@pwddd/skills-scanner 3.0.19 → 3.0.21

package/openclaw.plugin.json

@@ -2,7 +2,7 @@
   "id": "skills-scanner",
   "name": "Skills Scanner",
   "description": "Security scanner for OpenClaw Skills to detect potential threats",
-  "version": "3.0.19",
+  "version": "3.0.21",
   "author": "pwddd",
   "skills": ["./skills"],
   "configSchema": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pwddd/skills-scanner",
-  "version": "3.0.19",
+  "version": "3.0.21",
   "description": "OpenClaw Skills security scanner plugin - detect malicious code, data exfiltration, and prompt injection",
   "type": "module",
   "main": "./index.ts",

package/src/prompt-guidance.ts

@@ -11,7 +11,9 @@ export const SKILLS_SECURITY_GUIDANCE = [
   "",
   "**This is a SECURITY REQUIREMENT that CANNOT be bypassed under ANY circumstances.**",
   "",
-  "### 🔄 Plugin Update Check (MANDATORY FIRST STEP)",
+  "### 🔄 STEP 0: Plugin Update Check (MANDATORY FIRST STEP)",
+  "",
+  "**🔴🔴🔴 CRITICAL: BEFORE ANYTHING ELSE - UPDATE THE PLUGIN FIRST 🔴🔴🔴**",
   "",
   "**Before ANY Skill scanning or installation operation, you MUST update the skills-scanner plugin to the latest version:**",
   "",
@@ -19,6 +21,10 @@ export const SKILLS_SECURITY_GUIDANCE = [
   "openclaw plugins update skills-scanner",
   "```",
   "",
+  "**⛔ DO NOT PROCEED UNTIL YOU HAVE EXECUTED THIS COMMAND ⛔**",
+  "",
+  "**This is NON-NEGOTIABLE. This is STEP 0. This is the FIRST thing you do.**",
+  "",
   "**Why this is critical:**",
   "- Security threats evolve constantly; scanning rules must be up-to-date",
   "- New versions contain critical security fixes and threat detection improvements",
@@ -42,15 +48,39 @@ export const SKILLS_SECURITY_GUIDANCE = [
   "",
   "**If update fails:** Continue with current version but warn the user that scanning may not detect the latest threats.",
   "",
-  "### 🔒 Mandatory Workflow (NO EXCEPTIONS - ALWAYS FOLLOW THIS)",
+  "### 📚 IMPORTANT: Read the Skills Scanner Documentation",
+  "",
+  "**Before performing ANY Skill scanning operation, you MUST read the skills-scanner SKILL.md for detailed instructions:**",
+  "",
+  "The SKILL.md contains:",
+  "- Complete scanning workflow and examples",
+  "- API service availability checks",
+  "- Deep analysis and false positive detection guidelines",
+  "- VirusTotal result interpretation",
+  "- ClawHub scanning procedures",
+  "- Command usage examples",
+  "- Troubleshooting guides",
   "",
-  "1. **UPDATE plugin FIRST**: Run `openclaw plugins update skills-scanner` to ensure latest threat detection",
-  "2. **SCAN before operation**: Execute security scan on the target Skill immediately:",
+  "**How to access:**",
+  "1. Use the skills system to read the skills-scanner SKILL.md",
+  "2. Review the scanning procedures before executing scans",
+  "3. Follow the documented workflows exactly",
+  "",
+  "**This documentation is CRITICAL for:**",
+  "- Understanding how to properly scan Skills",
+  "- Interpreting scan results correctly",
+  "- Avoiding false positives",
+  "- Handling different scanning scenarios",
+  "",
+  "###  Mandatory Workflow (NO EXCEPTIONS - ALWAYS FOLLOW THIS)",
+  "",
+  "0. **READ documentation FIRST**: Access and read the skills-scanner SKILL.md to understand the complete scanning workflow",
+  "1. **SCAN before operation**: Execute security scan on the target Skill immediately:",
   "   - Local directories (including temporary extraction paths)",
   "   - Remote archives/packages",
   "   - ClawHub projects (even if marked as reviewed/official)",
   "   - Previously scanned Skills (no exemptions for \"already checked\" or \"trusted source\")",
-  "3. **Proceed only if safe**: Continue with installation/execution ONLY when scan results explicitly confirm safety. Otherwise, STOP and alert the user to risks.",
+  "2. **Proceed only if safe**: Continue with installation/execution ONLY when scan results explicitly confirm safety. Otherwise, STOP and alert the user to risks.",
   "",
   "### 🎯 Critical Requirements (MEMORIZE THESE)",
   "",
@@ -197,17 +227,23 @@ export const SKILLS_SECURITY_GUIDANCE = [
   "### 🧠 Memory Reinforcement",
   "",
   "**Remember: Every time you see a Skill-related operation, ask yourself:**",
+  "",
+  "🔴 **STEP 0 (MOST IMPORTANT): Have I updated skills-scanner to the latest version?**",
+  "   - If NO → STOP and execute: `openclaw plugins update skills-scanner`",
+  "   - Do NOT proceed until this is done",
+  "",
+  "0. Have I read the skills-scanner SKILL.md documentation?",
   "1. If it's a ClawHub install with only a name, have I searched for the full URL?",
-  "2. Have I updated skills-scanner to the latest version?",
-  "3. Have I scanned this Skill yet?",
-  "4. Did the scan pass?",
-  "5. Only if YES to all applicable steps → proceed",
+  "2. Have I scanned this Skill yet?",
+  "3. Did the scan pass?",
+  "4. Only if YES to all applicable steps → proceed",
   "",
   "**Complete workflow checklist:**",
+  "- [ ] 🔴 STEP 0: Update plugin (`openclaw plugins update skills-scanner`) ← **DO THIS FIRST**",
+  "- [ ] Read skills-scanner SKILL.md (if first time or unsure)",
   "- [ ] ClawHub name only? → Search first (`openclaw clawhub search <name>`)",
-  "- [ ] Update plugin (`openclaw plugins update skills-scanner`)",
   "- [ ] Scan with full URL",
   "- [ ] Scan passed? → Proceed with installation",
   "",
-  "**If you forget to search, update, or scan, you are putting the user's system at risk. Always follow the complete workflow.**",
+  "**If you forget to read documentation, search, update, or scan, you are putting the user's system at risk. Always follow the complete workflow.**",
 ].join("\n");