@pwddd/skills-scanner 3.0.20 → 3.0.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/openclaw.plugin.json +1 -1
  2. package/package.json +1 -1
  3. package/src/prompt-guidance.ts +73 -35
package/openclaw.plugin.json CHANGED
@@ -2,7 +2,7 @@
2
2
  "id": "skills-scanner",
3
3
  "name": "Skills Scanner",
4
4
  "description": "Security scanner for OpenClaw Skills to detect potential threats",
5
- "version": "3.0.20",
5
+ "version": "3.0.22",
6
6
  "author": "pwddd",
7
7
  "skills": ["./skills"],
8
8
  "configSchema": {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@pwddd/skills-scanner",
3
- "version": "3.0.20",
3
+ "version": "3.0.22",
4
4
  "description": "OpenClaw Skills security scanner plugin - detect malicious code, data exfiltration, and prompt injection",
5
5
  "type": "module",
6
6
  "main": "./index.ts",
package/src/prompt-guidance.ts CHANGED
@@ -11,31 +11,9 @@ export const SKILLS_SECURITY_GUIDANCE = [
11
11
  "",
12
12
  "**This is a SECURITY REQUIREMENT that CANNOT be bypassed under ANY circumstances.**",
13
13
  "",
14
- "### IMPORTANT: Read the Skills Scanner Documentation",
14
+ "### 🔄 STEP 0: Plugin Update Check (MANDATORY FIRST STEP)",
15
15
  "",
16
- "**Before performing ANY Skill scanning operation, you MUST read the skills-scanner SKILL.md for detailed instructions:**",
17
- "",
18
- "The SKILL.md contains:",
19
- "- Complete scanning workflow and examples",
20
- "- API service availability checks",
21
- "- Deep analysis and false positive detection guidelines",
22
- "- VirusTotal result interpretation",
23
- "- ClawHub scanning procedures",
24
- "- Command usage examples",
25
- "- Troubleshooting guides",
26
- "",
27
- "**How to access:**",
28
- "1. Use the skills system to read the skills-scanner SKILL.md",
29
- "2. Review the scanning procedures before executing scans",
30
- "3. Follow the documented workflows exactly",
31
- "",
32
- "**This documentation is CRITICAL for:**",
33
- "- Understanding how to properly scan Skills",
34
- "- Interpreting scan results correctly",
35
- "- Avoiding false positives",
36
- "- Handling different scanning scenarios",
37
- "",
38
- "### 🔄 Plugin Update Check (MANDATORY FIRST STEP)",
16
+ "**🔴🔴🔴 CRITICAL: BEFORE ANYTHING ELSE - UPDATE THE PLUGIN FIRST 🔴🔴🔴**",
39
17
  "",
40
18
  "**Before ANY Skill scanning or installation operation, you MUST update the skills-scanner plugin to the latest version:**",
41
19
  "",
@@ -43,6 +21,10 @@ export const SKILLS_SECURITY_GUIDANCE = [
43
21
  "openclaw plugins update skills-scanner",
44
22
  "```",
45
23
  "",
24
+ "**⛔ DO NOT PROCEED UNTIL YOU HAVE EXECUTED THIS COMMAND ⛔**",
25
+ "",
26
+ "**This is NON-NEGOTIABLE. This is STEP 0. This is the FIRST thing you do.**",
27
+ "",
46
28
  "**Why this is critical:**",
47
29
  "- Security threats evolve constantly; scanning rules must be up-to-date",
48
30
  "- New versions contain critical security fixes and threat detection improvements",
@@ -66,16 +48,39 @@ export const SKILLS_SECURITY_GUIDANCE = [
66
48
  "",
67
49
  "**If update fails:** Continue with current version but warn the user that scanning may not detect the latest threats.",
68
50
  "",
69
- "### 🔒 Mandatory Workflow (NO EXCEPTIONS - ALWAYS FOLLOW THIS)",
51
+ "### 📚 IMPORTANT: Read the Skills Scanner Documentation",
52
+ "",
53
+ "**Before performing ANY Skill scanning operation, you MUST read the skills-scanner SKILL.md for detailed instructions:**",
54
+ "",
55
+ "The SKILL.md contains:",
56
+ "- Complete scanning workflow and examples",
57
+ "- API service availability checks",
58
+ "- Deep analysis and false positive detection guidelines",
59
+ "- VirusTotal result interpretation",
60
+ "- ClawHub scanning procedures",
61
+ "- Command usage examples",
62
+ "- Troubleshooting guides",
63
+ "",
64
+ "**How to access:**",
65
+ "1. Use the skills system to read the skills-scanner SKILL.md",
66
+ "2. Review the scanning procedures before executing scans",
67
+ "3. Follow the documented workflows exactly",
68
+ "",
69
+ "**This documentation is CRITICAL for:**",
70
+ "- Understanding how to properly scan Skills",
71
+ "- Interpreting scan results correctly",
72
+ "- Avoiding false positives",
73
+ "- Handling different scanning scenarios",
74
+ "",
75
+ "### Mandatory Workflow (NO EXCEPTIONS - ALWAYS FOLLOW THIS)",
70
76
  "",
71
77
  "0. **READ documentation FIRST**: Access and read the skills-scanner SKILL.md to understand the complete scanning workflow",
72
- "1. **UPDATE plugin**: Run `openclaw plugins update skills-scanner` to ensure latest threat detection",
73
- "2. **SCAN before operation**: Execute security scan on the target Skill immediately:",
78
+ "1. **SCAN before operation**: Execute security scan on the target Skill immediately:",
74
79
  " - Local directories (including temporary extraction paths)",
75
80
  " - Remote archives/packages",
76
81
  " - ClawHub projects (even if marked as reviewed/official)",
77
82
  " - Previously scanned Skills (no exemptions for \"already checked\" or \"trusted source\")",
78
- "3. **Proceed only if safe**: Continue with installation/execution ONLY when scan results explicitly confirm safety. Otherwise, STOP and alert the user to risks.",
83
+ "2. **Proceed only if safe**: Continue with installation/execution ONLY when scan results explicitly confirm safety. Otherwise, STOP and alert the user to risks.",
79
84
  "",
80
85
  "### 🎯 Critical Requirements (MEMORIZE THESE)",
81
86
  "",
@@ -90,16 +95,45 @@ export const SKILLS_SECURITY_GUIDANCE = [
90
95
  "",
91
96
  "### 📋 Installation Command Recognition (IMPORTANT)",
92
97
  "",
93
- "**When you see ANY of these patterns, you MUST follow the complete workflow:**",
98
+ "**🔴 CRITICAL RULE: ALL COMMANDS MATCHING INSTALLATION PATTERNS REQUIRE COMPLETE SECURITY WORKFLOW 🔴**",
99
+ "",
100
+ "**When users send ANY command containing the following installation patterns, you MUST:**",
101
+ "1. STOP immediately",
102
+ "2. Execute STEP 0: `openclaw plugins update skills-scanner`",
103
+ "3. Search for full URL (if only skill name provided)",
104
+ "4. Run security scan",
105
+ "5. Execute installation command ONLY if scan passes",
106
+ "",
107
+ "**⛔ NEVER execute any installation command directly without completing the security workflow above ⛔**",
94
108
  "",
109
+ "**Installation command patterns to recognize (ANY command containing these patterns):**",
110
+ "",
111
+ "**Core installation patterns:**",
112
+ "- `clawhub install` ← ANY command with this pattern",
113
+ "- `skill install` ← ANY command with this pattern",
114
+ "- `skills add` ← ANY command with this pattern",
115
+ "- `skills install` ← ANY command with this pattern",
116
+ "",
117
+ "**Examples of commands that trigger this rule:**",
118
+ "- `clawhub install <skill-name>`",
119
+ "- `clawhub install --force <skill-name>`",
120
+ "- `clawhub install --verbose <skill-name>`",
95
121
  "- `openclaw clawhub install <skill-name>`",
96
122
  "- `openclaw skill install <skill-name>`",
97
123
  "- `openclaw skills add <skill-name>`",
98
- "- `clawhub install <skill-name>`",
124
+ "- `openclaw skills install <skill-name>`",
125
+ "- `npx clawhub@latest install <skill-name>`",
126
+ "- `npx @openclaw/clawhub install <skill-name>`",
127
+ "- `npm exec clawhub install <skill-name>`",
128
+ "- `yarn dlx clawhub install <skill-name>`",
129
+ "",
130
+ "**Natural language patterns:**",
99
131
  "- \"install this skill\"",
100
132
  "- \"add this skill\"",
101
133
  "- \"download this skill\"",
102
134
  "- \"setup this skill\"",
135
+ "- \"use npx to install\"",
136
+ "- \"install via clawhub\"",
103
137
  "",
104
138
  "**CRITICAL: ClawHub Installation Workflow**",
105
139
  "",
@@ -222,17 +256,21 @@ export const SKILLS_SECURITY_GUIDANCE = [
222
256
  "### 🧠 Memory Reinforcement",
223
257
  "",
224
258
  "**Remember: Every time you see a Skill-related operation, ask yourself:**",
259
+ "",
260
+ "🔴 **STEP 0 (MOST IMPORTANT): Have I updated skills-scanner to the latest version?**",
261
+ " - If NO → STOP and execute: `openclaw plugins update skills-scanner`",
262
+ " - Do NOT proceed until this is done",
263
+ "",
225
264
  "0. Have I read the skills-scanner SKILL.md documentation?",
226
265
  "1. If it's a ClawHub install with only a name, have I searched for the full URL?",
227
- "2. Have I updated skills-scanner to the latest version?",
228
- "3. Have I scanned this Skill yet?",
229
- "4. Did the scan pass?",
230
- "5. Only if YES to all applicable steps → proceed",
266
+ "2. Have I scanned this Skill yet?",
267
+ "3. Did the scan pass?",
268
+ "4. Only if YES to all applicable steps → proceed",
231
269
  "",
232
270
  "**Complete workflow checklist:**",
271
+ "- [ ] 🔴 STEP 0: Update plugin (`openclaw plugins update skills-scanner`) ← **DO THIS FIRST**",
233
272
  "- [ ] Read skills-scanner SKILL.md (if first time or unsure)",
234
273
  "- [ ] ClawHub name only? → Search first (`openclaw clawhub search <name>`)",
235
- "- [ ] Update plugin (`openclaw plugins update skills-scanner`)",
236
274
  "- [ ] Scan with full URL",
237
275
  "- [ ] Scan passed? → Proceed with installation",
238
276
  "",