@pwddd/skills-scanner 1.0.0

package/skills/skills-scanner/scan.py

@@ -0,0 +1,373 @@
+# /// script
+# dependencies = [
+#   "requests>=2.31.0",
+# ]
+# ///
+"""
+OpenClaw Skills 安全扫描器 (HTTP 客户端)
+通过 HTTP API 调用远程 skill-scanner-api 服务
+
+注意：此脚本必须使用 venv 中的 Python 运行
+"""
+
+import sys
+import os
+import json
+import argparse
+import tempfile
+import zipfile
+import time
+from pathlib import Path
+from typing import Optional, Dict, Any, List
+
+# 依赖检查
+try:
+    import requests
+except ImportError as e:
+    print("❌ requests 未安装。")
+    print(f"   导入错误: {e}")
+    print("   请运行: uv pip install requests")
+    sys.exit(1)
+
+
+# 配置
+DEFAULT_API_URL = "http://localhost:8000"
+REQUEST_TIMEOUT = 180  # 3 分钟
+
+
+# 颜色输出
+USE_COLOR = sys.stdout.isatty()
+
+def c(text, code):
+    return f"\033[{code}m{text}\033[0m" if USE_COLOR else text
+
+RED    = lambda t: c(t, "31")
+YELLOW = lambda t: c(t, "33")
+GREEN  = lambda t: c(t, "32")
+CYAN   = lambda t: c(t, "36")
+BOLD   = lambda t: c(t, "1")
+DIM    = lambda t: c(t, "2")
+
+
+# HTTP 客户端
+class SkillScannerClient:
+    """skill-scanner HTTP API 客户端"""
+    
+    def __init__(self, base_url: str = DEFAULT_API_URL):
+        self.base_url = base_url.rstrip('/')
+        self.session = requests.Session()
+    
+    def health_check(self) -> Dict[str, Any]:
+        """健康检查，返回详细信息"""
+        try:
+            response = self.session.get(f"{self.base_url}/health", timeout=5)
+            response.raise_for_status()
+            return {
+                'status': 'healthy',
+                'data': response.json()
+            }
+        except requests.exceptions.ConnectionError:
+            return {
+                'status': 'unreachable',
+                'error': f'无法连接到 {self.base_url}'
+            }
+        except requests.exceptions.Timeout:
+            return {
+                'status': 'timeout',
+                'error': '请求超时'
+            }
+        except Exception as e:
+            return {
+                'status': 'error',
+                'error': str(e)
+            }
+    
+    def scan_upload(
+        self,
+        skill_path: str,
+        policy: str = "balanced",
+        use_llm: bool = False,
+        use_behavioral: bool = False
+    ) -> Dict[str, Any]:
+        """上传 ZIP 文件扫描（单个 Skill）
+        
+        API: POST /scan-upload
+        - 上传 ZIP 文件
+        - 服务器解压并查找 SKILL.md
+        - 返回扫描结果
+        """
+        with tempfile.NamedTemporaryFile(suffix='.zip', delete=False) as tmp_zip:
+            zip_path = tmp_zip.name
+        
+        try:
+            self._create_zip(skill_path, zip_path)
+            
+            with open(zip_path, 'rb') as f:
+                files = {'file': (os.path.basename(skill_path) + '.zip', f, 'application/zip')}
+                data = {
+                    'policy': policy,
+                    'use_llm': str(use_llm).lower(),
+                    'use_behavioral': str(use_behavioral).lower()
+                }
+                
+                response = self.session.post(
+                    f"{self.base_url}/scan-upload",
+                    files=files,
+                    data=data,
+                    timeout=REQUEST_TIMEOUT
+                )
+                response.raise_for_status()
+                return response.json()
+        finally:
+            if os.path.exists(zip_path):
+                os.unlink(zip_path)
+    
+    def scan_batch_upload(
+        self,
+        skill_paths: List[str],
+        policy: str = "balanced",
+        use_llm: bool = False,
+        use_behavioral: bool = False
+    ) -> List[Dict[str, Any]]:
+        """批量上传多个 Skill（客户端循环）"""
+        results = []
+        
+        for i, skill_path in enumerate(skill_paths, 1):
+            print(f"[{i}/{len(skill_paths)}] 正在扫描: {skill_path}")
+            
+            try:
+                result = self.scan_upload(
+                    skill_path,
+                    policy=policy,
+                    use_llm=use_llm,
+                    use_behavioral=use_behavioral
+                )
+                results.append({
+                    'path': skill_path,
+                    'success': True,
+                    'result': result
+                })
+                status = "✓" if result.get('is_safe', False) else "✗"
+                print(f"  {status} {result.get('skill_name', 'Unknown')}: {result.get('findings_count', 0)} 个发现")
+            except Exception as e:
+                results.append({
+                    'path': skill_path,
+                    'success': False,
+                    'error': str(e)
+                })
+                print(f"  ✗ 失败: {e}")
+        
+        return results
+    
+    @staticmethod
+    def _create_zip(source_dir: str, zip_path: str):
+        """创建 ZIP 文件"""
+        with zipfile.ZipFile(zip_path, 'w', zipfile.ZIP_DEFLATED) as zipf:
+            source_path = Path(source_dir)
+            for file_path in source_path.rglob('*'):
+                if file_path.is_file():
+                    arcname = file_path.relative_to(source_path.parent)
+                    zipf.write(file_path, arcname)
+
+
+# 格式化输出
+def format_scan_result(result: Dict[str, Any], detailed: bool = False) -> str:
+    """格式化扫描结果"""
+    lines = []
+    
+    skill_name = result.get('skill_name', 'Unknown')
+    is_safe = result.get('is_safe', False)
+    max_severity = result.get('max_severity', 'NONE')
+    findings_count = result.get('findings_count', 0)
+    
+    status_icon = GREEN("✓") if is_safe else RED("✗")
+    lines.append(f"{status_icon} {BOLD(skill_name)}")
+    lines.append(f"  严重性: {_severity_color(max_severity)}")
+    lines.append(f"  发现数: {findings_count}")
+    
+    if detailed and findings_count > 0:
+        findings = result.get('findings', [])
+        lines.append("")
+        lines.append(BOLD("发现详情:"))
+        for i, finding in enumerate(findings[:10], 1):
+            severity = finding.get('severity', 'UNKNOWN')
+            category = finding.get('category', 'Unknown')
+            description = finding.get('description', 'No description')
+            lines.append(f"  {i}. [{_severity_color(severity)}] {category}")
+            lines.append(f"     {description}")
+        
+        if len(findings) > 10:
+            lines.append(f"  ... 还有 {len(findings) - 10} 条发现")
+    
+    return "\n".join(lines)
+
+
+def format_batch_result(result: Dict[str, Any]) -> str:
+    """格式化批量扫描结果"""
+    lines = []
+    
+    total = result.get('total_skills_scanned', 0)
+    safe = result.get('safe_skills', 0)
+    unsafe = result.get('unsafe_skills', 0)
+    
+    lines.append(BOLD("批量扫描结果"))
+    lines.append(f"  总计: {total} 个 Skills")
+    lines.append(f"  安全: {GREEN(str(safe))}")
+    lines.append(f"  问题: {RED(str(unsafe))}")
+    
+    if unsafe > 0:
+        skills = result.get('skills', [])
+        unsafe_skills = [s for s in skills if not s.get('is_safe', True)]
+        lines.append("")
+        lines.append(BOLD("问题 Skills:"))
+        for skill in unsafe_skills[:10]:
+            name = skill.get('skill_name', 'Unknown')
+            severity = skill.get('max_severity', 'UNKNOWN')
+            count = skill.get('findings_count', 0)
+            lines.append(f"  • {name} [{_severity_color(severity)}] - {count} 条发现")
+    
+    return "\n".join(lines)
+
+
+def _severity_color(severity: str) -> str:
+    """严重性着色"""
+    severity_upper = severity.upper()
+    if severity_upper in ('CRITICAL', 'HIGH'):
+        return RED(severity_upper)
+    elif severity_upper == 'MEDIUM':
+        return YELLOW(severity_upper)
+    elif severity_upper == 'LOW':
+        return CYAN(severity_upper)
+    else:
+        return DIM(severity_upper)
+
+
+# 命令行接口
+def main():
+    parser = argparse.ArgumentParser(
+        description="OpenClaw Skills 安全扫描器 (HTTP 客户端)",
+        formatter_class=argparse.RawDescriptionHelpFormatter
+    )
+    
+    parser.add_argument(
+        '--api-url',
+        default=DEFAULT_API_URL,
+        help=f'API 服务地址 (默认: {DEFAULT_API_URL})'
+    )
+    
+    subparsers = parser.add_subparsers(dest='command', help='命令')
+    
+    # scan 命令
+    scan_parser = subparsers.add_parser('scan', help='扫描单个 Skill（上传 ZIP）')
+    scan_parser.add_argument('path', help='Skill 目录路径')
+    scan_parser.add_argument('--detailed', action='store_true', help='显示详细发现')
+    scan_parser.add_argument('--behavioral', action='store_true', help='启用行为分析')
+    scan_parser.add_argument('--llm', action='store_true', help='启用 LLM 分析')
+    scan_parser.add_argument('--policy', default='balanced', choices=['strict', 'balanced', 'permissive'], help='扫描策略')
+    scan_parser.add_argument('--json', metavar='FILE', help='输出 JSON 到文件')
+    
+    # batch 命令（客户端批量上传）
+    batch_parser = subparsers.add_parser('batch', help='批量扫描多个 Skills（客户端循环）')
+    batch_parser.add_argument('paths', nargs='+', help='多个 Skill 目录路径')
+    batch_parser.add_argument('--behavioral', action='store_true', help='启用行为分析')
+    batch_parser.add_argument('--llm', action='store_true', help='启用 LLM 分析')
+    batch_parser.add_argument('--policy', default='balanced', choices=['strict', 'balanced', 'permissive'], help='扫描策略')
+    batch_parser.add_argument('--json', metavar='FILE', help='输出 JSON 到文件')
+    
+    # health 命令
+    subparsers.add_parser('health', help='健康检查')
+    
+    args = parser.parse_args()
+    
+    if not args.command:
+        parser.print_help()
+        sys.exit(1)
+    
+    client = SkillScannerClient(args.api_url)
+    
+    try:
+        if args.command == 'health':
+            health_result = client.health_check()
+            
+            if health_result['status'] == 'healthy':
+                print(GREEN("✓") + " API 服务正常")
+                
+                data = health_result.get('data', {})
+                if data:
+                    print(f"  版本: {data.get('version', 'Unknown')}")
+                    analyzers = data.get('analyzers_available', [])
+                    if analyzers:
+                        print(f"  可用分析器: {', '.join(analyzers)}")
+                    print(json.dumps(data))
+                
+                sys.exit(0)
+            else:
+                print(RED("✗") + f" API 服务不可用: {args.api_url}")
+                error = health_result.get('error', '未知错误')
+                print(f"  错误: {error}")
+                sys.exit(1)
+        
+        elif args.command == 'scan':
+            print(f"正在扫描: {args.path}")
+            result = client.scan_upload(
+                args.path,
+                policy=args.policy,
+                use_llm=args.llm,
+                use_behavioral=args.behavioral
+            )
+            
+            if args.json:
+                with open(args.json, 'w') as f:
+                    json.dump(result, f, indent=2)
+                print(f"结果已保存到: {args.json}")
+            else:
+                print(format_scan_result(result, args.detailed))
+            
+            sys.exit(0 if result.get('is_safe', False) else 1)
+        
+        elif args.command == 'batch':
+            print(f"正在批量扫描 {len(args.paths)} 个 Skills...")
+            results = client.scan_batch_upload(
+                args.paths,
+                policy=args.policy,
+                use_llm=args.llm,
+                use_behavioral=args.behavioral
+            )
+            
+            total = len(results)
+            success = sum(1 for r in results if r['success'])
+            failed = total - success
+            
+            if args.json:
+                with open(args.json, 'w') as f:
+                    json.dump(results, f, indent=2)
+                print(f"\n结果已保存到: {args.json}")
+            
+            print(f"\n批量扫描完成: {success}/{total} 成功, {failed} 失败")
+            sys.exit(0 if failed == 0 else 1)
+    
+    except requests.exceptions.ConnectionError:
+        print(RED("✗") + f" 无法连接到 API 服务: {args.api_url}")
+        print("请确保 skill-scanner-api 服务正在运行")
+        sys.exit(1)
+    except requests.exceptions.Timeout:
+        print(RED("✗") + " 请求超时")
+        sys.exit(1)
+    except requests.exceptions.HTTPError as e:
+        print(RED("✗") + f" HTTP 错误: {e}")
+        if e.response is not None:
+            try:
+                error_detail = e.response.json()
+                print(f"详情: {error_detail}")
+            except:
+                print(f"响应: {e.response.text}")
+        sys.exit(1)
+    except Exception as e:
+        print(RED("✗") + f" 错误: {e}")
+        import traceback
+        traceback.print_exc()
+        sys.exit(1)
+
+
+if __name__ == '__main__':
+    main()

package/src/commands.ts

@@ -0,0 +1,277 @@
+/**
+ * Command handlers module
+ */
+
+import { existsSync, execSync } from "node:fs";
+import { join, basename } from "node:path";
+import { promisify } from "node:util";
+import { exec } from "node:child_process";
+import { runScan } from "./scanner.js";
+import { buildDailyReport } from "./report.js";
+import { loadState, saveState, expandPath } from "./state.js";
+import { isVenvReady } from "./deps.js";
+import { generateConfigGuide } from "./config.js";
+import { ensureCronJob } from "./cron.js";
+import type { ScannerConfig } from "./types.js";
+
+const execAsync = promisify(exec);
+
+export function createCommandHandlers(
+  cfg: ScannerConfig,
+  apiUrl: string,
+  scanDirs: string[],
+  behavioral: boolean,
+  useLLM: boolean,
+  policy: string,
+  preInstallScan: string,
+  onUnsafe: string,
+  venvPython: string,
+  scanScript: string,
+  logger: any
+) {
+  async function handleScanCommand(args: string): Promise<any> {
+    if (!args) {
+      return {
+        text: "用法：`/skills-scanner scan <路径> [--detailed] [--behavioral] [--recursive] [--report]`",
+      };
+    }
+
+    if (!isVenvReady(venvPython)) {
+      return { text: "⏳ Python 依赖尚未就绪，请稍后重试或查看日志" };
+    }
+
+    const parts = args.split(/\s+/);
+    const targetPath = expandPath(parts.find((p) => !p.startsWith("--")) ?? "");
+    const detailed = parts.includes("--detailed");
+    const useBehav = parts.includes("--behavioral") || behavioral;
+    const recursive = parts.includes("--recursive");
+    const isReport = parts.includes("--report");
+
+    if (!targetPath) {
+      return { text: "❌ 请指定扫描路径" };
+    }
+
+    if (!existsSync(targetPath)) {
+      return { text: `❌ 路径不存在: ${targetPath}` };
+    }
+
+    const isSingleSkill = existsSync(join(targetPath, "SKILL.md"));
+
+    if (isReport) {
+      if (scanDirs.length === 0) {
+        return { text: "⚠️ 未找到可扫描目录，请检查配置" };
+      }
+      const report = await buildDailyReport(
+        scanDirs,
+        useBehav,
+        apiUrl,
+        useLLM,
+        policy,
+        logger,
+        venvPython,
+        scanScript
+      );
+      return { text: report };
+    } else if (isSingleSkill) {
+      const res = await runScan(venvPython, scanScript, "scan", targetPath, {
+        detailed,
+        behavioral: useBehav,
+        apiUrl,
+        useLLM,
+        policy,
+      });
+      const icon = res.exitCode === 0 ? "✅" : "❌";
+      return { text: `${icon} 扫描完成\n\`\`\`\n${res.output}\n\`\`\`` };
+    } else {
+      const res = await runScan(venvPython, scanScript, "batch", targetPath, {
+        recursive,
+        detailed,
+        behavioral: useBehav,
+        apiUrl,
+        useLLM,
+        policy,
+      });
+      const icon = res.exitCode === 0 ? "✅" : "❌";
+      return { text: `${icon} 批量扫描完成\n\`\`\`\n${res.output}\n\`\`\`` };
+    }
+  }
+
+  async function handleStatusCommand(): Promise<any> {
+    const state = loadState() as any;
+    const alerts: string[] = state.pendingAlerts ?? [];
+
+    const lines = [
+      "📋 *Skills Scanner 状态*",
+      `API 地址: ${apiUrl}`,
+      `Python 依赖: ${isVenvReady(venvPython) ? "✅ 就绪" : "❌ 未就绪"}`,
+      `安装前扫描: ${preInstallScan === "on" ? `✅ 监听中 (${onUnsafe})` : "❌ 已禁用"}`,
+      `扫描策略: ${policy}`,
+      `LLM 分析: ${useLLM ? "✅ 启用" : "❌ 禁用"}`,
+      `行为分析: ${behavioral ? "✅ 启用" : "❌ 禁用"}`,
+      `上次扫描: ${state.lastScanAt ? new Date(state.lastScanAt).toLocaleString("zh-CN") : "从未"}`,
+      `扫描目录:\n${scanDirs.map((d) => `  • ${d}`).join("\n")}`,
+    ];
+
+    if (isVenvReady(venvPython)) {
+      lines.push("", "🔍 *API 服务检查*");
+      try {
+        const cmd = `"${venvPython}" "${scanScript}" --api-url "${apiUrl}" health`;
+        const env = { ...process.env };
+        delete env.http_proxy;
+        delete env.https_proxy;
+        delete env.HTTP_PROXY;
+        delete env.HTTPS_PROXY;
+        delete env.all_proxy;
+        delete env.ALL_PROXY;
+
+        const { stdout, stderr } = await execAsync(cmd, { timeout: 5000, env });
+        const output = (stdout + stderr).trim();
+
+        if (output.includes("✓") || output.includes("OK")) {
+          lines.push(`API 服务: ✅ 正常`);
+          const jsonMatch = output.match(/\{[\s\S]*\}/);
+          if (jsonMatch) {
+            try {
+              const healthData = JSON.parse(jsonMatch[0]);
+              if (healthData.analyzers_available) {
+                lines.push(`可用分析器: ${healthData.analyzers_available.join(", ")}`);
+              }
+            } catch {}
+          }
+        } else {
+          lines.push(`API 服务: ❌ 不可用`);
+        }
+      } catch (err: any) {
+        lines.push(`API 服务: ❌ 连接失败`);
+        lines.push(`错误: ${err.message}`);
+      }
+    }
+
+    if (alerts.length > 0) {
+      lines.push("", `🔔 *待查告警 (${alerts.length} 条):*`);
+      alerts.slice(-5).forEach((a) => lines.push(`  ${a}`));
+      saveState({ ...state, pendingAlerts: [] });
+    }
+
+    lines.push("", "🕐 *定时任务*");
+    if (state.cronJobId && state.cronJobId !== "manual-created") {
+      lines.push(`状态: ✅ 已注册 (${state.cronJobId})`);
+    } else {
+      lines.push("状态: ❌ 未注册");
+      lines.push("💡 使用 `/skills-scanner cron register` 注册");
+    }
+
+    return { text: lines.join("\n") };
+  }
+
+  async function handleConfigCommand(args: string): Promise<any> {
+    const action = args.trim().toLowerCase() || "show";
+
+    if (action === "show" || action === "") {
+      const configGuide = generateConfigGuide(
+        cfg,
+        apiUrl,
+        scanDirs,
+        behavioral,
+        useLLM,
+        policy,
+        preInstallScan,
+        onUnsafe
+      );
+      return { text: "```\n" + configGuide + "\n```" };
+    } else if (action === "reset") {
+      const state = loadState() as any;
+      saveState({ ...state, configReviewed: false });
+      return {
+        text: "✅ 配置审查标记已重置\n下次重启 Gateway 时将再次显示配置向导",
+      };
+    } else {
+      return { text: "用法: `/skills-scanner config [show|reset]`" };
+    }
+  }
+
+  async function handleCronCommand(args: string): Promise<any> {
+    const action = args.trim().toLowerCase() || "status";
+    const state = loadState() as any;
+
+    if (action === "register") {
+      const oldJobId = state.cronJobId;
+      if (oldJobId && oldJobId !== "manual-created") {
+        try {
+          execSync(`openclaw cron remove ${oldJobId}`, { encoding: "utf-8", timeout: 5000 });
+        } catch {}
+      }
+
+      saveState({ ...state, cronJobId: undefined });
+      await ensureCronJob(logger);
+
+      const newState = loadState() as any;
+      if (newState.cronJobId) {
+        return { text: `✅ 定时任务注册成功\n任务 ID: ${newState.cronJobId}` };
+      } else {
+        return { text: "❌ 定时任务注册失败，请查看日志" };
+      }
+    } else if (action === "unregister") {
+      if (!state.cronJobId) {
+        return { text: "⚠️ 未找到已注册的定时任务" };
+      }
+
+      try {
+        execSync(`openclaw cron remove ${state.cronJobId}`, {
+          encoding: "utf-8",
+          timeout: 5000,
+        });
+        saveState({ ...state, cronJobId: undefined });
+        return { text: `✅ 定时任务已删除: ${state.cronJobId}` };
+      } catch (err: any) {
+        return { text: `❌ 删除失败: ${err.message}` };
+      }
+    } else {
+      const lines = ["🕐 *定时任务状态*"];
+      if (state.cronJobId && state.cronJobId !== "manual-created") {
+        lines.push(`任务 ID: ${state.cronJobId}`);
+        lines.push(`执行时间: 每天 08:00 (Asia/Shanghai)`);
+        lines.push("状态: ✅ 已注册");
+      } else {
+        lines.push("状态: ❌ 未注册");
+        lines.push("", "💡 使用 `/skills-scanner cron register` 注册");
+      }
+      return { text: lines.join("\n") };
+    }
+  }
+
+  function getHelpText(): string {
+    return [
+      "🔍 *Skills Scanner - 帮助*",
+      "",
+      "═══ 扫描命令 ═══",
+      "`/skills-scanner scan <路径> [选项]`",
+      "",
+      "选项:",
+      "• `--detailed` - 显示详细发现",
+      "• `--behavioral` - 启用行为分析",
+      "• `--recursive` - 递归扫描子目录",
+      "• `--report` - 生成日报格式",
+      "",
+      "示例:",
+      "```",
+      "/skills-scanner scan ~/.openclaw/skills/my-skill",
+      "/skills-scanner scan ~/.openclaw/skills --recursive",
+      "/skills-scanner scan ~/.openclaw/skills --report",
+      "```",
+      "",
+      "═══ 其他命令 ═══",
+      "• `/skills-scanner status` - 查看状态",
+      "• `/skills-scanner config [show|reset]` - 配置管理",
+      "• `/skills-scanner cron [register|unregister|status]` - 定时任务管理",
+    ].join("\n");
+  }
+
+  return {
+    handleScanCommand,
+    handleStatusCommand,
+    handleConfigCommand,
+    handleCronCommand,
+    getHelpText,
+  };
+}