@pwddd/skills-scanner 1.0.0-beta.2 → 1.0.0-beta.22

package/openclaw.plugin.json

@@ -2,7 +2,7 @@
   "id": "skills-scanner",
   "name": "Skills Scanner",
   "description": "Security scanner for OpenClaw Skills to detect potential threats",
-  "version": "1.0.0-beta.2",
+  "version": "1.0.0-beta.22",
   "author": "pwddd",
   "skills": ["./skills"],
   "uiHints": {
@@ -27,10 +27,6 @@
       "label": "扫描策略",
       "help": "strict=严格 / balanced=平衡（推荐）/ permissive=宽松"
     },
-    "preInstallScan": {
-      "label": "安装前扫描",
-      "help": "监听新 Skill 并自动扫描"
-    },
     "onUnsafe": {
       "label": "不安全处理",
       "help": "warn=仅警告（推荐）/ quarantine=隔离 / delete=删除"
@@ -85,12 +81,6 @@
         "description": "Scanning policy: strict (more false positives) / balanced (recommended) / permissive (may miss threats)",
         "default": "balanced"
       },
-      "preInstallScan": {
-        "type": "string",
-        "enum": ["on", "off"],
-        "description": "Enable pre-installation scanning (monitors directories for new Skills)",
-        "default": "on"
-      },
       "onUnsafe": {
         "type": "string",
         "enum": ["quarantine", "delete", "warn"],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pwddd/skills-scanner",
-  "version": "1.0.0-beta.2",
+  "version": "1.0.0-beta.22",
   "description": "OpenClaw Skills security scanner plugin - detect malicious code, data exfiltration, and prompt injection",
   "type": "module",
   "main": "./index.ts",
@@ -16,13 +16,13 @@
   ],
   "repository": {
     "type": "git",
-    "url": "https://github.com/openclaw/openclaw.git",
+    "url": "https://github.com/pwddd/test.git",
     "directory": "extensions/skills-scanner"
   },
   "bugs": {
-    "url": "https://github.com/openclaw/openclaw/issues"
+    "url": "https://github.com/pwddd/test/issues"
   },
-  "homepage": "https://github.com/openclaw/openclaw/tree/main/extensions/skills-scanner#readme",
+  "homepage": "https://github.com/pwddd/test/tree/main/extensions/skills-scanner#readme",
   "files": [
     "index.ts",
     "openclaw.plugin.json",

package/skills/skills-scanner/SKILL.md

@@ -23,27 +23,6 @@ OpenClaw Skills 安全扫描工具，检测恶意代码、数据窃取、提示
 
 **🔒 安全扫描是强制性的，不可跳过。在向用户展示扫描结果前，请务必：**
 
-### 🔄 插件版本检查 - 每次运行前必须执行
-
-**在执行任何扫描操作前，必须先检查并更新 skills-scanner 插件到最新版本。**
-
-**更新命令**：
-```bash
-openclaw plugins update skills-scanner
-```
-
-**执行时机**：
-- 每次用户请求扫描 Skill 时
-- 每次用户请求安装 Skill 时
-- 每次会话开始时（如果涉及 Skill 操作）
-
-**为什么要每次检查更新？**
-- 安全威胁不断演变，扫描规则需要持续更新
-- 新版本可能包含关键的安全修复
-- 确保使用最新的威胁检测能力
-
----
-
 ### 🎯 命令识别 - 自动触发安全扫描
 
 **当用户输入以下任何命令或类似表达时，你必须先扫描再执行：**
@@ -67,10 +46,6 @@ openclaw plugins update skills-scanner
        [执行：openclaw clawhub search caldav-calendar]
        找到：https://clawhub.ai/Asleep123/caldav-calendar
 
-       现在更新扫描插件...
-       [执行：openclaw plugins update skills-scanner]
-       ✅ 插件已更新
-
        扫描安全性...
        [执行扫描]
        ✅ 扫描通过，开始安装
@@ -80,11 +55,7 @@ openclaw plugins update skills-scanner
 
    ```
    用户：openclaw clawhub install https://clawhub.ai/Asleep123/caldav-calendar
-   AI: 我看到你想安装 caldav-calendar，让我先更新扫描插件...
-       [执行：openclaw plugins update skills-scanner]
-       ✅ 插件已更新
-
-       扫描安全性...
+   AI: 我看到你想安装 caldav-calendar，让我先扫描安全性...
        [执行扫描]
        ✅ 扫描通过，开始安装
    ```
@@ -92,9 +63,8 @@ openclaw plugins update skills-scanner
 3. **正确的处理流程**：
    ```
    步骤 1: 如果只有名称 → 使用 clawhub search 查找完整 URL
-   步骤 2: 更新 skills-scanner 插件
-   步骤 3: 使用完整 URL 进行安全扫描
-   步骤 4: 扫描通过后执行安装命令
+   步骤 2: 使用完整 URL 进行安全扫描
+   步骤 3: 扫描通过后执行安装命令
    ```
 
 ---
@@ -240,34 +210,28 @@ openclaw plugins update skills-scanner
 **在处理任何 Skill 相关操作时，请先问自己这些问题：**
 
 1. ✅ 如果是 ClawHub 安装且只有名称，我是否已经搜索了完整 URL？
-2. ✅ 我是否已经更新了 skills-scanner 插件到最新版本？
-3. ✅ 我是否已经扫描了这个 Skill？
-4. ✅ 扫描是否通过？
-5. ✅ 只有所有适用步骤都是 YES，才能继续操作
+2. ✅ 我是否已经扫描了这个 Skill？
+3. ✅ 扫描是否通过？
+4. ✅ 只有所有适用步骤都是 YES，才能继续操作
 
-**如果你忘记搜索、更新或扫描就执行了操作，你就让用户的系统暴露在风险之中。**
+**如果你忘记搜索或扫描就执行了操作，你就让用户的系统暴露在风险之中。**
 
 ### 🚨 强制性规则（永远不要忘记）
 
-1. **任何 Skill 操作前 → 先更新插件**
-   - 执行 `openclaw plugins update skills-scanner`
-   - 确保使用最新的威胁检测规则
-
-2. **看到安装命令 → 搜索（如需要）→ 更新插件 → 立即扫描**
-   - `openclaw clawhub install xxx` → 先搜索，再更新插件，再扫描
+1. **看到安装命令 → 搜索（如需要）→ 立即扫描**
+   - `openclaw clawhub install xxx` → 先搜索，再扫描
    - 任何包含 "install"、"add"、"download" + "skill" 的命令 → 完整流程
 
-3. **看到 Skill 路径 → 更新插件 → 立即扫描**
-   - 用户提到 `~/.openclaw/skills/xxx` → 先更新插件，再扫描
-   - 用户说 "我下载了一个 skill" → 先更新插件，再扫描
+2. **看到 Skill 路径 → 立即扫描**
+   - 用户提到 `~/.openclaw/skills/xxx` → 立即扫描
+   - 用户说 "我下载了一个 skill" → 立即扫描
 
-4. **看到 ClawHub URL → 更新插件 → 立即扫描**
-   - `https://clawhub.ai/username/project` → 先更新插件，再扫描
+3. **看到 ClawHub URL → 立即扫描**
+   - `https://clawhub.ai/username/project` → 立即扫描
 
 ### ❌ 绝对禁止的行为
 
-- ❌ 不更新插件就直接扫描
-- ❌ 直接执行安装命令而不先搜索、更新和扫描
+- ❌ 直接执行安装命令而不先搜索和扫描
 - ❌ 因为 "用户着急" 或 "看起来安全" 就跳过任何步骤
 
 ---

package/src/api-client.ts

@@ -84,11 +84,19 @@ export class SkillScannerApiClient {
    * Scan a local skill by uploading as ZIP
    */
   async scanUpload(skillPath: string, options: ScanOptions = {}): Promise<ScanResult> {
+    const startTime = Date.now();
+    console.log(`[API Client] 开始扫描: ${skillPath}`);
+    console.log(`[API Client] 创建 ZIP 文件...`);
+
     const zipPath = await this.createZip(skillPath);
+    const zipTime = Date.now() - startTime;
+    console.log(`[API Client] ZIP 创建完成: ${zipPath} (耗时 ${zipTime}ms)`);
 
     try {
       const formData = new FormData();
       const zipBlob = await this.readFileAsBlob(zipPath);
+      console.log(`[API Client] ZIP 文件大小: ${zipBlob.size} bytes`);
+
       formData.append("file", zipBlob, `${basename(skillPath)}.zip`);
       formData.append("policy", options.policy || "balanced");
       formData.append("use_llm", String(options.useLLM || false));
@@ -96,24 +104,46 @@ export class SkillScannerApiClient {
       formData.append("use_zip_virus", String(options.useZipVirus !== false));
       formData.append("enable_meta", String(options.enableMeta !== false));
 
+      console.log(`[API Client] 发送请求到: ${this.baseUrl}/scan-upload`);
+      console.log(`[API Client] 请求参数:`, {
+        policy: options.policy || "balanced",
+        use_llm: options.useLLM || false,
+        use_behavioral: options.useBehavioral || false,
+        timeout: this.timeout,
+      });
+
       const response = await fetch(`${this.baseUrl}/scan-upload`, {
         method: "POST",
         body: formData,
         signal: AbortSignal.timeout(this.timeout),
       });
 
+      const requestTime = Date.now() - startTime;
+      console.log(`[API Client] 收到响应: HTTP ${response.status} (总耗时 ${requestTime}ms)`);
+
       if (!response.ok) {
         const errorText = await response.text();
+        console.error(`[API Client] 请求失败: ${errorText}`);
         throw new Error(`HTTP ${response.status}: ${errorText}`);
       }
 
-      return await response.json();
+      const result = await response.json();
+      console.log(`[API Client] 扫描完成:`, {
+        skill_name: result.skill_name,
+        is_safe: result.is_safe,
+        findings_count: result.findings_count,
+      });
+
+      return result;
     } finally {
       // Cleanup temp zip
       try {
         const fs = await import("node:fs/promises");
         await fs.unlink(zipPath);
-      } catch {}
+        console.log(`[API Client] 清理临时文件: ${zipPath}`);
+      } catch (err) {
+        console.warn(`[API Client] 清理临时文件失败: ${err}`);
+      }
     }
   }
 

package/src/before-install-hook.ts

@@ -66,7 +66,7 @@ export interface BeforeInstallHandlerOptions {
   policy: "strict" | "balanced" | "permissive";
   logger: PluginLogger;
   enabled: boolean;
-  timeoutMs?: number; // Scan timeout in milliseconds (default: 30000)
+  timeoutMs?: number; // Scan timeout in milliseconds (default: 120000)
 }
 
 /**
@@ -79,17 +79,25 @@ export async function handleBeforeInstall(
   event: BeforeInstallEvent,
   options: BeforeInstallHandlerOptions
 ): Promise<BeforeInstallResult> {
-  const timeoutMs = options.timeoutMs || 30000; // Default 30 seconds
+  const timeoutMs = options.timeoutMs || 120000; // Default 120 seconds (2 minutes)
+
+  options.logger.debug("[before_install] 开始处理", {
+    targetName: event.targetName,
+    targetType: event.targetType,
+    sourcePath: event.sourcePath,
+    timeoutMs,
+  });
 
   // Wrap the scan in a timeout promise
   return Promise.race([
-    performScan(event, options),
+    performScan(event, options, timeoutMs),
     new Promise<BeforeInstallResult>((_, reject) =>
-      setTimeout(() => reject(new Error("Scan timeout")), timeoutMs)
+      setTimeout(() => reject(new Error(`扫描超时 (${timeoutMs}ms)`)), timeoutMs)
     ),
   ]).catch((err: any) => {
-    options.logger.error("[before_install] Scan failed or timed out", {
+    options.logger.error("[before_install] 扫描失败或超时", {
       error: err.message,
+      errorStack: err.stack,
       targetName: event.targetName,
       timeoutMs,
     });
@@ -115,7 +123,8 @@ export async function handleBeforeInstall(
  */
 async function performScan(
   event: BeforeInstallEvent,
-  options: BeforeInstallHandlerOptions
+  options: BeforeInstallHandlerOptions,
+  timeoutMs: number
 ): Promise<BeforeInstallResult> {
   const { targetType, targetName, sourcePath, builtinScan } = event;
   const { apiUrl, behavioral, useLLM, policy, logger, enabled } = options;
@@ -135,6 +144,8 @@ async function performScan(
   logger.info(`[安装前拦截] 🔍 拦截 Skill 安装: ${targetName}`);
   logger.info(`[安装前拦截]    来源: ${sourcePath}`);
   logger.info(`[安装前拦截]    内置扫描: ${builtinScan.status} (${builtinScan.critical} 严重, ${builtinScan.warn} 警告)`);
+  logger.debug(`[安装前拦截]    API URL: ${apiUrl}`);
+  logger.debug(`[安装前拦截]    超时设置: ${timeoutMs}ms`);
 
   // 首先检查内置扫描结果
   if (builtinScan.status === "error") {
@@ -158,13 +169,31 @@ async function performScan(
   // 运行增强扫描
   try {
     logger.info(`[安装前拦截] 🔬 正在运行增强安全扫描...`);
+    logger.debug(`[安装前拦截] 扫描参数`, {
+      mode: "scan",
+      target: sourcePath,
+      behavioral,
+      useLLM,
+      policy,
+      apiUrl,
+      timeoutMs,
+    });
+
+    const scanStartTime = Date.now();
 
     const scanResult = await runScan("scan", sourcePath, {
       behavioral,
       useLLM,
       policy,
       apiUrl,
-      detailed: true
+      detailed: true,
+      timeoutMs: timeoutMs - 10000, // Reserve 10s for overhead
+    });
+
+    const scanDuration = Date.now() - scanStartTime;
+    logger.debug(`[安装前拦截] 扫描完成`, {
+      exitCode: scanResult.exitCode,
+      durationMs: scanDuration,
     });
 
     if (scanResult.exitCode === 0) {
@@ -183,7 +212,7 @@ async function performScan(
 
     // 扫描失败 - 阻止安装
     const severity = scanResult.data?.max_severity || "未知";
-    const findingsCount = scanResult.data?.findings || 0;
+    const findingsCount = scanResult.data?.findings_count || 0;
 
     logger.warn(`[安装前拦截] ❌ ${targetName} 未通过安全扫描`);
     logger.warn(`[安装前拦截]    严重性: ${severity}, 发现数: ${findingsCount}`);
@@ -208,7 +237,11 @@ async function performScan(
 
   } catch (error: any) {
     // 扫描因错误失败 - 根据策略决定
-    logger.error(`[安装前拦截] ⚠️  ${targetName} 扫描错误: ${error.message}`);
+    logger.error(`[安装前拦截] ⚠️  ${targetName} 扫描错误`, {
+      error: error.message,
+      errorStack: error.stack,
+      errorCode: error.code,
+    });
 
     // 在严格模式下，扫描错误时阻止
     if (policy === "strict") {

package/src/commands.ts

@@ -5,28 +5,24 @@
 import { existsSync } from "node:fs";
 import { join, basename } from "node:path";
 import { runScan } from "./scanner.js";
-import { buildDailyReport } from "./report.js";
 import { loadState, saveState, expandPath } from "./state.js";
 import { generateConfigGuide } from "./config.js";
-import { ensureCronJobViaGateway, checkCronJobStatus } from "./cron-manager.js";
 import type { ScannerConfig, CommandResponse, PluginLogger } from "./types.js";
 
 export function createCommandHandlers(
   cfg: ScannerConfig,
   apiUrl: string,
-  scanDirs: string[],
   behavioral: boolean,
   useLLM: boolean,
   policy: string,
-  preInstallScan: string,
   onUnsafe: string,
   logger: PluginLogger,
-  callGateway: (method: string, params: any) => Promise<any>
+  apiConfig?: any
 ) {
   async function handleScanCommand(args: string): Promise<CommandResponse> {
     if (!args) {
       return {
-        text: "用法：`/skills-scanner scan <路径> [--detailed] [--behavioral] [--recursive] [--report]`\n或：`/skills-scanner scan clawhub <URL> [--detailed] [--behavioral]`",
+        text: "用法：`/skills-scanner scan <路径> [--detailed] [--behavioral] [--recursive]`\n或：`/skills-scanner scan clawhub <URL> [--detailed] [--behavioral]`",
       };
     }
 
@@ -57,23 +53,6 @@ export function createCommandHandlers(
     const detailed = parts.includes("--detailed");
     const useBehav = parts.includes("--behavioral") || behavioral;
     const recursive = parts.includes("--recursive");
-    const isReport = parts.includes("--report");
-
-    // Report mode: use configured scanDirs
-    if (isReport) {
-      if (scanDirs.length === 0) {
-        return { text: "⚠️ 未找到可扫描目录，请检查配置" };
-      }
-      const report = await buildDailyReport(
-        scanDirs,
-        useBehav,
-        apiUrl,
-        useLLM,
-        policy,
-        logger
-      );
-      return { text: report };
-    }
 
     // Regular scan mode: require path
     if (!targetPath) {
@@ -87,13 +66,31 @@ export function createCommandHandlers(
     const isSingleSkill = existsSync(join(targetPath, "SKILL.md"));
 
     if (isSingleSkill) {
+      logger.info(`[命令] 开始扫描单个 Skill: ${targetPath}`);
+      logger.debug(`[命令] 扫描参数`, {
+        mode: "scan",
+        targetPath,
+        detailed,
+        behavioral: useBehav,
+        apiUrl,
+        useLLM,
+        policy,
+      });
+
       const res = await runScan("scan", targetPath, {
         detailed,
         behavioral: useBehav,
         apiUrl,
         useLLM,
         policy,
+        timeoutMs: 180000, // 3 minutes
+      });
+
+      logger.info(`[命令] 扫描完成`, {
+        exitCode: res.exitCode,
+        hasData: !!res.data,
       });
+
       const icon = res.exitCode === 0 ? "✅" : "❌";
       return { text: `${icon} 扫描完成\n\`\`\`\n${res.output}\n\`\`\`` };
     } else {
@@ -117,12 +114,10 @@ export function createCommandHandlers(
     const lines = [
       "✅ *Skills Scanner 状态*",
       `API 地址：${apiUrl}`,
-      `安装前扫描：${preInstallScan === "on" ? `✅ 监听中 (${onUnsafe})` : "⏭️ 已禁用"}`,
       `扫描策略：${policy}`,
       `LLM 分析：${useLLM ? "✅ 启用" : "❌ 禁用"}`,
       `行为分析：${behavioral ? "✅ 启用" : "❌ 禁用"}`,
       `上次扫描：${state.lastScanAt ? new Date(state.lastScanAt).toLocaleString("zh-CN") : "从未"}`,
-      `扫描目录:\n${scanDirs.map((d) => `  📁 ${d}`).join("\n")}`,
     ];
 
     // API health check
@@ -152,13 +147,7 @@ export function createCommandHandlers(
       saveState({ ...state, pendingAlerts: [] });
     }
 
-    lines.push("", "✅ *定时任务*");
-    if (state.cronJobId && state.cronJobId !== "manual-created") {
-      lines.push(`状态：✅ 已注册 (${state.cronJobId})`);
-    } else {
-      lines.push("状态：❌ 未注册");
-      lines.push("ℹ️ 使用 `/skills-scanner cron register` 注册");
-    }
+    // 定时任务功能已移除
 
     return { text: lines.join("\n") };
   }
@@ -170,11 +159,9 @@ export function createCommandHandlers(
       const configGuide = generateConfigGuide(
         cfg,
         apiUrl,
-        scanDirs,
         behavioral,
         useLLM,
         policy,
-        preInstallScan,
         onUnsafe
       );
       return { text: "```\n" + configGuide + "\n```" };
@@ -189,66 +176,6 @@ export function createCommandHandlers(
     }
   }
 
-  async function handleCronCommand(args: string): Promise<CommandResponse> {
-    const action = args.trim().toLowerCase() || "status";
-
-    if (action === "setup" || action === "register") {
-      try {
-        await ensureCronJobViaGateway({
-          logger,
-          callGateway,
-        });
-        return { text: "✅ 定时任务注册完成\n请查看日志了解详情" };
-      } catch (err: any) {
-        return { text: `⚠️ 定时任务注册失败：${err.message}` };
-      }
-    } else if (action === "unregister") {
-      try {
-        // 列出所有任务
-        const listResult = await callGateway("cron.list", {});
-        const jobs = Array.isArray(listResult?.jobs) ? listResult.jobs : [];
-        const existingJobs = jobs.filter((job: any) => job.name === "skills-weekly-report");
-
-        if (existingJobs.length === 0) {
-          return { text: "ℹ️ 未找到已注册的定时任务" };
-        }
-
-        // 删除所有同名任务
-        const deletedIds: string[] = [];
-        for (const job of existingJobs) {
-          const jobId = job.jobId || job.id;
-          try {
-            await callGateway("cron.remove", { jobId });
-            deletedIds.push(jobId);
-          } catch (err: any) {
-            logger.warn(`删除任务 ${jobId} 失败: ${err.message}`);
-          }
-        }
-
-        if (deletedIds.length > 0) {
-          return {
-            text: `✅ 已删除 ${deletedIds.length} 个定时任务\n${deletedIds.map(id => `- ${id}`).join("\n")}`,
-          };
-        } else {
-          return { text: "⚠️ 删除失败，请查看日志" };
-        }
-      } catch (err: any) {
-        return { text: `⚠️ 删除失败：${err.message}` };
-      }
-    } else {
-      // status
-      try {
-        const statusText = await checkCronJobStatus({
-          logger,
-          callGateway,
-        });
-        return { text: statusText };
-      } catch (err: any) {
-        return { text: `⚠️ 查询状态失败：${err.message}` };
-      }
-    }
-  }
-
   function getHelpText(): string {
     return [
       "✅ *Skills Scanner - 帮助*",
@@ -261,13 +188,11 @@ export function createCommandHandlers(
       "• `--detailed` - 显示详细发现",
       "• `--behavioral` - 启用行为分析",
       "• `--recursive` - 递归扫描子目录",
-      "• `--report` - 生成日报格式",
       "",
       "示例:",
       "```",
       "/skills-scanner scan ~/.openclaw/skills/my-skill",
       "/skills-scanner scan ~/.openclaw/skills --recursive",
-      "/skills-scanner scan ~/.openclaw/skills --report",
       "/skills-scanner scan clawhub https://clawhub.ai/username/project",
       "/skills-scanner scan clawhub https://clawhub.ai/username/project --detailed",
       "```",
@@ -275,7 +200,6 @@ export function createCommandHandlers(
       "═══ 其他命令 ═══",
       "• `/skills-scanner health` - 健康检查",
       "• `/skills-scanner config [show|reset]` - 配置管理",
-      "• `/skills-scanner cron [register|unregister|status]` - 定时任务管理",
     ].join("\n");
   }
 
@@ -283,7 +207,6 @@ export function createCommandHandlers(
     handleScanCommand,
     handleHealthCommand,
     handleConfigCommand,
-    handleCronCommand,
     getHelpText,
   };
 }

package/src/config-validator.ts

@@ -31,15 +31,6 @@ export function validateConfig(
     }
   }
 
-  // Validate scan directories
-  if (cfg.scanDirs && cfg.scanDirs.length > 0) {
-    for (const dir of cfg.scanDirs) {
-      if (!existsSync(dir)) {
-        warnings.push(`Scan directory does not exist: ${dir}`);
-      }
-    }
-  }
-
   // Validate policy
   if (cfg.policy && !["strict", "balanced", "permissive"].includes(cfg.policy)) {
     errors.push(
@@ -47,13 +38,6 @@ export function validateConfig(
     );
   }
 
-  // Validate preInstallScan
-  if (cfg.preInstallScan && !["on", "off"].includes(cfg.preInstallScan)) {
-    errors.push(
-      `Invalid preInstallScan: "${cfg.preInstallScan}". Must be "on" or "off"`
-    );
-  }
-
   // Validate onUnsafe
   if (cfg.onUnsafe && !["warn", "delete", "quarantine"].includes(cfg.onUnsafe)) {
     errors.push(