@upx-us/shield 0.7.13 → 0.8.1

package/dist/src/case-monitor.d.ts

@@ -19,6 +19,11 @@ export declare function setDirectSendDispatcher(opts: {
     to: string;
     channel: string;
 }): void;
+declare const SEVERITY_ORDER: Record<string, number>;
+declare function formatCaseTimestamp(isoDate: string): string;
+declare function buildCaseUrl(c: CaseSummary | CaseDetail): string;
+declare function formatBatchCaseBlock(c: CaseSummary | CaseDetail): string;
+declare function dispatchCaseNotifications(cases: (CaseSummary | CaseDetail)[]): void;
 export interface CaseSummary {
     id: string;
     rule_id: string;
@@ -77,4 +82,8 @@ export declare function formatCaseNotification(c: CaseSummary | CaseDetail): str
 export declare function _resetForTesting(): void;
 export declare function _simulateFailuresForTesting(count: number, firstFailureAgeMs: number): void;
 export declare function _simulateSuccessForTesting(): void;
-export {};
+export { SEVERITY_ORDER as _SEVERITY_ORDER };
+export declare const _formatCaseTimestamp: typeof formatCaseTimestamp;
+export declare const _buildCaseUrl: typeof buildCaseUrl;
+export declare const _formatBatchCaseBlock: typeof formatBatchCaseBlock;
+export declare const _dispatchCaseNotifications: typeof dispatchCaseNotifications;

package/dist/src/case-monitor.js

@@ -33,6 +33,7 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
+exports._dispatchCaseNotifications = exports._formatBatchCaseBlock = exports._buildCaseUrl = exports._formatCaseTimestamp = exports._SEVERITY_ORDER = void 0;
 exports.setCaseNotificationDispatcher = setCaseNotificationDispatcher;
 exports.setDirectSendDispatcher = setDirectSendDispatcher;
 exports.initCaseMonitor = initCaseMonitor;
@@ -96,6 +97,42 @@ function setDirectSendDispatcher(opts) {
     _directSendChannel = opts.channel;
     log.info('case-monitor', `Direct send configured (channel: ${opts.channel}, to: ${opts.to})`);
 }
+const SEVERITY_ORDER = {
+    CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3, INFO: 4,
+};
+exports._SEVERITY_ORDER = SEVERITY_ORDER;
+function formatCaseTimestamp(isoDate) {
+    const d = new Date(isoDate);
+    if (isNaN(d.getTime()))
+        return isoDate;
+    const pad = (n) => String(n).padStart(2, '0');
+    return `${d.getUTCFullYear()}-${pad(d.getUTCMonth() + 1)}-${pad(d.getUTCDate())} ${pad(d.getUTCHours())}:${pad(d.getUTCMinutes())} UTC`;
+}
+function buildCaseUrl(c) {
+    if (isCaseDetail(c) && c.url)
+        return c.url;
+    return `https://uss.upx.com/cases/${c.id}`;
+}
+function formatBatchCaseBlock(c) {
+    const severityEmoji = {
+        CRITICAL: '🔴', HIGH: '🟠', MEDIUM: '🟡', LOW: '🔵', INFO: 'ℹ️',
+    };
+    const emoji = severityEmoji[c.severity] || '⚠️';
+    const sev = c.severity || '';
+    const description = (isCaseDetail(c) && c.rule?.description)
+        ? c.rule.description
+        : (c.description || c.summary || '');
+    const ts = formatCaseTimestamp(c.created_at);
+    const url = buildCaseUrl(c);
+    const lines = [
+        `${emoji} ${c.rule_title} · ${sev}`,
+    ];
+    if (description)
+        lines.push(description);
+    lines.push(`🕐 ${ts}`);
+    lines.push(`🔗 View case: ${url}`);
+    return lines.join('\n');
+}
 function dispatchCaseNotifications(cases) {
     if (cases.length === 0)
         return;
@@ -104,19 +141,18 @@ function dispatchCaseNotifications(cases) {
         text = formatCaseNotification(cases[0]);
     }
     else {
-        const lines = cases.map(c => {
-            const emoji = { CRITICAL: '🔴', HIGH: '🟠', MEDIUM: '🟡', LOW: '🔵' };
-            const sev = c.severity ? ` (${c.severity})` : '';
-            return `${emoji[c.severity] || '⚠️'} **${c.rule_title}**${sev} — ${c.event_count} events`;
+        const sorted = [...cases].sort((a, b) => {
+            const oa = SEVERITY_ORDER[a.severity] ?? 99;
+            const ob = SEVERITY_ORDER[b.severity] ?? 99;
+            return oa - ob;
         });
+        const agentLabel = _agentId || 'agent';
+        const separator = '─────────────────────';
+        const blocks = sorted.map(c => `${separator}\n${formatBatchCaseBlock(c)}`);
         text = [
-            `⚠️ **Shield Alert — ${cases.length} New Cases**`,
-            '',
-            ...lines,
-            '',
+            `⚠️ Shield — ${cases.length} new cases · ${agentLabel}`,
             '',
-            '💡 **Next steps:**',
-            ...cases.map(c => `  • _"Investigate case ${c.id}"_`),
+            ...blocks,
         ].join('\n');
     }
     if (_directSendFn && _directSendTo) {
@@ -456,3 +492,7 @@ function _simulateSuccessForTesting() {
         _degradedSinceMs = null;
     }
 }
+exports._formatCaseTimestamp = formatCaseTimestamp;
+exports._buildCaseUrl = buildCaseUrl;
+exports._formatBatchCaseBlock = formatBatchCaseBlock;
+exports._dispatchCaseNotifications = dispatchCaseNotifications;

package/dist/src/config.js

@@ -163,7 +163,7 @@ function loadConfig(overrides) {
         sessionDirs = discoverSessionDirs();
     }
     if (sessionDirs.length === 0) {
-        log.warn('config', 'No OpenClaw session directories found. Run: npx shield-setup');
+        log.warn('config', `No OpenClaw session directories found under ${OPENCLAW_AGENTS_DIR}. Shield is loaded but has no event sources. Set OPENCLAW_AGENTS_DIR or SESSION_DIR if your gateway stores sessions elsewhere.`);
     }
     const credentials = overrides?.credentials ?? loadCredentials();
     return {

package/dist/src/events/browser/validations.js

@@ -1,10 +1,14 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.validate = validate;
+const URL_REQUIRED_ACTIONS = new Set(['navigate', 'open']);
 function validate(event) {
-    if (!event.url)
-        return { valid: false, field: 'url', error: 'missing url' };
-    if (!event.target?.url)
-        return { valid: false, field: 'target.url', error: 'missing target.url' };
+    const action = event.tool_metadata?.browser_action ?? null;
+    if (URL_REQUIRED_ACTIONS.has(action)) {
+        if (!event.url)
+            return { valid: false, field: 'url', error: 'missing url' };
+        if (!event.target?.url)
+            return { valid: false, field: 'target.url', error: 'missing target.url' };
+    }
     return { valid: true };
 }

package/dist/src/sender.d.ts

@@ -8,6 +8,7 @@ export interface SendResult {
     statusCode?: number;
     body?: string;
     eventCount: number;
+    failureKind?: 'missing_credentials' | 'pending_namespace' | 'needs_registration' | 'quota_exceeded' | 'http_error' | 'network_error' | 'circuit_breaker';
     pendingNamespace?: boolean;
     retryAfterMs?: number;
     needsRegistration?: boolean;
@@ -22,6 +23,9 @@ export interface InstanceScore {
 export interface ReportInstanceResult {
     ok: boolean;
     score?: InstanceScore;
+    statusCode?: number;
+    error?: string;
+    needsRegistration?: boolean;
 }
 export declare function reportInstance(payload: Record<string, unknown>, credentials: ShieldCredentials): Promise<ReportInstanceResult>;
 export declare function reportLifecycleEvent(type: 'plugin_started' | 'update_restart_failed' | 'plugin_integrity_drift' | 'update_check_failing' | 'update_integrity_failed', data: Record<string, unknown>, credentials: ShieldCredentials): Promise<void>;

package/dist/src/sender.js

@@ -95,7 +95,7 @@ async function sendEvents(events, config) {
     const { apiUrl, instanceId, hmacSecret, shieldEnv } = config.credentials;
     if (!apiUrl || !instanceId || !hmacSecret) {
         log.error('sender', 'Missing credentials (apiUrl, instanceId, or hmacSecret). Run: npx shield-setup');
-        return [{ success: false, statusCode: 0, body: 'missing credentials', eventCount: events.length }];
+        return [{ success: false, statusCode: 0, body: 'missing credentials', eventCount: events.length, failureKind: 'missing_credentials' }];
     }
     const results = [];
     let consecutiveBatchFailures = 0;
@@ -103,7 +103,7 @@ async function sendEvents(events, config) {
         if (consecutiveBatchFailures >= exports.CIRCUIT_BREAKER_THRESHOLD) {
             const remaining = events.slice(i);
             log.warn('sender', `Circuit breaker: ${consecutiveBatchFailures} consecutive failures — skipping ${remaining.length} remaining events`);
-            results.push({ success: false, statusCode: 0, body: 'circuit breaker', eventCount: remaining.length });
+            results.push({ success: false, statusCode: 0, body: 'circuit breaker', eventCount: remaining.length, failureKind: 'circuit_breaker' });
             break;
         }
         if (i > 0)
@@ -144,7 +144,7 @@ async function sendEvents(events, config) {
                     catch { }
                     log.warn('sender', `Batch ${batchNum} — namespace pending (202). Holding events, retry in ${retryAfterMs / 1000}s`);
                     results.push({ success: false, statusCode: 202, body: data, eventCount: batch.length,
-                        pendingNamespace: true, retryAfterMs });
+                        pendingNamespace: true, retryAfterMs, failureKind: 'pending_namespace' });
                     break;
                 }
                 if (res.status === 403) {
@@ -156,7 +156,7 @@ async function sendEvents(events, config) {
                     if (needsReg) {
                         log.error('sender', `Batch ${batchNum} — instance not registered (403). Shield deactivated — re-run wizard.`);
                         results.push({ success: false, statusCode: 403, body: data, eventCount: batch.length,
-                            needsRegistration: true });
+                            needsRegistration: true, failureKind: 'needs_registration' });
                         break;
                     }
                 }
@@ -170,21 +170,21 @@ async function sendEvents(events, config) {
                 }
                 catch { }
                 if (res.status === 402 || (res.status === 429 && parsedData?.error === 'quota_exceeded')) {
-                    log.warn('sender', `⚠ Event quota exhausted or subscription inactive — events are being dropped. Renew your subscription to resume delivery.`);
-                    results.push({ success: false, statusCode: res.status, body: data, eventCount: batch.length });
+                    log.warn('sender', '⚠ Event quota exhausted or subscription inactive — delivery is paused. Shield will retain cursor position and retry after service is restored.');
+                    results.push({ success: false, statusCode: res.status, body: data, eventCount: batch.length, failureKind: 'quota_exceeded' });
                     break;
                 }
                 const safeBody = sanitizeResponseBodyForLog(data);
                 log.error('sender', `Batch ${batchNum} — HTTP ${res.status}: ${safeBody}`);
                 consecutiveBatchFailures++;
-                results.push({ success: false, statusCode: res.status, body: data, eventCount: batch.length });
+                results.push({ success: false, statusCode: res.status, body: data, eventCount: batch.length, failureKind: 'http_error' });
                 break;
             }
             catch (err) {
                 log.error('sender', `Batch ${batchNum} attempt ${attempt + 1} — ${errMsg(err)}`);
                 if (attempt === 1) {
                     consecutiveBatchFailures++;
-                    results.push({ success: false, statusCode: 0, body: errMsg(err), eventCount: batch.length });
+                    results.push({ success: false, statusCode: 0, body: errMsg(err), eventCount: batch.length, failureKind: 'network_error' });
                 }
             }
         }
@@ -195,7 +195,7 @@ async function reportInstance(payload, credentials) {
     const { apiUrl, instanceId, hmacSecret, shieldEnv } = credentials;
     if (!apiUrl || !instanceId || !hmacSecret) {
         log.warn('sender', 'reportInstance: missing credentials, skipping');
-        return { ok: false };
+        return { ok: false, statusCode: 0, error: 'missing credentials' };
     }
     const nonce = generateNonce();
     const signature = signRequest(instanceId, nonce, hmacSecret);
@@ -217,7 +217,12 @@ async function reportInstance(payload, credentials) {
         if (!res.ok) {
             const body = await res.text();
             log.warn('sender', `reportInstance HTTP ${res.status}: ${sanitizeResponseBodyForLog(body)}`);
-            return { ok: false };
+            let needsRegistration = false;
+            try {
+                needsRegistration = JSON.parse(body).needs_registration === true;
+            }
+            catch { }
+            return { ok: false, statusCode: res.status, error: body, needsRegistration };
         }
         let score;
         try {
@@ -227,11 +232,11 @@ async function reportInstance(payload, credentials) {
         }
         catch {
         }
-        return { ok: true, score };
+        return { ok: true, score, statusCode: res.status };
     }
     catch (err) {
         log.warn('sender', `reportInstance error: ${errMsg(err)}`);
-        return { ok: false };
+        return { ok: false, statusCode: 0, error: errMsg(err) };
     }
 }
 async function reportLifecycleEvent(type, data, credentials) {

package/dist/src/updater.d.ts

@@ -10,6 +10,9 @@ export interface UpdateState {
     consecutiveFailures: number;
     pendingRestart: boolean;
     restartAttempts: number;
+    lastFailureStage: string | null;
+    lastFailureAt: number;
+    rollbackPending: boolean;
 }
 export interface UpdateCheckResult {
     updateAvailable: boolean;
@@ -33,6 +36,10 @@ export declare function classifyUpdate(current: string, candidate: string): {
     isMajor: boolean;
 };
 export declare function loadUpdateState(): UpdateState;
+export declare function preflightAutoUpdateEnvironment(): {
+    ok: boolean;
+    missing: string[];
+};
 export declare function saveUpdateState(state: UpdateState): void;
 export declare function checkNpmVersion(): string | null;
 export declare function checkForUpdate(overrideInterval?: number): UpdateCheckResult | null;

package/dist/src/updater.js

@@ -37,6 +37,7 @@ exports.parseSemVer = parseSemVer;
 exports.isNewerVersion = isNewerVersion;
 exports.classifyUpdate = classifyUpdate;
 exports.loadUpdateState = loadUpdateState;
+exports.preflightAutoUpdateEnvironment = preflightAutoUpdateEnvironment;
 exports.saveUpdateState = saveUpdateState;
 exports.checkNpmVersion = checkNpmVersion;
 exports.checkForUpdate = checkForUpdate;
@@ -117,12 +118,43 @@ function loadUpdateState() {
         consecutiveFailures: 0,
         pendingRestart: false,
         restartAttempts: 0,
+        lastFailureStage: null,
+        lastFailureAt: 0,
+        rollbackPending: false,
     };
     if (!(0, fs_1.existsSync)(UPDATE_STATE_FILE))
         return defaults;
     const loaded = (0, safe_io_1.readJsonSafe)(UPDATE_STATE_FILE, {}, 'update-state');
     return { ...defaults, ...loaded };
 }
+function recordUpdateFailure(state, stage, error, extra) {
+    state.lastFailureStage = stage;
+    state.lastFailureAt = Date.now();
+    state.lastError = error;
+    Object.assign(state, extra ?? {});
+    saveUpdateState(state);
+}
+function preflightAutoUpdateEnvironment() {
+    const checks = [
+        { name: 'npm', command: 'npm --version' },
+        { name: 'tar', command: 'tar --version' },
+        { name: 'openclaw', command: 'openclaw --version' },
+    ];
+    const missing = [];
+    for (const check of checks) {
+        try {
+            (0, child_process_1.execSync)(check.command, {
+                encoding: 'utf-8',
+                timeout: 10_000,
+                stdio: ['pipe', 'pipe', 'pipe'],
+            });
+        }
+        catch {
+            missing.push(check.name);
+        }
+    }
+    return { ok: missing.length === 0, missing };
+}
 function saveUpdateState(state) {
     ensureDir((0, path_1.dirname)(UPDATE_STATE_FILE));
     (0, safe_io_1.writeJsonSafe)(UPDATE_STATE_FILE, state);
@@ -166,9 +198,8 @@ function checkForUpdate(overrideInterval) {
     state.lastCheckAt = now;
     state.currentVersion = version_1.VERSION;
     if (!latestVersion) {
-        state.lastError = 'Failed to query npm registry';
         state.consecutiveFailures = (state.consecutiveFailures ?? 0) + 1;
-        saveUpdateState(state);
+        recordUpdateFailure(state, 'check', 'Failed to query npm registry');
         const FAILURE_THRESHOLD = 3;
         if (state.consecutiveFailures >= FAILURE_THRESHOLD) {
             const nextRetryAt = new Date(now + CHECK_INTERVAL_MS).toISOString();
@@ -189,6 +220,8 @@ function checkForUpdate(overrideInterval) {
         state.updateAvailable = true;
         state.lastError = null;
         state.consecutiveFailures = 0;
+        state.lastFailureStage = null;
+        state.lastFailureAt = 0;
         saveUpdateState(state);
         const classification = classifyUpdate(version_1.VERSION, latestVersion);
         log.info('updater', `Update available: ${version_1.VERSION} → ${latestVersion} (${classification.isPatch ? 'patch' : classification.isMinor ? 'minor' : 'major'})`);
@@ -202,6 +235,8 @@ function checkForUpdate(overrideInterval) {
     state.updateAvailable = false;
     state.lastError = null;
     state.consecutiveFailures = 0;
+    state.lastFailureStage = null;
+    state.lastFailureAt = 0;
     saveUpdateState(state);
     return null;
 }
@@ -472,6 +507,8 @@ function performAutoUpdate(mode, checkIntervalMs) {
             log.info('updater', `Clearing stale pendingRestart — running version matches stored currentVersion (${version_1.VERSION})`);
             st.pendingRestart = false;
             st.restartAttempts = 0;
+            st.rollbackPending = false;
+            st.lastFailureStage = null;
             saveUpdateState(st);
         }
     }
@@ -499,6 +536,7 @@ function performAutoUpdate(mode, checkIntervalMs) {
                 }
                 state.pendingRestart = false;
                 state.restartAttempts = 0;
+                state.rollbackPending = false;
                 saveUpdateState(state);
             }
             else {
@@ -507,10 +545,14 @@ function performAutoUpdate(mode, checkIntervalMs) {
                 if (restarted) {
                     state.pendingRestart = false;
                     state.restartAttempts = 0;
+                    state.rollbackPending = false;
+                    state.lastFailureStage = null;
                     saveUpdateState(state);
                 }
                 else {
                     state.restartAttempts = (state.restartAttempts ?? 0) + 1;
+                    state.lastFailureStage = 'restart';
+                    state.lastFailureAt = Date.now();
                     saveUpdateState(state);
                 }
             }
@@ -550,11 +592,22 @@ function performAutoUpdate(mode, checkIntervalMs) {
     }
     const state = loadUpdateState();
     log.info('updater', `Auto-updating: ${version_1.VERSION} → ${check.latestVersion}`);
+    const preflight = preflightAutoUpdateEnvironment();
+    if (!preflight.ok) {
+        state.consecutiveFailures++;
+        recordUpdateFailure(state, 'preflight', `Missing required commands for auto-update: ${preflight.missing.join(', ')}`);
+        return {
+            action: 'error',
+            fromVersion: version_1.VERSION,
+            toVersion: check.latestVersion,
+            message: `Auto-update aborted: missing required commands (${preflight.missing.join(', ')})`,
+            requiresRestart: false,
+        };
+    }
     const backupPath = backupCurrentVersion();
     if (!backupPath) {
         state.consecutiveFailures++;
-        state.lastError = 'Backup failed — update aborted';
-        saveUpdateState(state);
+        recordUpdateFailure(state, 'backup', 'Backup failed — update aborted');
         return {
             action: 'error',
             fromVersion: version_1.VERSION,
@@ -568,8 +621,7 @@ function performAutoUpdate(mode, checkIntervalMs) {
         log.warn('updater', 'Install failed — rolling back...');
         const restored = restoreFromBackup(backupPath);
         state.consecutiveFailures++;
-        state.lastError = 'Install failed — rolled back';
-        saveUpdateState(state);
+        recordUpdateFailure(state, restored ? 'install' : 'rollback', restored ? 'Install failed — rolled back' : 'Install failed and rollback failed', { rollbackPending: !restored });
         return {
             action: restored ? 'rollback' : 'error',
             fromVersion: version_1.VERSION,
@@ -591,8 +643,7 @@ function performAutoUpdate(mode, checkIntervalMs) {
         log.warn('updater', 'Rolling back...');
         restoreFromBackup(backupPath);
         state.consecutiveFailures++;
-        state.lastError = 'Post-install validation failed — rolled back';
-        saveUpdateState(state);
+        recordUpdateFailure(state, 'validation', 'Post-install validation failed — rolled back');
         return {
             action: 'rollback',
             fromVersion: version_1.VERSION,
@@ -614,8 +665,7 @@ function performAutoUpdate(mode, checkIntervalMs) {
         }
         catch { }
         state.consecutiveFailures++;
-        state.lastError = 'Integrity check failed — rolled back';
-        saveUpdateState(state);
+        recordUpdateFailure(state, 'integrity', 'Integrity check failed — rolled back');
         return noOp;
     }
     const restarted = requestGatewayRestart();
@@ -626,6 +676,9 @@ function performAutoUpdate(mode, checkIntervalMs) {
         state.lastUpdateAt = Date.now();
         state.consecutiveFailures = 0;
         state.lastError = null;
+        state.lastFailureStage = 'restart';
+        state.lastFailureAt = Date.now();
+        state.rollbackPending = false;
         saveUpdateState(state);
         log.warn('updater', `Gateway restart failed after update to ${check.latestVersion} — will retry on next poll cycle.`);
         return {
@@ -644,6 +697,9 @@ function performAutoUpdate(mode, checkIntervalMs) {
     state.currentVersion = check.latestVersion;
     state.consecutiveFailures = 0;
     state.lastError = null;
+    state.lastFailureStage = null;
+    state.lastFailureAt = 0;
+    state.rollbackPending = false;
     saveUpdateState(state);
     log.info('updater', `✅ Auto-updated: ${version_1.VERSION} → ${check.latestVersion}. Gateway restart initiated.`);
     return {

package/openclaw.plugin.json

@@ -2,7 +2,7 @@
   "id": "shield",
   "name": "OpenClaw Shield",
   "description": "Real-time security monitoring — streams enriched, redacted security events to the Shield detection platform.",
-  "version": "0.7.13",
+  "version": "0.8.1",
   "skills": [
     "./skills"
   ],
@@ -47,7 +47,7 @@
           }
         ],
         "default": true,
-        "description": "Auto-update mode: true (auto-update patch versions), false (disabled), or 'notify-only' (log available updates without installing)."
+        "description": "Auto-update mode: true (auto-update patch and minor versions with rollback safety), false (disabled), or 'notify-only' (log available updates without installing)."
       },
       "debugLog": {
         "type": "boolean",
@@ -78,7 +78,7 @@
     },
     "autoUpdate": {
       "label": "Auto-update mode",
-      "description": "true = auto-install patch updates, 'notify-only' = log only, false = disabled"
+      "description": "true = auto-install patch and minor updates, 'notify-only' = log only, false = disabled"
     },
     "debugLog": {
       "label": "Debug logging",

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@upx-us/shield",
-  "version": "0.7.13",
-  "description": "Security monitoring plugin for OpenClaw agents — streams enriched security events to the Shield detection platform",
+  "version": "0.8.1",
+  "description": "Security monitoring and SIEM integration for OpenClaw agents — behavioral detection, case generation, and forensic audit trail via Google SecOps (Chronicle).",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "bin": {

package/skills/shield/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: openclaw-shield-upx
-description: "Security monitoring and threat detection for OpenClaw agents — protect your agent with real-time SIEM, detect threats, monitor agent activity, and audit events. Use when: user asks about security status, Shield health, event logs, redaction vault, setting up agent protection, enabling SIEM, detecting threats, monitoring agent activity, or auditing agent actions. NOT for: general OS hardening, firewall config, or network security unrelated to OpenClaw agents."
+description: "Security monitoring and threat detection for OpenClaw agents — powered by Google SecOps (Chronicle). Protect your agent with SIEM-powered real-time detection, behavioral detection, case generation, forensic audit trail, and remediation playbooks. Use when: user asks about security status, Shield health, event logs, redaction vault, setting up agent protection, enabling SIEM, detecting threats, monitoring agent activity, or auditing agent actions. NOT for: general OS hardening, firewall config, or network security unrelated to OpenClaw agents."
 homepage: https://www.upx.com/en/lp/openclaw-shield-upx
 source: https://www.npmjs.com/package/@upx-us/shield
 license: "Proprietary — UPX Technologies, Inc. All rights reserved."
@@ -16,7 +16,7 @@ Security monitoring for OpenClaw agents by [UPX](https://www.upx.com). Shield ru
 Shield requires the `@upx-us/shield` plugin and an active subscription.
 
 - **Plugin**: [@upx-us/shield](https://www.npmjs.com/package/@upx-us/shield)
-- **Subscribe / Free 30-day trial**: [upx.com/en/lp/openclaw-shield-upx](https://www.upx.com/en/lp/openclaw-shield-upx)
+- **Subscribe / Free 60-day trial (no credit card required)**: [upx.com/en/lp/openclaw-shield-upx](https://www.upx.com/en/lp/openclaw-shield-upx)
 - **Dashboard**: [uss.upx.com](https://uss.upx.com)
 
 ## Commands
@@ -43,7 +43,7 @@ Before responding to ANY Shield-related request, run `openclaw shield status` an
 ### State A — Plugin not installed
 (command not found, or exit code non-zero with plugin_not_found)
 Respond with:
-> Shield is not installed yet. Start your free 30-day trial at:
+> Shield is not installed yet. Start your free 60-day trial (no credit card required) at:
 > https://www.upx.com/en/lp/openclaw-shield-upx
 >
 > Then install the plugin:
@@ -79,6 +79,10 @@ Proceed normally. No onboarding message needed.
 
 **Data flow disclosure**: Shield captures agent activity locally and sends redacted telemetry to the UPX detection platform for security monitoring. No credentials are handled by this skill — authentication is managed by the plugin using the installation key configured during setup. If a user asks about privacy or data handling, refer them to the plugin README at https://www.npmjs.com/package/@upx-us/shield for full details.
 
+## Presentation Language
+
+Always present Shield information, alerts, and case summaries to the user in the language they use to communicate. Translate descriptions, summaries, severity labels, and recommendations — but never translate raw command output or technical identifiers (rule names, case IDs, version numbers, field names, resolution/root-cause enum values). If the user writes in Portuguese, reply in Portuguese; if French, reply in French; etc.
+
 ## Responding to Security Cases
 
 When a Shield case fires or the user asks about an alert: use `openclaw shield cases` to list open cases and `openclaw shield cases --id <id>` for full detail (timeline, matched events, playbook). Severity guidance: **CRITICAL/HIGH** → surface immediately and ask if they want to investigate; **MEDIUM** → present and offer a playbook walkthrough; **LOW/INFO** → mention without interrupting the current task. Always include: rule name, what it detects, when it fired, and the first recommended remediation step. Confirm with the user before resolving — never resolve autonomously.
@@ -109,6 +113,7 @@ When asked "is my agent secure?", "am I protected?", or "what's being detected?"
 
 Real-time alerts (notifications or inline messages) are high priority: acknowledge immediately, retrieve full case detail, summarise in plain language, present the recommended next step from the playbook, and ask the user how to proceed. Do not take remediation action without explicit approval.
 
+
 ## When to use this skill
 
 - "Is Shield running?" → `openclaw shield status`
@@ -123,10 +128,13 @@ Real-time alerts (notifications or inline messages) are high priority: acknowled
 
 After running `openclaw shield status`, check:
 
-- **Connected** → healthy, nothing to do
-- **Disconnected** → gateway may need a restart
-- **High failure count** → platform connectivity issue, usually self-recovers; try `openclaw shield flush`
+- **✅ Running · Connected** → healthy, nothing to do
+- **⚠️ Degraded · Connected** → capturing but sync issues; try `openclaw shield flush`
+- **❌ Disconnected** → gateway may need a restart
+- **Failures: N poll** → platform connectivity issue, usually self-recovers; try `openclaw shield flush`
+- **Failures: N telemetry** → instance reporting failing, monitoring still active
 - **Rising quarantine** → possible version mismatch, suggest checking for plugin updates
+- **Last data: capture Xm ago** (stale) → agent may be idle, or capture pipeline issue
 
 ## RPCs