npm - @pwddd/skills-scanner - Versions diffs - 1.0.0-beta.1 - Mend

@pwddd/skills-scanner 1.0.0-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

package/README.md +255 -0
package/index.ts +647 -0
package/openclaw.plugin.json +122 -0
package/package.json +64 -0
package/skills/skills-scanner/SKILL.md +281 -0
package/src/api-client.ts +245 -0
package/src/before-install-hook.ts +241 -0
package/src/cache.ts +138 -0
package/src/commands.ts +289 -0
package/src/config-validator.ts +110 -0
package/src/config.ts +230 -0
package/src/cron-manager.ts +210 -0
package/src/debug.ts +40 -0
package/src/error-handler.ts +103 -0
package/src/high-risk-operation-guard.ts +62 -0
package/src/metrics.ts +140 -0
package/src/prompt-guidance.ts +80 -0
package/src/prompt-injection-guard.ts +56 -0
package/src/rate-limiter.ts +102 -0
package/src/report.ts +128 -0
package/src/scanner.ts +230 -0
package/src/state.ts +136 -0
package/src/structured-logger.ts +97 -0
package/src/types.ts +76 -0
package/src/watcher.ts +178 -0

package/src/types.ts ADDED Viewed

@@ -0,0 +1,76 @@
+/**
+ * Skills Scanner 类型定义
+ */
+export interface ScannerConfig {
+  apiUrl?: string;
+  scanDirs?: string[];
+  behavioral?: boolean;
+  useLLM?: boolean;
+  policy?: "strict" | "balanced" | "permissive";
+  preInstallScan?: "on" | "off";
+  onUnsafe?: "quarantine" | "delete" | "warn";
+  injectSecurityGuidance?: boolean;
+  enablePromptInjectionGuard?: boolean;
+  enableHighRiskOperationGuard?: boolean;
+  enableBeforeInstallHook?: boolean;
+  scanTimeoutMs?: number; // Scan timeout in milliseconds (default: 180000)
+  reportDir?: string; // Custom report directory
+  quarantineDir?: string; // Custom quarantine directory
+}
+export interface ScanState {
+  version?: number; // State schema version
+  lastScanAt?: string;
+  lastShutdownAt?: string;
+  lastUninstallAt?: string; // Track when plugin was uninstalled
+  lastUnsafeSkills?: string[];
+  configReviewed?: boolean;
+  cronJobId?: string;
+  pendingAlerts?: string[];
+}
+export interface ScanOptions {
+  detailed?: boolean;
+  behavioral?: boolean;
+  recursive?: boolean;
+  jsonOut?: string;
+  apiUrl?: string;
+  useLLM?: boolean;
+  policy?: string;
+}
+export interface ScanResult {
+  exitCode: number;
+  output: string;
+  data?: ScanResultData;
+}
+export interface ScanResultData {
+  is_safe?: boolean;
+  max_severity?: string;
+  findings?: number;
+  error?: string;
+}
+export interface ScanRecord {
+  name?: string;
+  path?: string;
+  is_safe?: boolean;
+  error?: string;
+  max_severity?: string;
+  findings?: number;
+}
+export type OnUnsafeAction = "quarantine" | "delete" | "warn";
+export interface CommandResponse {
+  text: string;
+}
+export interface PluginLogger {
+  debug(message: string, data?: any): void;
+  info(message: string, data?: any): void;
+  warn(message: string, data?: any): void;
+  error(message: string, data?: any): void;
+}

package/src/watcher.ts ADDED Viewed

@@ -0,0 +1,178 @@
+/**
+ * File watcher module for pre-installation scanning
+ */
+import { watch as fsWatch, existsSync, renameSync, rmSync } from "node:fs";
+import { join, basename } from "node:path";
+import { mkdirSync } from "node:fs";
+import { runScan } from "./scanner.js";
+import type { OnUnsafeAction, PluginLogger } from "./types.js";
+// Debounce delay in milliseconds
+const DEBOUNCE_DELAY = 1000; // Increased from 500ms to 1000ms for better stability
+export async function handleNewSkill(
+  skillPath: string,
+  onUnsafe: OnUnsafeAction,
+  behavioral: boolean,
+  apiUrl: string,
+  useLLM: boolean,
+  policy: string,
+  notifyFn: (msg: string) => void,
+  logger: PluginLogger,
+  quarantineDir: string
+): Promise<void> {
+  if (!existsSync(join(skillPath, "SKILL.md"))) return;
+  const name = basename(skillPath);
+  logger.info(`[skills-scanner] 🔍 检测到新 Skill，开始安装前扫描：${name}`);
+  notifyFn(`🔍 检测到新 Skill \`${name}\`，正在安全扫描...`);
+  try {
+    const res = await runScan("scan", skillPath, {
+      behavioral,
+      detailed: true,
+      apiUrl,
+      useLLM,
+      policy,
+    });
+    if (res.exitCode === 0) {
+      notifyFn(`✅ \`${name}\` 安全检查通过，可以正常使用。`);
+      return;
+    }
+    let action = "";
+    try {
+      if (onUnsafe === "quarantine") {
+        mkdirSync(quarantineDir, { recursive: true });
+        const dest = join(quarantineDir, `${name}-${Date.now()}`);
+        renameSync(skillPath, dest);
+        action = `已移入隔离目录：\`${dest}\``;
+      } else if (onUnsafe === "delete") {
+        rmSync(skillPath, { recursive: true, force: true });
+        action = "已自动删除";
+      } else {
+        action = "仅警告，Skill 已保留（请谨慎使用）";
+      }
+    } catch (e: any) {
+      action = `处置失败：${e.message}`;
+      logger.error("[skills-scanner] Failed to handle unsafe skill", {
+        skill: name,
+        error: e.message,
+      });
+    }
+    notifyFn(
+      [
+        `❌ *安全警告：\`${name}\` 未通过扫描*`,
+        `处置：${action}`,
+        "```",
+        res.output.slice(0, 600),
+        "```",
+      ].join("\n")
+    );
+  } catch (err: any) {
+    logger.error("[skills-scanner] Scan failed for new skill", {
+      skill: name,
+      error: err.message,
+      stack: err.stack,
+    });
+    notifyFn(`⚠️ \`${name}\` 扫描失败：${err.message}`);
+  }
+}
+export function startWatcher(
+  dirs: string[],
+  onUnsafe: OnUnsafeAction,
+  behavioral: boolean,
+  apiUrl: string,
+  useLLM: boolean,
+  policy: string,
+  notifyFn: (msg: string) => void,
+  logger: PluginLogger,
+  quarantineDir: string
+): () => void {
+  const timers = new Map<string, NodeJS.Timeout>();
+  const processing = new Set<string>(); // Track files being processed
+  const watchers = dirs.map((dir) => {
+    if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+    logger.info(`[skills-scanner] 👁  监听目录：${dir}`);
+    const watcher = fsWatch(dir, { persistent: false }, (_evt, filename) => {
+      if (!filename) return;
+      const skillPath = join(dir, filename);
+      // Skip if file doesn't exist or is already being processed
+      if (!existsSync(skillPath) || processing.has(skillPath)) return;
+      // Clear existing timer for this path (debounce)
+      const prev = timers.get(skillPath);
+      if (prev) clearTimeout(prev);
+      // Set new timer with debounce delay
+      timers.set(
+        skillPath,
+        setTimeout(async () => {
+          timers.delete(skillPath);
+          processing.add(skillPath);
+          try {
+            await handleNewSkill(
+              skillPath,
+              onUnsafe,
+              behavioral,
+              apiUrl,
+              useLLM,
+              policy,
+              notifyFn,
+              logger,
+              quarantineDir
+            );
+          } catch (err: any) {
+            logger.error("[skills-scanner] Watcher handler failed", {
+              path: skillPath,
+              error: err.message,
+            });
+          } finally {
+            processing.delete(skillPath);
+          }
+        }, DEBOUNCE_DELAY)
+      );
+    });
+    // Add error handler for watcher
+    watcher.on("error", (error: Error) => {
+      logger.error("[skills-scanner] Watcher error", {
+        directory: dir,
+        error: error.message,
+        stack: error.stack,
+      });
+    });
+    return watcher;
+  });
+  return () => {
+    try {
+      watchers.forEach((w) => {
+        try {
+          w.close();
+        } catch (err: any) {
+          logger.warn("[skills-scanner] Failed to close watcher", {
+            error: err.message,
+          });
+        }
+      });
+      timers.forEach((t) => clearTimeout(t));
+      timers.clear();
+      processing.clear();
+      logger.info("[skills-scanner] 目录监听已停止");
+    } catch (err: any) {
+      logger.error("[skills-scanner] Error stopping watcher", {
+        error: err.message,
+      });
+    }
+  };
+}