@token-security/clawdit 0.1.0

package/dist/checks/chan-002-group-policy.js

@@ -0,0 +1,43 @@
+/**
+ * CHAN-002: Group policy not set to allowlist
+ *
+ * Detects when a channel's groupPolicy is not set to 'allowlist',
+ * potentially allowing messages from unauthorized groups.
+ */
+import { getValueAtPath } from '../utils.js';
+const check = {
+    id: 'CHAN-002',
+    severity: 'MEDIUM',
+    name: 'Group policy not set to allowlist',
+    execute(ctx) {
+        const findings = [];
+        const channels = getValueAtPath(ctx.config, 'channels');
+        if (!channels || typeof channels !== 'object')
+            return [];
+        for (const [channelName, channelConfig] of Object.entries(channels)) {
+            if (!channelConfig || typeof channelConfig !== 'object')
+                continue;
+            const groupPolicy = channelConfig.groupPolicy;
+            // Only 'allowlist' is considered secure
+            if (groupPolicy !== undefined && groupPolicy !== 'allowlist') {
+                findings.push({
+                    id: 'CHAN-002',
+                    severity: 'MEDIUM',
+                    name: 'Group policy not set to allowlist',
+                    location: { file: ctx.configPath, path: `channels.${channelName}.groupPolicy` },
+                    currentValue: groupPolicy,
+                    expectedValue: 'allowlist',
+                    risk: `Channel "${channelName}" uses "${groupPolicy}" group policy. This could allow messages from unauthorized groups or channels.`,
+                    fix: {
+                        description: 'Set group policy to allowlist',
+                        command: `jq '.channels["${channelName}"].groupPolicy = "allowlist"' ${ctx.configPath} > tmp.json && mv tmp.json ${ctx.configPath}`,
+                    },
+                    references: ['https://docs.openclaw.ai/channels/security#group-policy'],
+                });
+            }
+        }
+        return findings;
+    },
+};
+export default check;
+//# sourceMappingURL=chan-002-group-policy.js.map

package/dist/checks/chan-003-no-mention.d.ts

@@ -0,0 +1,10 @@
+/**
+ * CHAN-003: Require mention disabled in groups
+ *
+ * Detects when requireMention is disabled for group channels,
+ * allowing the bot to respond to any message without being mentioned.
+ */
+import type { Check } from './types.js';
+declare const check: Check;
+export default check;
+//# sourceMappingURL=chan-003-no-mention.d.ts.map

package/dist/checks/chan-003-no-mention.js

@@ -0,0 +1,45 @@
+/**
+ * CHAN-003: Require mention disabled in groups
+ *
+ * Detects when requireMention is disabled for group channels,
+ * allowing the bot to respond to any message without being mentioned.
+ */
+import { getValueAtPath } from '../utils.js';
+const check = {
+    id: 'CHAN-003',
+    severity: 'LOW',
+    name: 'Require mention disabled in groups',
+    execute(ctx) {
+        const findings = [];
+        const channels = getValueAtPath(ctx.config, 'channels');
+        if (!channels || typeof channels !== 'object')
+            return [];
+        for (const [channelName, channelConfig] of Object.entries(channels)) {
+            if (!channelConfig || typeof channelConfig !== 'object')
+                continue;
+            const config = channelConfig;
+            const requireMention = config.requireMention;
+            const channelType = config.type;
+            // Only flag for group channels where requireMention is explicitly false
+            if (requireMention === false && (channelType === 'group' || channelType === undefined)) {
+                findings.push({
+                    id: 'CHAN-003',
+                    severity: 'LOW',
+                    name: 'Require mention disabled in groups',
+                    location: { file: ctx.configPath, path: `channels.${channelName}.requireMention` },
+                    currentValue: requireMention,
+                    expectedValue: 'true (or not set)',
+                    risk: `Channel "${channelName}" responds to all messages without requiring a mention. This increases exposure to prompt injection and noise.`,
+                    fix: {
+                        description: 'Enable require mention for groups',
+                        command: `jq '.channels["${channelName}"].requireMention = true' ${ctx.configPath} > tmp.json && mv tmp.json ${ctx.configPath}`,
+                    },
+                    references: ['https://docs.openclaw.ai/channels/security#require-mention'],
+                });
+            }
+        }
+        return findings;
+    },
+};
+export default check;
+//# sourceMappingURL=chan-003-no-mention.js.map

package/dist/checks/chan-004-dm-isolation.d.ts

@@ -0,0 +1,10 @@
+/**
+ * CHAN-004: DM session isolation disabled
+ *
+ * Detects when session.dmScope is not set to 'per-channel-peer' in configs
+ * where multiple users can DM the bot, potentially allowing session cross-contamination.
+ */
+import type { Check } from './types.js';
+declare const check: Check;
+export default check;
+//# sourceMappingURL=chan-004-dm-isolation.d.ts.map

package/dist/checks/chan-004-dm-isolation.js

@@ -0,0 +1,50 @@
+/**
+ * CHAN-004: DM session isolation disabled
+ *
+ * Detects when session.dmScope is not set to 'per-channel-peer' in configs
+ * where multiple users can DM the bot, potentially allowing session cross-contamination.
+ */
+import { getValueAtPath } from '../utils.js';
+const check = {
+    id: 'CHAN-004',
+    severity: 'MEDIUM',
+    name: 'DM session isolation disabled',
+    execute(ctx) {
+        const findings = [];
+        const channels = getValueAtPath(ctx.config, 'channels');
+        if (!channels || typeof channels !== 'object')
+            return [];
+        for (const [channelName, channelConfig] of Object.entries(channels)) {
+            if (!channelConfig || typeof channelConfig !== 'object')
+                continue;
+            const config = channelConfig;
+            const dmPolicy = config.dmPolicy;
+            const allowFrom = config.allowFrom;
+            const session = config.session;
+            const dmScope = session?.dmScope;
+            // Check if multiple users can DM
+            const multipleUsersCanDM = dmPolicy === 'open' ||
+                (dmPolicy === 'allowlist' && Array.isArray(allowFrom) && allowFrom.length > 1);
+            // If multiple users can DM and dmScope isn't per-channel-peer, flag it
+            if (multipleUsersCanDM && dmScope !== 'per-channel-peer') {
+                findings.push({
+                    id: 'CHAN-004',
+                    severity: 'MEDIUM',
+                    name: 'DM session isolation disabled',
+                    location: { file: ctx.configPath, path: `channels.${channelName}.session.dmScope` },
+                    currentValue: dmScope ?? 'not set',
+                    expectedValue: 'per-channel-peer',
+                    risk: `Channel "${channelName}" allows multiple users to DM without session isolation. Users could potentially access each other's session context.`,
+                    fix: {
+                        description: 'Enable per-channel-peer session isolation',
+                        command: `jq '.channels["${channelName}"].session.dmScope = "per-channel-peer"' ${ctx.configPath} > tmp.json && mv tmp.json ${ctx.configPath}`,
+                    },
+                    references: ['https://docs.openclaw.ai/channels/security#session-isolation'],
+                });
+            }
+        }
+        return findings;
+    },
+};
+export default check;
+//# sourceMappingURL=chan-004-dm-isolation.js.map

package/dist/checks/chan-005-verbose-groups.d.ts

@@ -0,0 +1,10 @@
+/**
+ * CHAN-005: Verbose/reasoning enabled in groups
+ *
+ * Detects when verbose mode or reasoning mode is enabled in group channels,
+ * which could leak internal processing details.
+ */
+import type { Check } from './types.js';
+declare const check: Check;
+export default check;
+//# sourceMappingURL=chan-005-verbose-groups.d.ts.map

package/dist/checks/chan-005-verbose-groups.js

@@ -0,0 +1,53 @@
+/**
+ * CHAN-005: Verbose/reasoning enabled in groups
+ *
+ * Detects when verbose mode or reasoning mode is enabled in group channels,
+ * which could leak internal processing details.
+ */
+import { getValueAtPath } from '../utils.js';
+const check = {
+    id: 'CHAN-005',
+    severity: 'LOW',
+    name: 'Verbose/reasoning enabled in groups',
+    execute(ctx) {
+        const findings = [];
+        const channels = getValueAtPath(ctx.config, 'channels');
+        if (!channels || typeof channels !== 'object')
+            return [];
+        for (const [channelName, channelConfig] of Object.entries(channels)) {
+            if (!channelConfig || typeof channelConfig !== 'object')
+                continue;
+            const config = channelConfig;
+            const channelType = config.type;
+            const verbose = config.verbose;
+            const reasoning = config.reasoning;
+            // Only check group channels (type: group or undefined)
+            if (channelType !== 'dm') {
+                const issues = [];
+                if (verbose === true)
+                    issues.push('verbose');
+                if (reasoning === true)
+                    issues.push('reasoning');
+                if (issues.length > 0) {
+                    findings.push({
+                        id: 'CHAN-005',
+                        severity: 'LOW',
+                        name: 'Verbose/reasoning enabled in groups',
+                        location: { file: ctx.configPath, path: `channels.${channelName}` },
+                        currentValue: issues.join(', ') + ' enabled',
+                        expectedValue: 'verbose: false, reasoning: false',
+                        risk: `Channel "${channelName}" has ${issues.join(' and ')} mode enabled. This exposes internal processing details to all group members.`,
+                        fix: {
+                            description: 'Disable verbose and reasoning modes in groups',
+                            command: `jq '.channels["${channelName}"].verbose = false | .channels["${channelName}"].reasoning = false' ${ctx.configPath} > tmp.json && mv tmp.json ${ctx.configPath}`,
+                        },
+                        references: ['https://docs.openclaw.ai/channels/security#output-modes'],
+                    });
+                }
+            }
+        }
+        return findings;
+    },
+};
+export default check;
+//# sourceMappingURL=chan-005-verbose-groups.js.map

package/dist/checks/disc-001-mdns-full.d.ts

@@ -0,0 +1,10 @@
+/**
+ * DISC-001: mDNS full mode exposes system info
+ *
+ * Detects when mDNS discovery is set to full mode, broadcasting
+ * detailed system information on the local network.
+ */
+import type { Check } from './types.js';
+declare const check: Check;
+export default check;
+//# sourceMappingURL=disc-001-mdns-full.d.ts.map

package/dist/checks/disc-001-mdns-full.js

@@ -0,0 +1,34 @@
+/**
+ * DISC-001: mDNS full mode exposes system info
+ *
+ * Detects when mDNS discovery is set to full mode, broadcasting
+ * detailed system information on the local network.
+ */
+import { getValueAtPath } from '../utils.js';
+const check = {
+    id: 'DISC-001',
+    severity: 'MEDIUM',
+    name: 'mDNS full mode exposes system info',
+    execute(ctx) {
+        const mode = getValueAtPath(ctx.config, 'discovery.mdns.mode');
+        if (mode === 'full') {
+            return [{
+                    id: 'DISC-001',
+                    severity: 'MEDIUM',
+                    name: 'mDNS full mode exposes system info',
+                    location: { file: ctx.configPath, path: 'discovery.mdns.mode' },
+                    currentValue: 'full',
+                    expectedValue: 'minimal or off',
+                    risk: 'Full mDNS mode broadcasts detailed system information on the local network, aiding reconnaissance by attackers.',
+                    fix: {
+                        description: 'Set mDNS to minimal or off',
+                        command: `jq '.discovery.mdns.mode = "minimal"' ${ctx.configPath} > tmp.json && mv tmp.json ${ctx.configPath}`,
+                    },
+                    references: ['https://docs.openclaw.ai/discovery/mdns'],
+                }];
+        }
+        return [];
+    },
+};
+export default check;
+//# sourceMappingURL=disc-001-mdns-full.js.map

package/dist/checks/disc-002-mdns-enabled.d.ts

@@ -0,0 +1,10 @@
+/**
+ * DISC-002: mDNS enabled (information disclosure)
+ *
+ * Detects when mDNS discovery mode is not set to 'off',
+ * potentially advertising the service on the local network.
+ */
+import type { Check } from './types.js';
+declare const check: Check;
+export default check;
+//# sourceMappingURL=disc-002-mdns-enabled.d.ts.map

package/dist/checks/disc-002-mdns-enabled.js

@@ -0,0 +1,35 @@
+/**
+ * DISC-002: mDNS enabled (information disclosure)
+ *
+ * Detects when mDNS discovery mode is not set to 'off',
+ * potentially advertising the service on the local network.
+ */
+import { getValueAtPath } from '../utils.js';
+const check = {
+    id: 'DISC-002',
+    severity: 'LOW',
+    name: 'mDNS enabled (information disclosure)',
+    execute(ctx) {
+        const mdnsMode = getValueAtPath(ctx.config, 'discovery.mdns.mode');
+        // Flag if mDNS is explicitly enabled (not off or undefined)
+        if (mdnsMode !== undefined && mdnsMode !== 'off') {
+            return [{
+                    id: 'DISC-002',
+                    severity: 'LOW',
+                    name: 'mDNS enabled (information disclosure)',
+                    location: { file: ctx.configPath, path: 'discovery.mdns.mode' },
+                    currentValue: mdnsMode,
+                    expectedValue: 'off',
+                    risk: 'mDNS broadcasts the service presence on the local network. Attackers on the same network can easily discover the OpenClaw instance.',
+                    fix: {
+                        description: 'Disable mDNS discovery',
+                        command: `jq '.discovery.mdns.mode = "off"' ${ctx.configPath} > tmp.json && mv tmp.json ${ctx.configPath}`,
+                    },
+                    references: ['https://docs.openclaw.ai/discovery/security#mdns'],
+                }];
+        }
+        return [];
+    },
+};
+export default check;
+//# sourceMappingURL=disc-002-mdns-enabled.js.map

package/dist/checks/exec-001-full-security.d.ts

@@ -0,0 +1,10 @@
+/**
+ * EXEC-001: Exec security set to full
+ *
+ * Detects when exec security is set to "full", allowing arbitrary
+ * command execution without restrictions.
+ */
+import type { Check } from './types.js';
+declare const check: Check;
+export default check;
+//# sourceMappingURL=exec-001-full-security.d.ts.map

package/dist/checks/exec-001-full-security.js

@@ -0,0 +1,34 @@
+/**
+ * EXEC-001: Exec security set to full
+ *
+ * Detects when exec security is set to "full", allowing arbitrary
+ * command execution without restrictions.
+ */
+import { getValueAtPath } from '../utils.js';
+const check = {
+    id: 'EXEC-001',
+    severity: 'HIGH',
+    name: 'Exec security set to full',
+    execute(ctx) {
+        const security = getValueAtPath(ctx.config, 'tools.exec.security');
+        if (security === 'full') {
+            return [{
+                    id: 'EXEC-001',
+                    severity: 'HIGH',
+                    name: 'Exec security set to full',
+                    location: { file: ctx.configPath, path: 'tools.exec.security' },
+                    currentValue: 'full',
+                    expectedValue: 'restricted or sandbox',
+                    risk: 'Full exec security allows arbitrary command execution without restrictions. Malicious prompts can execute any system command.',
+                    fix: {
+                        description: 'Set exec security to restricted',
+                        command: `jq '.tools.exec.security = "restricted"' ${ctx.configPath} > tmp.json && mv tmp.json ${ctx.configPath}`,
+                    },
+                    references: ['https://docs.openclaw.ai/tools/exec#security-modes'],
+                }];
+        }
+        return [];
+    },
+};
+export default check;
+//# sourceMappingURL=exec-001-full-security.js.map

package/dist/checks/exec-002-sandbox-disabled.d.ts

@@ -0,0 +1,10 @@
+/**
+ * EXEC-002: Sandbox disabled for all sessions
+ *
+ * Detects when the sandbox mode is set to "off", allowing all commands
+ * to execute directly on the host system.
+ */
+import type { Check } from './types.js';
+declare const check: Check;
+export default check;
+//# sourceMappingURL=exec-002-sandbox-disabled.d.ts.map

package/dist/checks/exec-002-sandbox-disabled.js

@@ -0,0 +1,34 @@
+/**
+ * EXEC-002: Sandbox disabled for all sessions
+ *
+ * Detects when the sandbox mode is set to "off", allowing all commands
+ * to execute directly on the host system.
+ */
+import { getValueAtPath } from '../utils.js';
+const check = {
+    id: 'EXEC-002',
+    severity: 'HIGH',
+    name: 'Sandbox disabled for all sessions',
+    execute(ctx) {
+        const mode = getValueAtPath(ctx.config, 'agents.defaults.sandbox.mode');
+        if (mode === 'off') {
+            return [{
+                    id: 'EXEC-002',
+                    severity: 'HIGH',
+                    name: 'Sandbox disabled for all sessions',
+                    location: { file: ctx.configPath, path: 'agents.defaults.sandbox.mode' },
+                    currentValue: 'off',
+                    expectedValue: 'all or non-main',
+                    risk: 'All commands execute directly on the host system without isolation. Malicious prompts can modify system files, install malware, or exfiltrate data.',
+                    fix: {
+                        description: 'Enable sandbox for all sessions',
+                        command: `jq '.agents.defaults.sandbox.mode = "all"' ${ctx.configPath} > tmp.json && mv tmp.json ${ctx.configPath}`,
+                    },
+                    references: ['https://docs.openclaw.ai/agents/sandbox'],
+                }];
+        }
+        return [];
+    },
+};
+export default check;
+//# sourceMappingURL=exec-002-sandbox-disabled.js.map

package/dist/checks/exec-003-elevated-unrestricted.d.ts

@@ -0,0 +1,10 @@
+/**
+ * EXEC-003: Elevated mode enabled without restrictions
+ *
+ * Detects when elevated mode is enabled without an allowFrom restriction,
+ * allowing any session to bypass sandbox isolation.
+ */
+import type { Check } from './types.js';
+declare const check: Check;
+export default check;
+//# sourceMappingURL=exec-003-elevated-unrestricted.d.ts.map

package/dist/checks/exec-003-elevated-unrestricted.js

@@ -0,0 +1,38 @@
+/**
+ * EXEC-003: Elevated mode enabled without restrictions
+ *
+ * Detects when elevated mode is enabled without an allowFrom restriction,
+ * allowing any session to bypass sandbox isolation.
+ */
+import { getValueAtPath } from '../utils.js';
+const check = {
+    id: 'EXEC-003',
+    severity: 'HIGH',
+    name: 'Elevated mode enabled without restrictions',
+    execute(ctx) {
+        const enabled = getValueAtPath(ctx.config, 'tools.elevated.enabled');
+        const allowFrom = getValueAtPath(ctx.config, 'tools.elevated.allowFrom');
+        if (enabled === true) {
+            const hasRestrictions = Array.isArray(allowFrom) && allowFrom.length > 0;
+            if (!hasRestrictions) {
+                return [{
+                        id: 'EXEC-003',
+                        severity: 'HIGH',
+                        name: 'Elevated mode enabled without restrictions',
+                        location: { file: ctx.configPath, path: 'tools.elevated' },
+                        currentValue: 'enabled with no allowFrom restrictions',
+                        expectedValue: 'tools.elevated.allowFrom configured with specific sources',
+                        risk: 'Elevated mode bypasses sandbox isolation and executes directly on the host. Without restrictions, any session can use elevated commands.',
+                        fix: {
+                            description: 'Disable elevated mode or configure allowFrom',
+                            command: `jq '.tools.elevated.enabled = false' ${ctx.configPath} > tmp.json && mv tmp.json ${ctx.configPath}`,
+                        },
+                        references: ['https://docs.openclaw.ai/tools/elevated'],
+                    }];
+            }
+        }
+        return [];
+    },
+};
+export default check;
+//# sourceMappingURL=exec-003-elevated-unrestricted.js.map

package/dist/checks/exec-004-approval-fallback.d.ts

@@ -0,0 +1,10 @@
+/**
+ * EXEC-004: Exec approval fallback not set to deny
+ *
+ * Detects when exec-approvals.json has askFallback set to something other than 'deny',
+ * which could allow commands through when no explicit approval rule matches.
+ */
+import type { Check } from './types.js';
+declare const check: Check;
+export default check;
+//# sourceMappingURL=exec-004-approval-fallback.d.ts.map

package/dist/checks/exec-004-approval-fallback.js

@@ -0,0 +1,50 @@
+/**
+ * EXEC-004: Exec approval fallback not set to deny
+ *
+ * Detects when exec-approvals.json has askFallback set to something other than 'deny',
+ * which could allow commands through when no explicit approval rule matches.
+ */
+import { join } from 'node:path';
+import { existsSync, readFileSync } from 'node:fs';
+const check = {
+    id: 'EXEC-004',
+    severity: 'MEDIUM',
+    name: 'Exec approval fallback not set to deny',
+    execute(ctx) {
+        // Look for exec-approvals.json in config directory
+        const approvalsPath = join(ctx.configDir, 'exec-approvals.json');
+        // Skip if file doesn't exist
+        if (!existsSync(approvalsPath))
+            return [];
+        let approvals;
+        try {
+            const content = readFileSync(approvalsPath, 'utf-8');
+            approvals = JSON.parse(content);
+        }
+        catch {
+            // Can't parse file, skip check
+            return [];
+        }
+        const askFallback = approvals.askFallback;
+        // Only 'deny' is secure
+        if (askFallback !== undefined && askFallback !== 'deny') {
+            return [{
+                    id: 'EXEC-004',
+                    severity: 'MEDIUM',
+                    name: 'Exec approval fallback not set to deny',
+                    location: { file: approvalsPath, path: 'askFallback' },
+                    currentValue: askFallback,
+                    expectedValue: 'deny',
+                    risk: `When no approval rule matches, commands will ${askFallback === 'allow' ? 'be allowed' : 'prompt the user'}. This could allow unintended command execution.`,
+                    fix: {
+                        description: 'Set askFallback to deny',
+                        command: `jq '.askFallback = "deny"' ${approvalsPath} > tmp.json && mv tmp.json ${approvalsPath}`,
+                    },
+                    references: ['https://docs.openclaw.ai/exec/approvals#fallback'],
+                }];
+        }
+        return [];
+    },
+};
+export default check;
+//# sourceMappingURL=exec-004-approval-fallback.js.map

package/dist/checks/exec-005-sandbox-non-main.d.ts

@@ -0,0 +1,10 @@
+/**
+ * EXEC-005: Sandbox only protects non-main sessions
+ *
+ * Detects when sandbox mode is set to "non-main", leaving the main/DM
+ * session without sandbox protection.
+ */
+import type { Check } from './types.js';
+declare const check: Check;
+export default check;
+//# sourceMappingURL=exec-005-sandbox-non-main.d.ts.map

package/dist/checks/exec-005-sandbox-non-main.js

@@ -0,0 +1,34 @@
+/**
+ * EXEC-005: Sandbox only protects non-main sessions
+ *
+ * Detects when sandbox mode is set to "non-main", leaving the main/DM
+ * session without sandbox protection.
+ */
+import { getValueAtPath } from '../utils.js';
+const check = {
+    id: 'EXEC-005',
+    severity: 'MEDIUM',
+    name: 'Sandbox only protects non-main sessions',
+    execute(ctx) {
+        const mode = getValueAtPath(ctx.config, 'agents.defaults.sandbox.mode');
+        if (mode === 'non-main') {
+            return [{
+                    id: 'EXEC-005',
+                    severity: 'MEDIUM',
+                    name: 'Sandbox only protects non-main sessions',
+                    location: { file: ctx.configPath, path: 'agents.defaults.sandbox.mode' },
+                    currentValue: 'non-main',
+                    expectedValue: 'all',
+                    risk: 'Commands from the main/DM session execute directly on the gateway host without sandbox isolation.',
+                    fix: {
+                        description: 'Enable sandbox for all sessions',
+                        command: `jq '.agents.defaults.sandbox.mode = "all"' ${ctx.configPath} > tmp.json && mv tmp.json ${ctx.configPath}`,
+                    },
+                    references: ['https://docs.openclaw.ai/agents/sandbox'],
+                }];
+        }
+        return [];
+    },
+};
+export default check;
+//# sourceMappingURL=exec-005-sandbox-non-main.js.map

package/dist/checks/exec-006-cross-agent-sandbox.d.ts

@@ -0,0 +1,10 @@
+/**
+ * EXEC-006: Sandbox scope enables cross-agent access
+ *
+ * Detects when sandbox scope is set to "shared", allowing agents to
+ * access each other's data and state.
+ */
+import type { Check } from './types.js';
+declare const check: Check;
+export default check;
+//# sourceMappingURL=exec-006-cross-agent-sandbox.d.ts.map

package/dist/checks/exec-006-cross-agent-sandbox.js

@@ -0,0 +1,34 @@
+/**
+ * EXEC-006: Sandbox scope enables cross-agent access
+ *
+ * Detects when sandbox scope is set to "shared", allowing agents to
+ * access each other's data and state.
+ */
+import { getValueAtPath } from '../utils.js';
+const check = {
+    id: 'EXEC-006',
+    severity: 'HIGH',
+    name: 'Sandbox scope enables cross-agent access',
+    execute(ctx) {
+        const scope = getValueAtPath(ctx.config, 'agents.defaults.sandbox.scope');
+        if (scope === 'shared') {
+            return [{
+                    id: 'EXEC-006',
+                    severity: 'HIGH',
+                    name: 'Sandbox scope enables cross-agent access',
+                    location: { file: ctx.configPath, path: 'agents.defaults.sandbox.scope' },
+                    currentValue: 'shared',
+                    expectedValue: 'isolated or per-session',
+                    risk: 'Agents share sandbox state, allowing one compromised agent to access or modify another agent\'s data and session state.',
+                    fix: {
+                        description: 'Set sandbox scope to isolated',
+                        command: `jq '.agents.defaults.sandbox.scope = "isolated"' ${ctx.configPath} > tmp.json && mv tmp.json ${ctx.configPath}`,
+                    },
+                    references: ['https://docs.openclaw.ai/agents/sandbox#scope'],
+                }];
+        }
+        return [];
+    },
+};
+export default check;
+//# sourceMappingURL=exec-006-cross-agent-sandbox.js.map

package/dist/checks/exec-007-workspace-rw.d.ts

@@ -0,0 +1,10 @@
+/**
+ * EXEC-007: Workspace access too permissive
+ *
+ * Detects when workspaceAccess is set to 'rw' (read-write),
+ * giving agents full write access to the workspace.
+ */
+import type { Check } from './types.js';
+declare const check: Check;
+export default check;
+//# sourceMappingURL=exec-007-workspace-rw.d.ts.map