@pwddd/skills-scanner 3.0.18 → 3.0.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/README.md +1 -1
  2. package/openclaw.plugin.json +1 -1
  3. package/package.json +1 -1
  4. package/src/commands.ts +15 -11
  5. package/src/cron.ts +3 -3
  6. package/src/prompt-guidance.ts +29 -2
package/README.md CHANGED
@@ -386,7 +386,7 @@ openclaw skills-scanner health
386
386
  3. **ClawHub 扫描**(聊天命令/CLI):直接扫描 ClawHub 上的 Skill
387
387
  4. **CLI 命令扫描**:通过命令行工具扫描
388
388
  5. **自动文件监控**:实时监控目录,自动扫描新 Skill
389
- 6. **定时任务扫描**:每天 08:00 自动生成日报
389
+ 6. **定时任务扫描**:每周一 12:05 自动生成周报
390
390
  7. **RPC 方法扫描**:供其他插件或程序调用
391
391
  8. **AI 主动扫描**:AI 在用户请求安装 Skills 时自动扫描(需启用 `injectSecurityGuidance`)
392
392
 
package/openclaw.plugin.json CHANGED
@@ -2,7 +2,7 @@
2
2
  "id": "skills-scanner",
3
3
  "name": "Skills Scanner",
4
4
  "description": "Security scanner for OpenClaw Skills to detect potential threats",
5
- "version": "3.0.18",
5
+ "version": "3.0.20",
6
6
  "author": "pwddd",
7
7
  "skills": ["./skills"],
8
8
  "configSchema": {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@pwddd/skills-scanner",
3
- "version": "3.0.18",
3
+ "version": "3.0.20",
4
4
  "description": "OpenClaw Skills security scanner plugin - detect malicious code, data exfiltration, and prompt injection",
5
5
  "type": "module",
6
6
  "main": "./index.ts",
package/src/commands.ts CHANGED
@@ -69,16 +69,7 @@ export function createCommandHandlers(
69
69
  const recursive = parts.includes("--recursive");
70
70
  const isReport = parts.includes("--report");
71
71
 
72
- if (!targetPath) {
73
- return { text: "⚠️ 请指定扫描路径" };
74
- }
75
-
76
- if (!existsSync(targetPath)) {
77
- return { text: `⚠️ 路径不存在: ${targetPath}` };
78
- }
79
-
80
- const isSingleSkill = existsSync(join(targetPath, "SKILL.md"));
81
-
72
+ // Report mode: use configured scanDirs
82
73
  if (isReport) {
83
74
  if (scanDirs.length === 0) {
84
75
  return { text: "⚠️ 未找到可扫描目录,请检查配置" };
@@ -94,7 +85,20 @@ export function createCommandHandlers(
94
85
  scanScript
95
86
  );
96
87
  return { text: report };
97
- } else if (isSingleSkill) {
88
+ }
89
+
90
+ // Regular scan mode: require path
91
+ if (!targetPath) {
92
+ return { text: "⚠️ 请指定扫描路径" };
93
+ }
94
+
95
+ if (!existsSync(targetPath)) {
96
+ return { text: `⚠️ 路径不存在: ${targetPath}` };
97
+ }
98
+
99
+ const isSingleSkill = existsSync(join(targetPath, "SKILL.md"));
100
+
101
+ if (isSingleSkill) {
98
102
  const res = await runScan(pythonCmd, scanScript, "scan", targetPath, {
99
103
  detailed,
100
104
  behavioral: useBehav,
package/src/cron.ts CHANGED
@@ -181,7 +181,7 @@ async function ensureCronJobViaCLI(logger: any): Promise<void> {
181
181
  `--cron "${CRON_SCHEDULE}"`,
182
182
  `--tz "${CRON_TIMEZONE}"`,
183
183
  "--session isolated",
184
- '--message "Please run /skills-scanner scan --report and send results to this channel"',
184
+ '--message "/skills-scanner scan --report"',
185
185
  "--announce",
186
186
  "--channel last",
187
187
  ].join(" ");
@@ -237,7 +237,7 @@ async function ensureCronJobViaCLI(logger: any): Promise<void> {
237
237
  logger.info(`[skills-scanner] --tz "${CRON_TIMEZONE}" \\`);
238
238
  logger.info("[skills-scanner] --session isolated \\");
239
239
  logger.info(
240
- '[skills-scanner] --message "Please run /skills-scanner scan --report and send results to this channel" \\'
240
+ '[skills-scanner] --message "/skills-scanner scan --report" \\'
241
241
  );
242
242
  logger.info("[skills-scanner] --announce \\");
243
243
  logger.info("[skills-scanner] --channel last");
@@ -271,7 +271,7 @@ export function checkCronJobStatus(logger: any): void {
271
271
  logger.info(`[skills-scanner] --tz "${CRON_TIMEZONE}" \\`);
272
272
  logger.info("[skills-scanner] --session isolated \\");
273
273
  logger.info(
274
- '[skills-scanner] --message "Please run /skills-scanner scan --report and send results to this channel" \\'
274
+ '[skills-scanner] --message "/skills-scanner scan --report" \\'
275
275
  );
276
276
  logger.info("[skills-scanner] --announce \\");
277
277
  logger.info("[skills-scanner] --channel last");
package/src/prompt-guidance.ts CHANGED
@@ -11,6 +11,30 @@ export const SKILLS_SECURITY_GUIDANCE = [
11
11
  "",
12
12
  "**This is a SECURITY REQUIREMENT that CANNOT be bypassed under ANY circumstances.**",
13
13
  "",
14
+ "### � IMPORTANT: Read the Skills Scanner Documentation",
15
+ "",
16
+ "**Before performing ANY Skill scanning operation, you MUST read the skills-scanner SKILL.md for detailed instructions:**",
17
+ "",
18
+ "The SKILL.md contains:",
19
+ "- Complete scanning workflow and examples",
20
+ "- API service availability checks",
21
+ "- Deep analysis and false positive detection guidelines",
22
+ "- VirusTotal result interpretation",
23
+ "- ClawHub scanning procedures",
24
+ "- Command usage examples",
25
+ "- Troubleshooting guides",
26
+ "",
27
+ "**How to access:**",
28
+ "1. Use the skills system to read the skills-scanner SKILL.md",
29
+ "2. Review the scanning procedures before executing scans",
30
+ "3. Follow the documented workflows exactly",
31
+ "",
32
+ "**This documentation is CRITICAL for:**",
33
+ "- Understanding how to properly scan Skills",
34
+ "- Interpreting scan results correctly",
35
+ "- Avoiding false positives",
36
+ "- Handling different scanning scenarios",
37
+ "",
14
38
  "### 🔄 Plugin Update Check (MANDATORY FIRST STEP)",
15
39
  "",
16
40
  "**Before ANY Skill scanning or installation operation, you MUST update the skills-scanner plugin to the latest version:**",
@@ -44,7 +68,8 @@ export const SKILLS_SECURITY_GUIDANCE = [
44
68
  "",
45
69
  "### 🔒 Mandatory Workflow (NO EXCEPTIONS - ALWAYS FOLLOW THIS)",
46
70
  "",
47
- "1. **UPDATE plugin FIRST**: Run `openclaw plugins update skills-scanner` to ensure latest threat detection",
71
+ "0. **READ documentation FIRST**: Access and read the skills-scanner SKILL.md to understand the complete scanning workflow",
72
+ "1. **UPDATE plugin**: Run `openclaw plugins update skills-scanner` to ensure latest threat detection",
48
73
  "2. **SCAN before operation**: Execute security scan on the target Skill immediately:",
49
74
  " - Local directories (including temporary extraction paths)",
50
75
  " - Remote archives/packages",
@@ -197,6 +222,7 @@ export const SKILLS_SECURITY_GUIDANCE = [
197
222
  "### 🧠 Memory Reinforcement",
198
223
  "",
199
224
  "**Remember: Every time you see a Skill-related operation, ask yourself:**",
225
+ "0. Have I read the skills-scanner SKILL.md documentation?",
200
226
  "1. If it's a ClawHub install with only a name, have I searched for the full URL?",
201
227
  "2. Have I updated skills-scanner to the latest version?",
202
228
  "3. Have I scanned this Skill yet?",
@@ -204,10 +230,11 @@ export const SKILLS_SECURITY_GUIDANCE = [
204
230
  "5. Only if YES to all applicable steps → proceed",
205
231
  "",
206
232
  "**Complete workflow checklist:**",
233
+ "- [ ] Read skills-scanner SKILL.md (if first time or unsure)",
207
234
  "- [ ] ClawHub name only? → Search first (`openclaw clawhub search <name>`)",
208
235
  "- [ ] Update plugin (`openclaw plugins update skills-scanner`)",
209
236
  "- [ ] Scan with full URL",
210
237
  "- [ ] Scan passed? → Proceed with installation",
211
238
  "",
212
- "**If you forget to search, update, or scan, you are putting the user's system at risk. Always follow the complete workflow.**",
239
+ "**If you forget to read documentation, search, update, or scan, you are putting the user's system at risk. Always follow the complete workflow.**",
213
240
  ].join("\n");