npm - @pwddd/skills-scanner - Versions diffs - 1.0.0-beta.2 → 1.0.0-beta.22 - Mend

@pwddd/skills-scanner 1.0.0-beta.2 → 1.0.0-beta.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/README.md +4 -255
package/index.ts +13 -266
package/openclaw.plugin.json +1 -11
package/package.json +4 -4
package/skills/skills-scanner/SKILL.md +15 -51
package/src/api-client.ts +32 -2
package/src/before-install-hook.ts +42 -9
package/src/commands.ts +21 -98
package/src/config-validator.ts +0 -16
package/src/config.ts +8 -50
package/src/cron-manager.ts +117 -169
package/src/prompt-guidance.ts +8 -18
package/src/state.ts +0 -17
package/src/types.ts +0 -4
package/src/high-risk-operation-guard.ts +0 -62
package/src/prompt-injection-guard.ts +0 -56
package/src/report.ts +0 -128
package/src/watcher.ts +0 -178

package/README.md CHANGED Viewed

@@ -1,255 +1,4 @@
-# Skills Scanner Plugin
-OpenClaw Skills 安全扫描插件，用于检测 Skills 中的潜在安全威胁。
-## 功能特性
-- 🔍 **自动扫描**: 监听 Skills 目录，自动扫描新安装的 Skill
-- 🛡️ **安装前拦截**: 使用 before_install hook 在安装前强制拦截不安全的 Skills
-- 🌐 **ClawHub 扫描**: 直接扫描 ClawHub 上的 Skill，无需手动下载
-- 📊 **定时周报**: 每周一自动生成安全扫描报告
-- 🛡️ **多种策略**: 支持 strict/balanced/permissive 三种扫描策略
-- 🤖 **LLM 分析**: 可选的 LLM 语义分析
-- 🔒 **自动隔离**: 检测到不安全的 Skill 自动隔离或删除
-## 安装
-```bash
-# 从本地安装（开发）
-openclaw plugins install ./skills-scanner
-# 从 npm 安装（发布后）
-openclaw plugins install @pwddd/skills-scanner
-```
-## 配置
-在 `~/.openclaw/openclaw.json` 或工作区配置中添加：
-```json
-{
-  "plugins": {
-    "entries": {
-      "skills-scanner": {
-        "enabled": true,
-        "config": {
-          "apiUrl": "https://110.vemic.com/skills-scanner",
-          "scanDirs": ["~/.openclaw/skills", "~/.openclaw/workspace/skills"],
-          "behavioral": false,
-          "useLLM": false,
-          "policy": "balanced",
-          "preInstallScan": "on",
-          "onUnsafe": "warn",
-          "enableBeforeInstallHook": true
-        }
-      }
-    }
-  }
-}
-```
-### 配置说明
-- `apiUrl`: 扫描 API 服务地址
-- `scanDirs`: 要监控的 Skills 目录列表
-- `behavioral`: 是否启用行为分析（深度扫描，较慢）
-- `useLLM`: 是否使用 LLM 进行语义分析
-- `policy`: 扫描策略
-  - `strict`: 严格模式，发现任何可疑行为都标记为不安全
-  - `balanced`: 平衡模式（推荐）
-  - `permissive`: 宽松模式，只标记明确的威胁
-- `preInstallScan`: 是否启用文件监控（安装后扫描）
-  - `on`: 启用
-  - `off`: 禁用
-- `onUnsafe`: 发现不安全 Skill 的处理方式
-  - `warn`: 仅警告，不处理（推荐）
-  - `quarantine`: 移入隔离目录
-  - `delete`: 直接删除
-- `enableBeforeInstallHook`: 是否启用 before_install hook（安装前拦截）
-  - `true`: 启用（强烈推荐）
-  - `false`: 禁用
-- `scanTimeoutMs`: 扫描超时时间（毫秒），默认 180000 (3分钟)
-- `reportDir`: 自定义报告目录
-- `quarantineDir`: 自定义隔离目录
-### 高级功能
-#### 配置热重载
-插件支持配置热重载，修改配置后无需重启 Gateway:
-```bash
-# 修改配置文件
-vim ~/.openclaw/config.json
-# 重载配置
-openclaw config reload
-```
-配置变更会自动:
-- 更新 API URL
-- 重启文件监控器（如果扫描目录变更）
-- 应用新的扫描策略
-#### 调试模式
-启用调试模式可以查看详细的运行日志:
-```bash
-# 启用调试模式
-export SKILLS_SCANNER_DEBUG=1
-openclaw gateway start
-# 或者一次性启用
-SKILLS_SCANNER_DEBUG=1 openclaw gateway start
-```
-调试模式会输出:
-- 完整的配置信息
-- 详细的扫描过程
-- API 请求和响应
-- 文件监控事件
-#### 健康检查端点
-插件提供 HTTP 健康检查端点:
-```bash
-# 通过 HTTP 访问
-curl http://localhost:3000/health/skills-scanner
-# 返回示例
-{
-  "status": "healthy",
-  "plugin": {
-    "version": "1.0.0",
-    "id": "skills-scanner",
-    "name": "Skills Scanner"
-  },
-  "api": {
-    "url": "https://110.vemic.com/skills-scanner",
-    "status": "available"
-  },
-  "watcher": {
-    "enabled": true,
-    "running": true,
-    "directories": 2
-  },
-  "metrics": {
-    "totalScans": 42,
-    "successRate": "95.24%",
-    "averageDurationMs": 1234
-  }
-}
-```
-## 使用方法
-### 聊天命令
-```
-/skills-scanner scan <路径> [选项]    # 扫描 Skill
-/skills-scanner scan clawhub <URL> [选项]  # 扫描 ClawHub Skill
-/skills-scanner health                # 健康检查
-/skills-scanner config [操作]         # 配置管理
-/skills-scanner cron [操作]           # 定时任务管理
-/skills-scanner help                  # 帮助信息
-```
-#### 扫描选项
-- `--detailed`: 显示详细的安全发现
-- `--behavioral`: 启用行为分析
-- `--recursive`: 递归扫描子目录
-- `--report`: 生成日报格式
-#### 示例
-```
-/skills-scanner scan ~/.openclaw/skills/my-skill
-/skills-scanner scan ~/.openclaw/skills --recursive
-/skills-scanner scan ~/.openclaw/skills --report
-/skills-scanner scan clawhub https://clawhub.ai/username/project
-/skills-scanner scan clawhub https://clawhub.ai/Asleep123/caldav-calendar --detailed
-/skills-scanner health
-```
-### CLI 命令
-```bash
-# 扫描单个 Skill
-openclaw skills-scanner scan <path> [--detailed] [--behavioral]
-# 扫描 ClawHub Skill
-openclaw skills-scanner clawhub <url> [--detailed] [--behavioral]
-# 批量扫描目录
-openclaw skills-scanner batch <directory> [--recursive] [--detailed]
-# 生成日报
-openclaw skills-scanner report
-# 检查 API 服务健康状态
-openclaw skills-scanner health
-```
-## 工作流程
-1. **插件启动**: 自动初始化并连接 API 服务
-2. **文件监控**: 监听配置的 Skills 目录
-3. **自动扫描**: 检测到新 Skill 时自动触发扫描
-4. **结果处理**: 根据配置隔离/删除/警告不安全的 Skill
-5. **定时周报**: 每周一 12:05 自动生成安全报告
-## 故障排除
-### API 服务连接失败
-1. 确保 API 服务地址配置正确
-2. 运行健康检查：`/skills-scanner health`
-3. 检查网络连接
-### 定时任务未注册
-定时任务会在插件启动时自动注册。如果需要手动注册：
-```bash
-# 手动注册定时任务
-/skills-scanner cron setup
-# 或使用 CLI
-openclaw cron add \
-  --name "skills-weekly-report" \
-  --cron "5 12 * * 1" \
-  --tz "Asia/Shanghai" \
-  --session isolated \
-  --message "请执行 /skills-scanner scan --report 并把结果发送到此渠道" \
-  --announce
-```
-## 开发
-### 目录结构
-```
-extensions/skills-scanner/
-├── package.json              # npm 包配置
-├── openclaw.plugin.json      # 插件元数据
-├── README.md                 # 文档
-├── index.ts                  # 插件入口
-├── src/                      # 源代码
-│   ├── api-client.ts        # HTTP API 客户端
-│   ├── config.ts            # 配置管理
-│   ├── scanner.ts           # 扫描逻辑
-│   ├── watcher.ts           # 文件监控
-│   ├── cron.ts              # 定时任务
-│   ├── commands.ts          # 命令处理
-│   └── types.ts             # 类型定义
-└── skills/
-    └── skills-scanner/
-        └── SKILL.md         # Skill 文档
-```
-## 许可证
-MIT
+# deprecated
+# 废弃
+该插件已被弃用，建议使用其他插件替代

package/index.ts CHANGED Viewed

@@ -6,27 +6,20 @@
 import { definePluginEntry } from "openclaw/plugin-sdk/plugin-entry";
 import { join } from "node:path";
-import os from "node:os";
-import { existsSync } from "node:fs";
 import type { ScannerConfig } from "./src/types.js";
 import { skillsScannerConfigSchema, generateConfigGuide } from "./src/config.js";
 import {
   loadState,
   saveState,
   expandPath,
-  defaultScanDirs,
   isFirstRun,
   markConfigReviewed,
   getStateDir,
 } from "./src/state.js";
 import { runScan } from "./src/scanner.js";
-import { buildDailyReport } from "./src/report.js";
-import { ensureCronJobViaGateway, checkCronJobStatus } from "./src/cron-manager.js";
-import { startWatcher } from "./src/watcher.js";
+import { ensureCronJob } from "./src/cron-manager.js";
 import { createCommandHandlers } from "./src/commands.js";
 import { SKILLS_SECURITY_GUIDANCE } from "./src/prompt-guidance.js";
-import { PROMPT_INJECTION_GUARD } from "./src/prompt-injection-guard.js";
-import { HIGH_RISK_OPERATION_GUARD } from "./src/high-risk-operation-guard.js";
 import { handleBeforeInstall } from "./src/before-install-hook.js";
 import type { BeforeInstallEvent } from "./src/before-install-hook.js";
 import { validateConfig } from "./src/config-validator.js";
@@ -57,24 +50,16 @@ export default definePluginEntry({
   }
   const apiUrl = cfg.apiUrl ?? "https://110.vemic.com/skills-scanner";
-  const scanDirs =
-    (cfg.scanDirs?.map(expandPath) ?? []).filter(existsSync).length > 0
-      ? cfg.scanDirs!.map(expandPath)
-      : defaultScanDirs();
   const behavioral = cfg.behavioral ?? false;
   const useLLM = cfg.useLLM ?? false;
   const policy = cfg.policy ?? "balanced";
-  const preInstallScan = cfg.preInstallScan ?? "on";
   const onUnsafe = cfg.onUnsafe ?? "warn";
   const injectSecurityGuidance = cfg.injectSecurityGuidance ?? true;
-  const enablePromptInjectionGuard = cfg.enablePromptInjectionGuard ?? false;
-  const enableHighRiskOperationGuard = cfg.enableHighRiskOperationGuard ?? false;
   const enableBeforeInstallHook = cfg.enableBeforeInstallHook ?? true;
   api.logger.info("[skills-scanner] ═══════════════════════════════════════");
   api.logger.info("[skills-scanner] Plugin loading...");
   api.logger.info(`[skills-scanner] API URL: ${apiUrl}`);
-  api.logger.info(`[skills-scanner] Scan directories: ${scanDirs.join(", ")}`);
   api.logger.info(`[skills-scanner] Before-install hook: ${enableBeforeInstallHook ? "✅ ENABLED" : "❌ DISABLED"}`);
   if (isDebugMode()) {
@@ -84,30 +69,11 @@ export default definePluginEntry({
   // Inject system prompt guidance (can be disabled via config)
   if (injectSecurityGuidance) {
-    // Build combined guidance
-    const guidanceParts = [SKILLS_SECURITY_GUIDANCE];
-    if (enablePromptInjectionGuard) {
-      guidanceParts.push(PROMPT_INJECTION_GUARD);
-    }
-    if (enableHighRiskOperationGuard) {
-      guidanceParts.push(HIGH_RISK_OPERATION_GUARD);
-    }
-    const combinedGuidance = guidanceParts.join("\n\n");
     api.on("before_prompt_build", async () => ({
-      prependSystemContext: combinedGuidance,
+      prependSystemContext: SKILLS_SECURITY_GUIDANCE,
     }));
     api.logger.info("[skills-scanner] ✅ Security guidance injected into system prompt");
-    if (enablePromptInjectionGuard) {
-      api.logger.info("[skills-scanner]    - Prompt injection guard enabled");
-    }
-    if (enableHighRiskOperationGuard) {
-      api.logger.info("[skills-scanner]    - High-risk operation guard enabled");
-    }
   } else {
     api.logger.info("[skills-scanner] ⏭️  Security guidance injection disabled");
   }
@@ -129,7 +95,9 @@ export default definePluginEntry({
         api.logger.error("[skills-scanner] ❌ before_install hook error", {
           error: err.message,
           stack: err.stack,
-          skillPath: event.skillPath,
+          sourcePath: event.sourcePath,
+          targetType: event.targetType,
+          targetName: event.targetName,
         });
         // Return safe default on error - allow installation but log the failure
         return { block: false };
@@ -141,80 +109,20 @@ export default definePluginEntry({
     api.logger.warn("[skills-scanner] ⚠️  before_install hook DISABLED - installations will NOT be intercepted!");
   }
-  // Register gateway_start hook for automatic cron job registration
-  api.on("gateway_start", async () => {
+  // 在插件启动时设置系统 crontab 清理任务
+  (async () => {
     try {
-      api.logger.info("[skills-scanner] 🚀 Gateway started, checking cron job...");
-      await ensureCronJobViaGateway({
+      await ensureCronJob({
         logger: api.logger,
-        callGateway: async (method: string, params: any) => {
-          return await api.callGateway(method, params);
-        },
-      });
-      api.logger.info("[skills-scanner] ✅ Cron job check completed");
-    } catch (err: any) {
-      api.logger.error("[skills-scanner] ❌ Cron job registration failed", {
-        error: err.message,
-        stack: err.stack,
+        config: api.config,
       });
-      // Don't throw - avoid blocking gateway startup
-    }
-  });
-  // Register plugin_uninstall hook for cleanup
-  api.on("plugin_uninstall", async () => {
-    api.logger.info("[skills-scanner] 🗑️  Plugin uninstalling, cleaning up...");
-    try {
-      // 1. Stop file watcher
-      if (stopWatcher) {
-        api.logger.debug("[skills-scanner] Stopping file watcher...");
-        stopWatcher();
-        stopWatcher = null;
-        api.logger.debug("[skills-scanner] ✅ File watcher stopped");
-      }
-      // 2. Remove cron jobs
-      try {
-        const listResult = await api.callGateway("cron.list", {});
-        const jobs = listResult?.jobs || [];
-        const ourJobs = jobs.filter((j: any) => j.name === "skills-weekly-report");
-        for (const job of ourJobs) {
-          const jobId = job.jobId || job.id;
-          await api.callGateway("cron.remove", { jobId });
-          api.logger.info("[skills-scanner] Removed cron job", { jobId });
-        }
-        if (ourJobs.length > 0) {
-          api.logger.info(`[skills-scanner] ✅ Removed ${ourJobs.length} cron job(s)`);
-        }
-      } catch (err: any) {
-        api.logger.warn("[skills-scanner] Failed to remove cron jobs", {
-          error: err.message,
-        });
-      }
-      // 3. Save final state
-      try {
-        const finalState = loadState(api.runtime);
-        finalState.lastUninstallAt = new Date().toISOString();
-        saveState(finalState, api.runtime);
-        api.logger.debug("[skills-scanner] ✅ Final state saved");
-      } catch (err: any) {
-        api.logger.warn("[skills-scanner] Failed to save final state", {
-          error: err.message,
-        });
-      }
-      api.logger.info("[skills-scanner] ✅ Cleanup completed successfully");
+      api.logger.info("[skills-scanner] ✅ System crontab cleanup task ensured");
     } catch (err: any) {
-      api.logger.error("[skills-scanner] ❌ Cleanup failed", {
+      api.logger.warn("[skills-scanner] ⚠️  Failed to setup system crontab", {
         error: err.message,
-        stack: err.stack,
       });
     }
-  });
+  })();
   // Register config_changed hook for hot reload
   api.on("config_changed", async (newConfig: any) => {
@@ -233,8 +141,6 @@ export default definePluginEntry({
       // Check what changed
       const apiUrlChanged = newCfg.apiUrl !== cfg.apiUrl;
-      const scanDirsChanged = JSON.stringify(newCfg.scanDirs) !== JSON.stringify(cfg.scanDirs);
-      const preInstallScanChanged = newCfg.preInstallScan !== cfg.preInstallScan;
       if (apiUrlChanged) {
         api.logger.info("[skills-scanner] API URL updated", {
@@ -245,42 +151,6 @@ export default definePluginEntry({
         Object.assign(cfg, { apiUrl: newCfg.apiUrl });
       }
-      if (scanDirsChanged || preInstallScanChanged) {
-        api.logger.info("[skills-scanner] Scan configuration updated, restarting watcher...");
-        // Stop old watcher
-        if (stopWatcher) {
-          stopWatcher();
-          stopWatcher = null;
-        }
-        // Start new watcher with updated config
-        const newScanDirs =
-          (newCfg.scanDirs?.map(expandPath) ?? []).filter(existsSync).length > 0
-            ? newCfg.scanDirs!.map(expandPath)
-            : defaultScanDirs();
-        if (newCfg.preInstallScan === "on" && newScanDirs.length > 0) {
-          stopWatcher = startWatcher(
-            newScanDirs,
-            newCfg.onUnsafe ?? "warn",
-            newCfg.behavioral ?? false,
-            newCfg.apiUrl ?? apiUrl,
-            newCfg.useLLM ?? false,
-            newCfg.policy ?? "balanced",
-            persistWatcherAlert,
-            api.logger,
-            QUARANTINE_DIR
-          );
-          api.logger.info("[skills-scanner] ✅ Watcher restarted with new configuration");
-        } else {
-          api.logger.info("[skills-scanner] ⏭️  Watcher disabled by new configuration");
-        }
-        // Update global config
-        Object.assign(cfg, newCfg);
-      }
       api.logger.info("[skills-scanner] ✅ Configuration reload completed");
     } catch (err: any) {
       api.logger.error("[skills-scanner] ❌ Configuration reload failed", {
@@ -297,93 +167,15 @@ export default definePluginEntry({
     const configGuide = generateConfigGuide(
       cfg,
       apiUrl,
-      scanDirs,
       behavioral,
       useLLM,
       policy,
-      preInstallScan,
       onUnsafe
     );
     console.log(configGuide);
     markConfigReviewed(api.runtime);
   }
-  // Helper for watcher alerts
-  function persistWatcherAlert(msg: string): void {
-    const state = loadState(api.runtime);
-    const alerts: string[] = (state as any).pendingAlerts ?? [];
-    alerts.push(`[${new Date().toLocaleString("en-US")}] ${msg}`);
-    saveState({ ...state, pendingAlerts: alerts } as any, api.runtime);
-    api.logger.warn(`[skills-scanner] ${msg}`);
-  }
-  // Service: start watcher
-  let stopWatcher: (() => void) | null = null;
-  api.registerService({
-    id: "skills-scanner-setup",
-    start: async () => {
-      api.logger.info("[skills-scanner] 🚀 Service starting...");
-      if (preInstallScan === "on" && scanDirs.length > 0) {
-        api.logger.info(`[skills-scanner] 📁 Starting file monitoring: ${scanDirs.length} directories`);
-        stopWatcher = startWatcher(
-          scanDirs,
-          onUnsafe,
-          behavioral,
-          apiUrl,
-          useLLM,
-          policy,
-          persistWatcherAlert,
-          api.logger,
-          QUARANTINE_DIR
-        );
-        api.logger.info("[skills-scanner] ✅ File monitoring started");
-      } else {
-        api.logger.info("[skills-scanner] ⏭️  Pre-install scan disabled");
-      }
-    },
-    stop: async () => {
-      api.logger.info("[skills-scanner] 🛑 Service stopping...");
-      try {
-        // 1. Stop file watcher
-        if (stopWatcher) {
-          api.logger.debug("[skills-scanner] Stopping file watcher...");
-          stopWatcher();
-          stopWatcher = null;
-          api.logger.debug("[skills-scanner] ✅ File watcher stopped");
-        }
-        // 2. Save final state
-        try {
-          const finalState = loadState(api.runtime);
-          finalState.lastShutdownAt = new Date().toISOString();
-          saveState(finalState, api.runtime);
-          api.logger.debug("[skills-scanner] ✅ Final state saved");
-        } catch (err: any) {
-          api.logger.warn("[skills-scanner] Failed to save final state", {
-            error: err.message,
-          });
-        }
-        // 3. Clear pending alerts (optional - keep for next run)
-        // This is intentionally commented out to preserve alerts
-        // const state = loadState(api.runtime);
-        // if ((state as any).pendingAlerts?.length > 0) {
-        //   saveState({ ...state, pendingAlerts: [] } as any, api.runtime);
-        // }
-        api.logger.info("[skills-scanner] ✅ Service stopped cleanly");
-      } catch (err: any) {
-        api.logger.error("[skills-scanner] ❌ Error during shutdown", {
-          error: err.message,
-          stack: err.stack,
-        });
-      }
-    },
-  });
   // Health check endpoint
   api.registerHttpRoute({
     method: "GET",
@@ -417,11 +209,6 @@ export default definePluginEntry({
             url: apiUrl,
             status: apiStatus,
           },
-          watcher: {
-            enabled: preInstallScan === "on",
-            running: stopWatcher !== null,
-            directories: scanDirs.length,
-          },
           state: {
             lastScanAt: state.lastScanAt || null,
             lastShutdownAt: state.lastShutdownAt || null,
@@ -461,16 +248,12 @@ export default definePluginEntry({
   const handlers = createCommandHandlers(
     cfg,
     apiUrl,
-    scanDirs,
     behavioral,
     useLLM,
     policy,
-    preInstallScan,
     onUnsafe,
     api.logger,
-    async (method: string, params: any) => {
-      return await api.callGateway(method, params);
-    }
+    api.config
   );
   // Chat command: /skills-scanner
@@ -492,13 +275,11 @@ export default definePluginEntry({
             "• `/skills-scanner scan clawhub <URL> [选项]` - 扫描 ClawHub Skill",
             "• `/skills-scanner health` - 健康检查",
             "• `/skills-scanner config [操作]` - 配置管理",
-            "• `/skills-scanner cron [操作]` - 定时任务管理",
             "",
             "扫描选项:",
             "• `--detailed` - 显示详细发现",
             "• `--behavioral` - 启用行为分析",
             "• `--recursive` - 递归扫描子目录",
-            "• `--report` - 生成日报格式",
             "",
             "示例:",
             "```",
@@ -523,8 +304,6 @@ export default definePluginEntry({
         return await handlers.handleHealthCommand();
       } else if (subCommand === "config") {
         return await handlers.handleConfigCommand(subArgs);
-      } else if (subCommand === "cron") {
-        return await handlers.handleCronCommand(subArgs);
       } else if (subCommand === "help" || subCommand === "--help" || subCommand === "-h") {
         return { text: handlers.getHelpText() };
       } else {
@@ -560,23 +339,6 @@ export default definePluginEntry({
     }
   });
-  api.registerGatewayMethod("skillsScanner.report", async ({ respond }: any) => {
-    if (scanDirs.length === 0) return respond(false, { error: "No scan directories found" });
-    try {
-      const report = await buildDailyReport(
-        scanDirs,
-        behavioral,
-        apiUrl,
-        useLLM,
-        policy,
-        api.logger
-      );
-      respond(true, { report, state: loadState() });
-    } catch (err: any) {
-      respond(false, { error: err.message });
-    }
-  });
   // CLI commands
   api.registerCli(
     ({ program }: any) => {
@@ -615,21 +377,6 @@ export default definePluginEntry({
           process.exit(res.exitCode);
         });
-      cmd
-        .command("report")
-        .description("生成日报")
-        .action(async () => {
-          const report = await buildDailyReport(
-            scanDirs,
-            behavioral,
-            apiUrl,
-            useLLM,
-            policy,
-            console
-          );
-          console.log(report);
-        });
       cmd
         .command("health")
         .description("检查 API 服务健康状态")