channels?.slack?.commands?.nativeSkills,
-                    globalSetting: params.cfg.commands?.nativeSkills,
-                }));
-        findings.push({
-            checkId: "plugins.extensions_no_allowlist",
-            severity: skillCommandsLikelyExposed ? "critical" : "warn",
-            title: "Extensions exist but plugins.allow is not set",
-            detail: `Found ${pluginDirs.length} extension(s) under ${extensionsDir}. Without plugins.allow, any discovered plugin id may load (depending on config and plugin behavior).` +
-                (skillCommandsLikelyExposed
-                    ? "\nNative skill commands are enabled on at least one configured chat surface; treat unpinned/unallowlisted extensions as high risk."
-                    : ""),
-            remediation: "Set plugins.allow to an explicit list of plugin ids you trust.",
+                (telegramConfigured &&
+                    resolveNativeSkillsEnabled({
+                        providerId: "telegram",
+                        providerSetting: params.cfg.channels?.telegram?.commands?.nativeSkills,
+                        globalSetting: params.cfg.commands?.nativeSkills,
+                    })) ||
+                (slackConfigured &&
+                    resolveNativeSkillsEnabled({
+                        providerId: "slack",
+                        providerSetting: params.cfg.channels?.slack?.commands?.nativeSkills,
+                        globalSetting: params.cfg.commands?.nativeSkills,
+                    }));
+            findings.push({
+                checkId: "plugins.extensions_no_allowlist",
+                severity: skillCommandsLikelyExposed ? "critical" : "warn",
+                title: "Extensions exist but plugins.allow is not set",
+                detail: `Found ${pluginDirs.length} extension(s) under ${extensionsDir}. Without plugins.allow, any discovered plugin id may load (depending on config and plugin behavior).` +
+                    (skillCommandsLikelyExposed
+                        ? "\nNative skill commands are enabled on at least one configured chat surface; treat unpinned/unallowlisted extensions as high risk."
+                        : ""),
+                remediation: "Set plugins.allow to an explicit list of plugin ids you trust.",
+            });
+        }
+        const enabledExtensionPluginIds = resolveEnabledExtensionPluginIds({
+            cfg: params.cfg,
+            pluginDirs,
         });
+        if (enabledExtensionPluginIds.length > 0) {
+            const enabledPluginSet = new Set(enabledExtensionPluginIds);
+            const contexts = [{ label: "default" }];
+            for (const entry of params.cfg.agents?.list ?? []) {
+                if (!entry || typeof entry !== "object" || typeof entry.id !== "string") {
+                    continue;
+                }
+                contexts.push({
+                    label: `agents.list.${entry.id}`,
+                    agentId: entry.id,
+                    tools: entry.tools,
+                });
+            }
+            const permissiveContexts = [];
+            for (const context of contexts) {
+                const profile = context.tools?.profile ?? params.cfg.tools?.profile;
+                const restrictiveProfile = Boolean(resolveToolProfilePolicy(profile));
+                const sandboxMode = resolveSandboxConfigForAgent(params.cfg, context.agentId).mode;
+                const policies = resolveToolPolicies({
+                    cfg: params.cfg,
+                    agentTools: context.tools,
+                    sandboxMode,
+                    agentId: context.agentId,
+                });
+                const broadPolicy = isToolAllowedByPolicies("__openclaw_plugin_probe__", policies);
+                const explicitPluginAllow = !restrictiveProfile &&
+                    (hasExplicitPluginAllow({
+                        allowEntries: collectAllowEntries(params.cfg.tools),
+                        enabledPluginIds: enabledPluginSet,
+                    }) ||
+                        hasProviderPluginAllow({
+                            byProvider: params.cfg.tools?.byProvider,
+                            enabledPluginIds: enabledPluginSet,
+                        }) ||
+                        hasExplicitPluginAllow({
+                            allowEntries: collectAllowEntries(context.tools),
+                            enabledPluginIds: enabledPluginSet,
+                        }) ||
+                        hasProviderPluginAllow({
+                            byProvider: context.tools?.byProvider,
+                            enabledPluginIds: enabledPluginSet,
+                        }));
+                if (broadPolicy || explicitPluginAllow) {
+                    permissiveContexts.push(context.label);
+                }
+            }
+            if (permissiveContexts.length > 0) {
+                findings.push({
+                    checkId: "plugins.tools_reachable_permissive_policy",
+                    severity: "warn",
+                    title: "Extension plugin tools may be reachable under permissive tool policy",
+                    detail: `Enabled extension plugins: ${enabledExtensionPluginIds.join(", ")}.\n` +
+                        `Permissive tool policy contexts:\n${permissiveContexts.map((entry) => `- ${entry}`).join("\n")}`,
+                    remediation: "Use restrictive profiles (`minimal`/`coding`) or explicit tool allowlists that exclude plugin tools for agents handling untrusted input.",
+                });
+            }
+        }
+    }
+    const pluginInstalls = params.cfg.plugins?.installs ?? {};
+    const npmPluginInstalls = Object.entries(pluginInstalls).filter(([, record]) => record?.source === "npm");
+    if (npmPluginInstalls.length > 0) {
+        const unpinned = npmPluginInstalls
+            .filter(([, record]) => typeof record.spec === "string" && !isPinnedRegistrySpec(record.spec))
+            .map(([pluginId, record]) => `${pluginId} (${record.spec})`);
+        if (unpinned.length > 0) {
+            findings.push({
+                checkId: "plugins.installs_unpinned_npm_specs",
+                severity: "warn",
+                title: "Plugin installs include unpinned npm specs",
+                detail: `Unpinned plugin install records:\n${unpinned.map((entry) => `- ${entry}`).join("\n")}`,
+                remediation: "Pin install specs to exact versions (for example, `@scope/pkg@1.2.3`) for higher supply-chain stability.",
+            });
+        }
+        const missingIntegrity = npmPluginInstalls
+            .filter(([, record]) => typeof record.integrity !== "string" || record.integrity.trim() === "")
+            .map(([pluginId]) => pluginId);
+        if (missingIntegrity.length > 0) {
+            findings.push({
+                checkId: "plugins.installs_missing_integrity",
+                severity: "warn",
+                title: "Plugin installs are missing integrity metadata",
+                detail: `Plugin install records missing integrity:\n${missingIntegrity.map((entry) => `- ${entry}`).join("\n")}`,
+                remediation: "Reinstall or update plugins to refresh install metadata with resolved integrity hashes.",
+            });
+        }
+        const pluginVersionDrift = [];
+        for (const [pluginId, record] of npmPluginInstalls) {
+            const recordedVersion = record.resolvedVersion ?? record.version;
+            if (!recordedVersion) {
+                continue;
+            }
+            const installPath = record.installPath ?? path.join(params.stateDir, "extensions", pluginId);
+            // eslint-disable-next-line no-await-in-loop
+            const installedVersion = await readInstalledPackageVersion(installPath);
+            if (!installedVersion || installedVersion === recordedVersion) {
+                continue;
+            }
+            pluginVersionDrift.push(`${pluginId} (recorded ${recordedVersion}, installed ${installedVersion})`);
+        }
+        if (pluginVersionDrift.length > 0) {
+            findings.push({
+                checkId: "plugins.installs_version_drift",
+                severity: "warn",
+                title: "Plugin install records drift from installed package versions",
+                detail: `Detected plugin install metadata drift:\n${pluginVersionDrift.map((entry) => `- ${entry}`).join("\n")}`,
+                remediation: "Run `openclaw plugins update --all` (or reinstall affected plugins) to refresh install metadata.",
+            });
+        }
+    }
+    const hookInstalls = params.cfg.hooks?.internal?.installs ?? {};
+    const npmHookInstalls = Object.entries(hookInstalls).filter(([, record]) => record?.source === "npm");
+    if (npmHookInstalls.length > 0) {
+        const unpinned = npmHookInstalls
+            .filter(([, record]) => typeof record.spec === "string" && !isPinnedRegistrySpec(record.spec))
+            .map(([hookId, record]) => `${hookId} (${record.spec})`);
+        if (unpinned.length > 0) {
+            findings.push({
+                checkId: "hooks.installs_unpinned_npm_specs",
+                severity: "warn",
+                title: "Hook installs include unpinned npm specs",
+                detail: `Unpinned hook install records:\n${unpinned.map((entry) => `- ${entry}`).join("\n")}`,
+                remediation: "Pin hook install specs to exact versions (for example, `@scope/pkg@1.2.3`) for higher supply-chain stability.",
+            });
+        }
+        const missingIntegrity = npmHookInstalls
+            .filter(([, record]) => typeof record.integrity !== "string" || record.integrity.trim() === "")
+            .map(([hookId]) => hookId);
+        if (missingIntegrity.length > 0) {
+            findings.push({
+                checkId: "hooks.installs_missing_integrity",
+                severity: "warn",
+                title: "Hook installs are missing integrity metadata",
+                detail: `Hook install records missing integrity:\n${missingIntegrity.map((entry) => `- ${entry}`).join("\n")}`,
+                remediation: "Reinstall or update hooks to refresh install metadata with resolved integrity hashes.",
+            });
+        }
+        const hookVersionDrift = [];
+        for (const [hookId, record] of npmHookInstalls) {
+            const recordedVersion = record.resolvedVersion ?? record.version;
+            if (!recordedVersion) {
+                continue;
+            }
+            const installPath = record.installPath ?? path.join(params.stateDir, "hooks", hookId);
+            // eslint-disable-next-line no-await-in-loop
+            const installedVersion = await readInstalledPackageVersion(installPath);
+            if (!installedVersion || installedVersion === recordedVersion) {
+                continue;
+            }
+            hookVersionDrift.push(`${hookId} (recorded ${recordedVersion}, installed ${installedVersion})`);
+        }
+        if (hookVersionDrift.length > 0) {
+            findings.push({
+                checkId: "hooks.installs_version_drift",
+                severity: "warn",
+                title: "Hook install records drift from installed package versions",
+                detail: `Detected hook install metadata drift:\n${hookVersionDrift.map((entry) => `- ${entry}`).join("\n")}`,
+                remediation: "Run `openclaw hooks update --all` (or reinstall affected hooks) to refresh install metadata.",
+            });
+        }
     }
     return findings;
 }
@@ -452,22 +626,18 @@ export async function readConfigSnapshotForAudit(params) {
 }
 export async function collectPluginsCodeSafetyFindings(params) {
     const findings = [];
-    const extensionsDir = path.join(params.stateDir, "extensions");
-    const st = await safeStat(extensionsDir);
-    if (!st.ok || !st.isDir) {
-        return findings;
-    }
-    const entries = await fs.readdir(extensionsDir, { withFileTypes: true }).catch((err) => {
-        findings.push({
-            checkId: "plugins.code_safety.scan_failed",
-            severity: "warn",
-            title: "Plugin extensions directory scan failed",
-            detail: `Static code scan could not list extensions directory: ${String(err)}`,
-            remediation: "Check file permissions and plugin layout, then rerun `poolbot security audit --deep`.",
-        });
-        return [];
+    const { extensionsDir, pluginDirs } = await listInstalledPluginDirs({
+        stateDir: params.stateDir,
+        onReadError: (err) => {
+            findings.push({
+                checkId: "plugins.code_safety.scan_failed",
+                severity: "warn",
+                title: "Plugin extensions directory scan failed",
+                detail: `Static code scan could not list extensions directory: ${String(err)}`,
+                remediation: "Check file permissions and plugin layout, then rerun `poolbot security audit --deep`.",
+            });
+        },
     });
-    const pluginDirs = entries.filter((e) => e.isDirectory()).map((e) => e.name);
     for (const pluginName of pluginDirs) {
         const pluginPath = path.join(extensionsDir, pluginName);
         const extensionEntries = await readPluginManifestExtensions(pluginPath).catch(() => []);
@@ -496,12 +666,14 @@ export async function collectPluginsCodeSafetyFindings(params) {
                 severity: "critical",
                 title: `Plugin "${pluginName}" has extension entry path traversal`,
                 detail: `Found extension entries that escape the plugin directory:\n${escapedEntries.map((entry) => `  - ${entry}`).join("\n")}`,
-                remediation: "Update the plugin manifest so all poolbot.extensions entries stay inside the plugin directory.",
+                remediation: "Update the plugin manifest so all openclaw.extensions entries stay inside the plugin directory.",
             });
         }
-        const summary = await scanDirectoryWithSummary(pluginPath, {
+        const summary = await skillScanner
+            .scanDirectoryWithSummary(pluginPath, {
             includeFiles: forcedScanEntries,
-        }).catch((err) => {
+        })
+            .catch((err) => {
             findings.push({
                 checkId: "plugins.code_safety.scan_failed",
                 severity: "warn",
@@ -522,7 +694,7 @@ export async function collectPluginsCodeSafetyFindings(params) {
                 severity: "critical",
                 title: `Plugin "${pluginName}" contains dangerous code patterns`,
                 detail: `Found ${summary.critical} critical issue(s) in ${summary.scannedFiles} scanned file(s):\n${details}`,
-                remediation: "Review the plugin source code carefully before use. If untrusted, remove the plugin from your Pool Bot extensions state directory.",
+                remediation: "Review the plugin source code carefully before use. If untrusted, remove the plugin from your OpenClaw extensions state directory.",
             });
         }
         else if (summary.warn > 0) {
@@ -543,7 +715,7 @@ export async function collectInstalledSkillsCodeSafetyFindings(params) {
     const findings = [];
     const pluginExtensionsDir = path.join(params.stateDir, "extensions");
     const scannedSkillDirs = new Set();
-    const workspaceDirs = listWorkspaceDirs(params.cfg);
+    const workspaceDirs = listAgentWorkspaceDirs(params.cfg);
     for (const workspaceDir of workspaceDirs) {
         const entries = loadWorkspaceSkillEntries(workspaceDir, { config: params.cfg });
         for (const entry of entries) {
@@ -560,7 +732,7 @@ export async function collectInstalledSkillsCodeSafetyFindings(params) {
             }
             scannedSkillDirs.add(skillDir);
             const skillName = entry.skill.name;
-            const summary = await scanDirectoryWithSummary(skillDir).catch((err) => {
+            const summary = await skillScanner.scanDirectoryWithSummary(skillDir).catch((err) => {
                 findings.push({
                     checkId: "skills.code_safety.scan_failed",
                     severity: "warn",

package/dist/security/audit-extra.js

@@ -1,2 +1,12 @@
-export { collectAttackSurfaceSummaryFindings, collectExposureMatrixFindings, collectHooksHardeningFindings, collectModelHygieneFindings, collectSecretsInConfigFindings, collectSmallModelRiskFindings, collectSyncedFolderFindings, } from "./audit-extra.sync.js";
+/**
+ * Re-export barrel for security audit collector functions.
+ *
+ * Maintains backward compatibility with existing imports from audit-extra.
+ * Implementation split into:
+ * - audit-extra.sync.ts: Config-based checks (no I/O)
+ * - audit-extra.async.ts: Filesystem/plugin checks (async I/O)
+ */
+// Sync collectors
+export { collectAttackSurfaceSummaryFindings, collectExposureMatrixFindings, collectGatewayHttpNoAuthFindings, collectGatewayHttpSessionKeyOverrideFindings, collectHooksHardeningFindings, collectMinimalProfileOverrideFindings, collectModelHygieneFindings, collectNodeDenyCommandPatternFindings, collectSandboxDangerousConfigFindings, collectSandboxDockerNoopFindings, collectSecretsInConfigFindings, collectSmallModelRiskFindings, collectSyncedFolderFindings, } from "./audit-extra.sync.js";
+// Async collectors
 export { collectIncludeFilePermFindings, collectInstalledSkillsCodeSafetyFindings, collectPluginsCodeSafetyFindings, collectPluginsTrustFindings, collectStateDeepFilesystemFindings, readConfigSnapshotForAudit, } from "./audit-extra.async.js";