@pwddd/skills-scanner 3.0.6 → 3.0.7

package/README.md

@@ -116,29 +116,22 @@ openclaw skills-scanner health
 
 ## 前置要求
 
-### 1. Python 3.10+（必需）
+### Python 3.10+（必需）
 
 ```bash
 # 检查 Python 版本
 python3 --version
-```
-
-### 2. 包管理器（二选一）
 
-**选项 A：uv（推荐，更快）**
+# macOS
+brew install python3
 
-```bash
-# macOS/Linux
-curl -LsSf https://astral.sh/uv/install.sh | sh
+# Linux
+apt-get install python3 python3-pip
 
-# 或使用 Homebrew
-brew install uv
+# Windows
+# 从 https://www.python.org/downloads/ 下载安装
 ```
 
-**选项 B：标准 pip（无需额外安装）**
-
-如果没有 uv，插件会自动使用 Python 自带的 `pip`。
-
 ### 2. 启动扫描 API 服务
 
 插件需要连接到 skill-scanner-api 服务进行实际的安全扫描。
@@ -165,14 +158,7 @@ skill-scanner-api
 ```bash
 # 手动安装依赖
 cd extensions/skills-scanner/skills/skills-scanner
-
-# 使用 uv（推荐）
-uv venv .venv --python 3.10
-uv pip install --python .venv/bin/python requests>=2.31.0
-
-# 或使用标准 Python
-python3 -m venv .venv
-.venv/bin/python -m pip install requests>=2.31.0
+python3 -m pip install --user "requests>=2.31.0"
 ```
 
 ### API 服务连接失败
@@ -216,8 +202,7 @@ extensions/skills-scanner/
 │   └── types.ts             # 类型定义
 └── skills/
     └── skills-scanner/
-        ├── scan.py          # Python 扫描脚本
-        └── .venv/           # Python 虚拟环境（自动创建）
+        └── scan.py          # Python 扫描脚本
 ```
 
 ## 许可证
@@ -403,17 +388,13 @@ openclaw skills-scanner clawhub https://clawhub.ai/username/project --json resul
 ## 依赖要求
 
 - Python 3.10+
-- uv（Python 包管理器）
 - skill-scanner-api 服务（需要单独运行）
 
 ### 安装依赖
 
 ```bash
-# macOS
-brew install uv
-
-# Linux
-curl -LsSf https://astral.sh/uv/install.sh | sh
+# 确保 Python 已安装
+python3 --version
 
 # 启动 API 服务
 skill-scanner-api
@@ -426,8 +407,7 @@ skill-scanner-api
 ```bash
 # 手动安装依赖
 cd extensions/skills-scanner/skills/skills-scanner
-uv venv .venv --python 3.10
-uv pip install --python .venv/bin/python requests
+python3 -m pip install --user "requests>=2.31.0"
 ```
 
 ### API 服务连接失败

package/index.ts

@@ -18,7 +18,7 @@ import {
   isFirstRun,
   markConfigReviewed,
 } from "./src/state.js";
-import { ensureDeps, isVenvReady } from "./src/deps.js";
+import { ensureDeps, getPythonCommand, isPythonReady } from "./src/deps.js";
 import { runScan } from "./src/scanner.js";
 import { buildDailyReport } from "./src/report.js";
 import { ensureCronJob } from "./src/cron.js";
@@ -31,11 +31,12 @@ import { HIGH_RISK_OPERATION_GUARD } from "./src/high-risk-operation-guard.js";
 // Constants
 const PLUGIN_ROOT = process.env.OPENCLAW_PLUGIN_ROOT || __dirname;
 const SKILL_DIR = join(PLUGIN_ROOT, "skills", "skills-scanner");
-const VENV_PYTHON = join(SKILL_DIR, ".venv", "bin", "python");
 const SCAN_SCRIPT = join(SKILL_DIR, "scan.py");
 const STATE_DIR = join(os.homedir(), ".openclaw", "skills-scanner");
 const QUARANTINE_DIR = join(STATE_DIR, "quarantine");
 
+const PYTHON_CMD = getPythonCommand();
+
 export default function register(api: OpenClawPluginApi) {
   const cfg: ScannerConfig =
     api.config?.plugins?.entries?.["skills-scanner"]?.config ?? {};
@@ -58,7 +59,7 @@ export default function register(api: OpenClawPluginApi) {
   api.logger.info(`[skills-scanner] API URL: ${apiUrl}`);
   api.logger.info(`[skills-scanner] Scan directories: ${scanDirs.join(", ")}`);
   api.logger.info(
-    `[skills-scanner] Python dependencies: ${isVenvReady(VENV_PYTHON) ? "✅ Ready" : "❌ Not installed"}`
+    `[skills-scanner] Python dependencies: ${isPythonReady(PYTHON_CMD) ? "✅ Ready" : "❌ Not installed"}`
   );
 
   // Inject system prompt guidance (can be disabled via config)
@@ -110,9 +111,9 @@ export default function register(api: OpenClawPluginApi) {
   }
 
   // Install dependencies immediately
-  if (!isVenvReady(VENV_PYTHON)) {
+  if (!isPythonReady(PYTHON_CMD)) {
     api.logger.info("[skills-scanner] Installing Python dependencies...");
-    ensureDeps(SKILL_DIR, VENV_PYTHON, api.logger)
+    ensureDeps(PYTHON_CMD, api.logger)
       .then((success) => {
         if (success) {
           api.logger.info("[skills-scanner] ✅ Dependencies installed");
@@ -140,7 +141,7 @@ export default function register(api: OpenClawPluginApi) {
     start: async () => {
       api.logger.info("[skills-scanner] 🚀 Service starting...");
 
-      const depsReady = await ensureDeps(SKILL_DIR, VENV_PYTHON, api.logger);
+      const depsReady = await ensureDeps(PYTHON_CMD, api.logger);
 
       if (!depsReady) {
         api.logger.error("[skills-scanner] ❌ Dependencies installation failed");
@@ -158,7 +159,7 @@ export default function register(api: OpenClawPluginApi) {
           policy,
           persistWatcherAlert,
           api.logger,
-          VENV_PYTHON,
+          PYTHON_CMD,
           SCAN_SCRIPT,
           QUARANTINE_DIR
         );
@@ -192,7 +193,7 @@ export default function register(api: OpenClawPluginApi) {
     policy,
     preInstallScan,
     onUnsafe,
-    VENV_PYTHON,
+    PYTHON_CMD,
     SCAN_SCRIPT,
     api.logger
   );
@@ -261,9 +262,9 @@ export default function register(api: OpenClawPluginApi) {
   api.registerGatewayMethod("skillsScanner.scan", async ({ respond, params }: any) => {
     const { path: p, mode = "scan", recursive = false, detailed = false } = params ?? {};
     if (!p) return respond(false, { error: "Missing path parameter" });
-    if (!isVenvReady(VENV_PYTHON))
+    if (!isPythonReady(PYTHON_CMD))
       return respond(false, { error: "Python dependencies not ready" });
-    const res = await runScan(VENV_PYTHON, SCAN_SCRIPT, mode === "batch" ? "batch" : "scan", expandPath(p), {
+    const res = await runScan(PYTHON_CMD, SCAN_SCRIPT, mode === "batch" ? "batch" : "scan", expandPath(p), {
       recursive,
       detailed,
       behavioral,
@@ -279,7 +280,7 @@ export default function register(api: OpenClawPluginApi) {
   });
 
   api.registerGatewayMethod("skillsScanner.report", async ({ respond }: any) => {
-    if (!isVenvReady(VENV_PYTHON))
+    if (!isPythonReady(PYTHON_CMD))
       return respond(false, { error: "Python dependencies not ready" });
     if (scanDirs.length === 0) return respond(false, { error: "No scan directories found" });
     const report = await buildDailyReport(
@@ -289,7 +290,7 @@ export default function register(api: OpenClawPluginApi) {
       useLLM,
       policy,
       api.logger,
-      VENV_PYTHON,
+      PYTHON_CMD,
       SCAN_SCRIPT
     );
     respond(true, { report, state: loadState() });
@@ -306,7 +307,7 @@ export default function register(api: OpenClawPluginApi) {
         .option("--detailed", "显示所有发现")
         .option("--behavioral", "启用行为分析")
         .action(async (p: string, opts: any) => {
-          const res = await runScan(VENV_PYTHON, SCAN_SCRIPT, "scan", expandPath(p), {
+          const res = await runScan(PYTHON_CMD, SCAN_SCRIPT, "scan", expandPath(p), {
             ...opts,
             apiUrl,
             useLLM,
@@ -323,7 +324,7 @@ export default function register(api: OpenClawPluginApi) {
         .option("--detailed", "显示所有发现")
         .option("--behavioral", "启用行为分析")
         .action(async (d: string, opts: any) => {
-          const res = await runScan(VENV_PYTHON, SCAN_SCRIPT, "batch", expandPath(d), {
+          const res = await runScan(PYTHON_CMD, SCAN_SCRIPT, "batch", expandPath(d), {
             ...opts,
             apiUrl,
             useLLM,
@@ -344,7 +345,7 @@ export default function register(api: OpenClawPluginApi) {
             useLLM,
             policy,
             console,
-            VENV_PYTHON,
+            PYTHON_CMD,
             SCAN_SCRIPT
           );
           console.log(report);
@@ -354,7 +355,7 @@ export default function register(api: OpenClawPluginApi) {
         .command("health")
         .description("检查 API 服务健康状态")
         .action(async () => {
-          if (!isVenvReady(VENV_PYTHON)) {
+          if (!isPythonReady(PYTHON_CMD)) {
             console.error("❌ Python 依赖未就绪");
             process.exit(1);
           }
@@ -364,7 +365,7 @@ export default function register(api: OpenClawPluginApi) {
             const { promisify } = await import("node:util");
             const execAsync = promisify(exec);
 
-            const cmd = `"${VENV_PYTHON}" "${SCAN_SCRIPT}" --api-url "${apiUrl}" health`;
+            const cmd = `"${PYTHON_CMD}" "${SCAN_SCRIPT}" --api-url "${apiUrl}" health`;
             const env = { ...process.env };
             delete env.http_proxy;
             delete env.https_proxy;
@@ -395,3 +396,6 @@ export default function register(api: OpenClawPluginApi) {
 
   api.logger.info("[skills-scanner] ✅ Plugin registered");
 }
+
+
+

package/openclaw.plugin.json

@@ -2,7 +2,7 @@
   "id": "skills-scanner",
   "name": "Skills Scanner",
   "description": "Security scanner for OpenClaw Skills to detect potential threats",
-  "version": "3.0.6",
+  "version": "3.0.7",
   "author": "pwddd",
   "skills": ["./skills"],
   "configSchema": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pwddd/skills-scanner",
-  "version": "3.0.6",
+  "version": "3.0.7",
   "description": "OpenClaw Skills security scanner plugin - detect malicious code, data exfiltration, and prompt injection",
   "type": "module",
   "main": "./index.ts",

package/skills/skills-scanner/SKILL.md

@@ -29,7 +29,7 @@ OpenClaw Skills 安全扫描工具，检测恶意代码、数据窃取、提示
 
 **检查方法**：
 ```bash
-{baseDir}/.venv/bin/python {baseDir}/scan.py --api-url http://localhost:8000 health
+python3 {baseDir}/scan.py --api-url http://localhost:8000 health
 ```
 
 **处理规则**：
@@ -144,19 +144,13 @@ VirusTotal 是业界权威的多引擎病毒扫描服务，其结果具有极高
 
 ```bash
 # 检查 Python 是否可用
-which python3 || echo "请安装 Python 3.10+"
+python3 --version || echo "请安装 Python 3.10+"
 
-# 方式 1：使用 uv（推荐，更快）
-which uv || echo "安装 uv: brew install uv 或 curl -LsSf https://astral.sh/uv/install.sh | sh"
-uv venv {baseDir}/.venv --python 3.10 --quiet
-uv pip install --python {baseDir}/.venv/bin/python requests --quiet
-
-# 方式 2：使用标准 Python（无需 uv）
-python3 -m venv {baseDir}/.venv
-{baseDir}/.venv/bin/python -m pip install --quiet requests
+# 安装依赖到主机环境
+python3 -m pip install --user --quiet "requests>=2.31.0"
 ```
 
-安装只需执行一次。插件会自动选择可用的工具（优先使用 uv，回退到 python3）。
+安装只需执行一次。插件会自动处理依赖安装。
 
 ## 配置
 
@@ -179,7 +173,7 @@ python3 -m venv {baseDir}/.venv
 或直接调用时使用 `--api-url` 参数：
 
 ```bash
-{baseDir}/.venv/bin/python {baseDir}/scan.py --api-url http://localhost:8000 scan <路径>
+python3 {baseDir}/scan.py --api-url http://localhost:8000 scan <路径>
 ```
 
 ---
@@ -204,7 +198,7 @@ python3 -m venv {baseDir}/.venv
 适用于快速安全检查，显示总体安全状态和严重问题。
 
 ```bash
-{baseDir}/.venv/bin/python {baseDir}/scan.py --api-url {apiUrl} clawhub <clawhub_url>
+python3 {baseDir}/scan.py --api-url {apiUrl} clawhub <clawhub_url>
 ```
 
 **示例输出**：
@@ -219,7 +213,7 @@ python3 -m venv {baseDir}/.venv
 显示每个安全发现的详细信息，包括类别、描述、文件位置等。
 
 ```bash
-{baseDir}/.venv/bin/python {baseDir}/scan.py --api-url {apiUrl} clawhub <clawhub_url> --detailed
+python3 {baseDir}/scan.py --api-url {apiUrl} clawhub <clawhub_url> --detailed
 ```
 
 **示例输出**：
@@ -240,7 +234,7 @@ python3 -m venv {baseDir}/.venv
 启用 AST 数据流分析，更准确地检测复杂的安全威胁。扫描时间较长但更全面。
 
 ```bash
-{baseDir}/.venv/bin/python {baseDir}/scan.py --api-url {apiUrl} clawhub <clawhub_url> --detailed --behavioral
+python3 {baseDir}/scan.py --api-url {apiUrl} clawhub <clawhub_url> --detailed --behavioral
 ```
 
 **适用场景**：
@@ -253,7 +247,7 @@ python3 -m venv {baseDir}/.venv
 使用 LLM 进行语义分析，检测隐蔽的恶意模式和提示注入。需要 API 服务配置 LLM 支持。
 
 ```bash
-{baseDir}/.venv/bin/python {baseDir}/scan.py --api-url {apiUrl} clawhub <clawhub_url> --detailed --behavioral --llm
+python3 {baseDir}/scan.py --api-url {apiUrl} clawhub <clawhub_url> --detailed --behavioral --llm
 ```
 
 **适用场景**：
@@ -265,13 +259,13 @@ python3 -m venv {baseDir}/.venv
 
 ```bash
 # 严格模式（最保守，任何可疑行为都标记）
-{baseDir}/.venv/bin/python {baseDir}/scan.py --api-url {apiUrl} clawhub <clawhub_url> --policy strict
+python3 {baseDir}/scan.py --api-url {apiUrl} clawhub <clawhub_url> --policy strict
 
 # 平衡模式（推荐，默认）
-{baseDir}/.venv/bin/python {baseDir}/scan.py --api-url {apiUrl} clawhub <clawhub_url> --policy balanced
+python3 {baseDir}/scan.py --api-url {apiUrl} clawhub <clawhub_url> --policy balanced
 
 # 宽松模式（只标记明确的威胁）
-{baseDir}/.venv/bin/python {baseDir}/scan.py --api-url {apiUrl} clawhub <clawhub_url> --policy permissive
+python3 {baseDir}/scan.py --api-url {apiUrl} clawhub <clawhub_url> --policy permissive
 ```
 
 ### 保存扫描结果
@@ -279,7 +273,7 @@ python3 -m venv {baseDir}/.venv
 将扫描结果保存为 JSON 文件，便于后续分析或存档。
 
 ```bash
-{baseDir}/.venv/bin/python {baseDir}/scan.py --api-url {apiUrl} clawhub <clawhub_url> --detailed --json /tmp/scan-result.json
+python3 {baseDir}/scan.py --api-url {apiUrl} clawhub <clawhub_url> --detailed --json /tmp/scan-result.json
 ```
 
 ### 实际使用示例
@@ -287,7 +281,7 @@ python3 -m venv {baseDir}/.venv
 #### 示例 1：快速检查日历 Skill
 
 ```bash
-{baseDir}/.venv/bin/python {baseDir}/scan.py --api-url {apiUrl} clawhub https://clawhub.ai/Asleep123/caldav-calendar
+python3 {baseDir}/scan.py --api-url {apiUrl} clawhub https://clawhub.ai/Asleep123/caldav-calendar
 ```
 
 **用户对话**：
@@ -303,7 +297,7 @@ AI: 好的，让我先扫描一下这个 skill 的安全性...
 #### 示例 2：详细检查 PDF Skill
 
 ```bash
-{baseDir}/.venv/bin/python {baseDir}/scan.py --api-url http://localhost:8000 clawhub https://clawhub.ai/steipete/nano-pdf --detailed
+python3 {baseDir}/scan.py --api-url http://localhost:8000 clawhub https://clawhub.ai/steipete/nano-pdf --detailed
 ```
 
 **用户对话**：
@@ -326,7 +320,7 @@ AI: 好的，我会进行详细扫描...
 #### 示例 3：深度扫描可疑 Skill
 
 ```bash
-{baseDir}/.venv/bin/python {baseDir}/scan.py --api-url http://localhost:8000 clawhub https://clawhub.ai/username/suspicious-skill --detailed --behavioral --policy strict
+python3 {baseDir}/scan.py --api-url http://localhost:8000 clawhub https://clawhub.ai/username/suspicious-skill --detailed --behavioral --policy strict
 ```
 
 **用户对话**：
@@ -349,7 +343,7 @@ AI: 明白，我会使用严格模式进行深度扫描...
 #### 示例 4：包含 VirusTotal 扫描结果
 
 ```bash
-{baseDir}/.venv/bin/python {baseDir}/scan.py --api-url http://localhost:8000 clawhub https://clawhub.ai/username/project --detailed
+python3 {baseDir}/scan.py --api-url http://localhost:8000 clawhub https://clawhub.ai/username/project --detailed
 ```
 
 **用户对话（未检测到威胁）**：
@@ -462,25 +456,25 @@ https://clawhub.ai/<username>/<project>
 ### 基础扫描（推荐，速度快）
 
 ```bash
-{baseDir}/.venv/bin/python {baseDir}/scan.py --api-url http://localhost:8000 scan <skill路径>
+python3 {baseDir}/scan.py --api-url http://localhost:8000 scan <skill路径>
 ```
 
 ### 详细模式（显示所有发现）
 
 ```bash
-{baseDir}/.venv/bin/python {baseDir}/scan.py --api-url http://localhost:8000 scan <skill路径> --detailed
+python3 {baseDir}/scan.py --api-url http://localhost:8000 scan <skill路径> --detailed
 ```
 
 ### 深度扫描（加入行为分析）
 
 ```bash
-{baseDir}/.venv/bin/python {baseDir}/scan.py --api-url http://localhost:8000 scan <skill路径> --detailed --behavioral
+python3 {baseDir}/scan.py --api-url http://localhost:8000 scan <skill路径> --detailed --behavioral
 ```
 
 ### 最强扫描（加入 LLM 语义分析）
 
 ```bash
-{baseDir}/.venv/bin/python {baseDir}/scan.py --api-url http://localhost:8000 scan <skill路径> --detailed --behavioral --llm
+python3 {baseDir}/scan.py --api-url http://localhost:8000 scan <skill路径> --detailed --behavioral --llm
 ```
 
 ---
@@ -492,31 +486,31 @@ https://clawhub.ai/<username>/<project>
 ### 扫描指定目录下的所有 Skills
 
 ```bash
-{baseDir}/.venv/bin/python {baseDir}/scan.py --api-url http://localhost:8000 batch <目录路径>
+python3 {baseDir}/scan.py --api-url http://localhost:8000 batch <目录路径>
 ```
 
 ### 递归扫描（含子目录）
 
 ```bash
-{baseDir}/.venv/bin/python {baseDir}/scan.py --api-url http://localhost:8000 batch <目录路径> --recursive
+python3 {baseDir}/scan.py --api-url http://localhost:8000 batch <目录路径> --recursive
 ```
 
 ### 批量扫描并输出 JSON 报告
 
 ```bash
-{baseDir}/.venv/bin/python {baseDir}/scan.py --api-url http://localhost:8000 batch <目录路径> --detailed --json /tmp/scan-report.json
+python3 {baseDir}/scan.py --api-url http://localhost:8000 batch <目录路径> --detailed --json /tmp/scan-report.json
 ```
 
 ### 常用目录示例
 
 扫描 OpenClaw 默认 skills 目录：
 ```bash
-{baseDir}/.venv/bin/python {baseDir}/scan.py --api-url http://localhost:8000 batch ~/.openclaw/skills
+python3 {baseDir}/scan.py --api-url http://localhost:8000 batch ~/.openclaw/skills
 ```
 
 扫描 workspace skills：
 ```bash
-{baseDir}/.venv/bin/python {baseDir}/scan.py --api-url http://localhost:8000 batch ~/.openclaw/workspace/skills --recursive
+python3 {baseDir}/scan.py --api-url http://localhost:8000 batch ~/.openclaw/workspace/skills --recursive
 ```
 
 ---
@@ -526,7 +520,7 @@ https://clawhub.ai/<username>/<project>
 检查 API 服务是否运行：
 
 ```bash
-{baseDir}/.venv/bin/python {baseDir}/scan.py --api-url http://localhost:8000 health
+python3 {baseDir}/scan.py --api-url http://localhost:8000 health
 ```
 
 ---
@@ -638,3 +632,4 @@ https://clawhub.ai/<username>/<project>
 ```
 
 **即使其他分析器显示安全，VirusTotal 检测到威胁时也必须警告用户！**
+

package/skills/skills-scanner/scan.py

@@ -7,7 +7,7 @@
 OpenClaw Skills 安全扫描器 (HTTP 客户端)
 通过 HTTP API 调用远程 skill-scanner-api 服务
 
-注意：此脚本必须使用 venv 中的 Python 运行
+注意：此脚本使用系统 Python 运行，需确保已安装 requests 依赖
 """
 
 import sys
@@ -26,7 +26,7 @@ try:
 except ImportError as e:
     print("❌ requests 未安装。")
     print(f"   导入错误: {e}")
-    print("   请运行: pip install requests 或 uv pip install requests")
+    print("   请运行: pip install requests")
     sys.exit(1)