@pwddd/skills-scanner 3.0.10 → 3.0.12

package/index.ts

@@ -171,7 +171,8 @@ export default function register(api: OpenClawPluginApi) {
       // Register cron job (only in Gateway mode)
       const isGatewayMode = !!(api as any).runtime;
       if (isGatewayMode) {
-        await ensureCronJob(api.logger);
+        const runtime = (api as any).runtime;
+        await ensureCronJob(api.logger, runtime);
       }
 
       api.logger.info("[skills-scanner] ─────────────────────────────────────");
@@ -396,6 +397,3 @@ export default function register(api: OpenClawPluginApi) {
 
   api.logger.info("[skills-scanner] ✅ Plugin registered");
 }
-
-
-

package/openclaw.plugin.json

@@ -2,7 +2,7 @@
   "id": "skills-scanner",
   "name": "Skills Scanner",
   "description": "Security scanner for OpenClaw Skills to detect potential threats",
-  "version": "3.0.10",
+  "version": "3.0.12",
   "author": "pwddd",
   "skills": ["./skills"],
   "configSchema": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pwddd/skills-scanner",
-  "version": "3.0.10",
+  "version": "3.0.12",
   "description": "OpenClaw Skills security scanner plugin - detect malicious code, data exfiltration, and prompt injection",
   "type": "module",
   "main": "./index.ts",

package/src/commands.ts

@@ -225,7 +225,7 @@ export function createCommandHandlers(
       }
 
       saveState({ ...state, cronJobId: undefined });
-      await ensureCronJob(logger);
+      await ensureCronJob(logger, undefined);
 
       const newState = loadState() as any;
       if (newState.cronJobId) {

package/src/cron.ts

@@ -9,16 +9,124 @@ const CRON_JOB_NAME = "skills-daily-report";
 const CRON_SCHEDULE = "0 8 * * *";
 const CRON_TIMEZONE = "Asia/Shanghai";
 
-export async function ensureCronJob(logger: any): Promise<void> {
-  const state = loadState() as any;
+/**
+ * Detect the correct OpenClaw command (openclaw vs npx openclaw)
+ */
+function getOpenClawCommand(): string {
+  // 1. Check environment variable
+  if (process.env.OPENCLAW_CLI_PATH) {
+    return process.env.OPENCLAW_CLI_PATH;
+  }
 
-  logger.info("[skills-scanner] ─────────────────────────────────────");
-  logger.info("[skills-scanner] 🕐 Checking cron job...");
+  // 2. Check if running via npx
+  const argv1 = process.argv[1];
+  if (argv1?.includes("npx") || argv1?.includes("_npx")) {
+    return "npx openclaw";
+  }
+  
+  if (process.env.npm_execpath?.includes("npx")) {
+    return "npx openclaw";
+  }
+
+  // 3. Try global openclaw command
+  try {
+    execSync("openclaw --version", { 
+      encoding: "utf-8", 
+      timeout: 3000,
+      stdio: "pipe" 
+    });
+    return "openclaw";
+  } catch {
+    // openclaw command not available
+  }
+
+  // 4. Try npx as fallback
+  try {
+    execSync("npx openclaw --version", { 
+      encoding: "utf-8", 
+      timeout: 5000,
+      stdio: "pipe"
+    });
+    return "npx openclaw";
+  } catch {
+    // npx also not available
+  }
+
+  // 5. Default to openclaw (will fail with clear error)
+  return "openclaw";
+}
+
+/**
+ * Create cron job via Gateway API (most reliable)
+ */
+async function ensureCronJobViaAPI(runtime: any, logger: any): Promise<boolean> {
+  if (!runtime?.cron) {
+    logger.debug("[skills-scanner] Cron API not available");
+    return false;
+  }
+  
+  try {
+    const state = loadState() as any;
+    
+    // Check if job already exists
+    const jobs = await runtime.cron.list({ includeDisabled: true });
+    const existing = jobs.find((j: any) => j.name === CRON_JOB_NAME);
+    
+    if (existing) {
+      logger.info(`[skills-scanner] ✅ Job already exists: ${existing.id}`);
+      if (state.cronJobId !== existing.id) {
+        saveState({ ...state, cronJobId: existing.id });
+      }
+      return true;
+    }
+    
+    // Create new job
+    logger.info("[skills-scanner] 📝 Creating cron job via API...");
+    const job = await runtime.cron.add({
+      name: CRON_JOB_NAME,
+      enabled: true,
+      schedule: { 
+        kind: "cron", 
+        expr: CRON_SCHEDULE,
+        tz: CRON_TIMEZONE
+      },
+      payload: {
+        kind: "agentTurn",
+        message: "Please run /skills-scanner scan --report and send results to this channel"
+      },
+      delivery: {
+        mode: "announce",
+        channel: "last"
+      }
+    });
+    
+    saveState({ ...state, cronJobId: job.id });
+    logger.info(`[skills-scanner] ✅ Job created successfully via API: ${job.id}`);
+    logger.info(
+      `[skills-scanner] 📅 Schedule: Daily at ${CRON_SCHEDULE.split(" ")[1]}:${CRON_SCHEDULE.split(" ")[0]} (${CRON_TIMEZONE})`
+    );
+    logger.info("[skills-scanner] 📬 Reports will be delivered to the last active channel");
+    return true;
+  } catch (err: any) {
+    logger.warn(`[skills-scanner] API creation failed: ${err.message}`);
+    return false;
+  }
+}
+
+/**
+ * Create cron job via CLI (fallback)
+ */
+async function ensureCronJobViaCLI(logger: any): Promise<void> {
+  const openclawCmd = getOpenClawCommand();
+  logger.info(`[skills-scanner] Using CLI command: ${openclawCmd}`);
+  
+  const state = loadState() as any;
+  const state = loadState() as any;
 
   try {
     let jobs: any[] = [];
     try {
-      const listResult = execSync("openclaw cron list --format json", {
+      const listResult = execSync(`${openclawCmd} cron list --format json`, {
         encoding: "utf-8",
         timeout: 5000,
       });
@@ -26,7 +134,7 @@ export async function ensureCronJob(logger: any): Promise<void> {
     } catch (listErr: any) {
       logger.debug("[skills-scanner] JSON format not supported, trying text parsing");
       try {
-        const listResult = execSync("openclaw cron list", {
+        const listResult = execSync(`${openclawCmd} cron list`, {
           encoding: "utf-8",
           timeout: 5000,
         });
@@ -57,7 +165,7 @@ export async function ensureCronJob(logger: any): Promise<void> {
       for (let i = 1; i < existingJobs.length; i++) {
         const jobId = existingJobs[i].id || existingJobs[i].jobId;
         try {
-          execSync(`openclaw cron remove ${jobId}`, {
+          execSync(`${openclawCmd} cron remove ${jobId}`, {
             encoding: "utf-8",
             timeout: 5000,
           });
@@ -82,7 +190,7 @@ export async function ensureCronJob(logger: any): Promise<void> {
       if (needsUpdate) {
         logger.info(`[skills-scanner] 🔄 Job config changed, updating...`);
         try {
-          execSync(`openclaw cron remove ${jobId}`, {
+          execSync(`${openclawCmd} cron remove ${jobId}`, {
             encoding: "utf-8",
             timeout: 5000,
           });
@@ -106,12 +214,12 @@ export async function ensureCronJob(logger: any): Promise<void> {
       }
     }
 
-    logger.info("[skills-scanner] 📝 Creating cron job...");
+    logger.info("[skills-scanner] 📝 Creating cron job via CLI...");
 
     // Create cron job with --announce and --channel last
     // This will deliver to the last place the agent replied
     const cronCmd = [
-      "openclaw cron add",
+      `${openclawCmd} cron add`,
       `--name "${CRON_JOB_NAME}"`,
       `--cron "${CRON_SCHEDULE}"`,
       `--tz "${CRON_TIMEZONE}"`,
@@ -151,11 +259,11 @@ export async function ensureCronJob(logger: any): Promise<void> {
       err.message.includes("command not found") ||
       err.message.includes("ENOENT")
     ) {
-      logger.error("[skills-scanner] ❌ openclaw command not found, please check installation");
+      logger.error(`[skills-scanner] ❌ ${openclawCmd} command not found, please check installation`);
     } else {
       logger.info("[skills-scanner] 💡 Please manually register cron job:");
       logger.info("[skills-scanner]");
-      logger.info("[skills-scanner]   openclaw cron add \\");
+      logger.info(`[skills-scanner]   ${openclawCmd} cron add \\`);
       logger.info(`[skills-scanner]     --name "${CRON_JOB_NAME}" \\`);
       logger.info(`[skills-scanner]     --cron "${CRON_SCHEDULE}" \\`);
       logger.info(`[skills-scanner]     --tz "${CRON_TIMEZONE}" \\`);
@@ -172,3 +280,24 @@ export async function ensureCronJob(logger: any): Promise<void> {
     }
   }
 }
+
+/**
+ * Ensure cron job exists (tries API first, falls back to CLI)
+ */
+export async function ensureCronJob(logger: any, runtime?: any): Promise<void> {
+  logger.info("[skills-scanner] ─────────────────────────────────────");
+  logger.info("[skills-scanner] 🕐 Checking cron job...");
+  
+  // Try API first (most reliable)
+  if (runtime) {
+    const success = await ensureCronJobViaAPI(runtime, logger);
+    if (success) {
+      logger.info("[skills-scanner] ✅ Cron job configured via API");
+      return;
+    }
+    logger.info("[skills-scanner] Falling back to CLI method...");
+  }
+  
+  // Fallback to CLI
+  await ensureCronJobViaCLI(logger);
+}

package/src/prompt-guidance.ts

@@ -21,6 +21,8 @@ export const SKILLS_SECURITY_GUIDANCE = [
   "",
   "- **Local Skills**: ANY local path or temporary extraction directory MUST be scanned. No skipping.",
   "- **ClawHub Skills**: Even if marked as audited/official, re-scan before install/run.",
+  "- **Manual downloads**: When user manually downloads a Skill (via git clone, curl, browser download, etc.), PROACTIVELY prompt them to run a security scan before proceeding with any setup or installation.",
+  "- **All installation methods**: Whether Skills are added via ClawHub, manual download, or any other method, security scanning is MANDATORY before use.",
   "- **Error handling priority**: If user reports errors with a Skill, scan it FIRST before attempting fixes or troubleshooting.",
   "- **Download method agnostic**: Regardless of how the user obtained the Skill (git clone, download, curl, manual copy), scan it before use.",
   "- **No bypass justifications**: Never skip scanning due to \"user insistence\", \"time pressure\", \"trusted source\", or \"previous scan\". If scanning is impossible, REFUSE to proceed and explain why.",