clawarmor 1.1.0

package/lib/checks/gateway.js

@@ -0,0 +1,177 @@
+import { get } from '../config.js';
+import { execSync } from 'child_process';
+
+const WEAK_TOKEN_PATTERNS = [
+  /^change.?me$/i, /^your.?token/i, /^example/i, /^test/i,
+  /^demo/i, /^default/i, /^openclaw$/i, /^secret$/i,
+  /^password$/i, /^12345/, /^token$/i,
+];
+
+function isWeakToken(t) {
+  if (!t || typeof t !== 'string') return true;
+  if (t.length < 16) return true;
+  if (/^(.)\1+$/.test(t)) return true;
+  if (WEAK_TOKEN_PATTERNS.some(p => p.test(t))) return true;
+  if (t.length < 20 && /^[a-z]+$/.test(t)) return true;
+  return false;
+}
+
+export function checkGatewayBind(config) {
+  const bind = get(config, 'gateway.bind', '');
+  const mode = get(config, 'gateway.mode', '');
+  const authMode = get(config, 'gateway.auth.mode', '');
+  const isLoopback = !bind || bind === 'loopback' || bind === 'localhost' || bind === '127.0.0.1' || mode === 'local';
+  const isExposed = !isLoopback;
+  const hasAuth = authMode && authMode !== 'none';
+
+  if (isExposed && !hasAuth) {
+    return { id: 'gateway.bind_no_auth', severity: 'CRITICAL', passed: false,
+      title: 'Gateway exposed to network with NO authentication',
+      description: `gateway.bind="${bind}", auth.mode="${authMode||'none'}" — anyone on your network\nor the internet can connect, read conversations, and run tool calls.\nAttack scenario: attacker sends exec("cat ~/.openclaw/agent-accounts.json")\nto your open gateway and gets all your API keys in seconds.`,
+      fix: `openclaw config set gateway.auth.mode token\nopenctl config set gateway.auth.token $(node -e "console.log(require('crypto').randomBytes(32).toString('base64url'))")\nopenctl config set gateway.bind loopback\nopenctl gateway restart` };
+  }
+  if (isExposed) {
+    return { id: 'gateway.bind', severity: 'HIGH', passed: false,
+      title: 'Gateway exposed to network',
+      description: `gateway.bind="${bind}" — reachable from your network. Auth is set but\ntoken brute-force and protocol exploits are possible over the network.\nAttack scenario: attacker on same LAN brute-forces your short token.`,
+      fix: `openclaw config set gateway.bind loopback\nopenctl gateway restart\nUse Tailscale Serve for secure remote access instead.` };
+  }
+  return { id: 'gateway.bind', severity: 'CRITICAL', passed: true, passedMsg: 'Gateway bound to loopback only' };
+}
+
+export function checkTailscaleFunnel(config) {
+  const tsMode = get(config, 'gateway.tailscale.mode', 'off');
+  const authMode = get(config, 'gateway.auth.mode', '');
+  if (tsMode === 'funnel' && !['password','token'].includes(authMode)) {
+    return { id: 'tailscale.funnel', severity: 'CRITICAL', passed: false,
+      title: 'Tailscale Funnel without authentication',
+      description: `Funnel is active — gateway is on the public internet. auth.mode="${authMode||'none'}"\nmeans anyone with your Tailscale URL can access your agent.\nAttack: your Funnel URL is <machine>.ts.net — trivially discoverable.`,
+      fix: `openclaw config set gateway.auth.mode password` };
+  }
+  return { id: 'tailscale.funnel', severity: 'CRITICAL', passed: true,
+    passedMsg: tsMode === 'funnel' ? 'Funnel active with auth' : 'Tailscale Funnel not enabled' };
+}
+
+export function checkAuthToken(config) {
+  const authMode = get(config, 'gateway.auth.mode', '');
+  if (authMode !== 'token') return { id: 'gateway.auth.token', severity: 'MEDIUM', passed: true,
+    passedMsg: `Auth mode: "${authMode||'none'}"` };
+  const token = get(config, 'gateway.auth.token', '');
+  if (isWeakToken(token)) {
+    return { id: 'gateway.auth.token', severity: 'MEDIUM', passed: false,
+      title: 'Weak gateway auth token',
+      description: `Token is short, simple, or a known default. Brute-forceable.\nAttack: automated tools try common tokens in seconds.`,
+      fix: `node -e "console.log(require('crypto').randomBytes(32).toString('base64url'))"\nopenctl config set gateway.auth.token <output>` };
+  }
+  return { id: 'gateway.auth.token', severity: 'MEDIUM', passed: true, passedMsg: 'Auth token is strong' };
+}
+
+export function checkDangerousFlags(config) {
+  const checks = [
+    ['gateway.controlUi.dangerouslyDisableDeviceAuth', 'Disables device pairing — any browser can access Control UI'],
+    ['gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback', 'DNS rebinding attacks possible'],
+    ['gateway.controlUi.allowInsecureAuth', 'Downgrades Control UI auth security'],
+  ];
+  const on = checks.filter(([p]) => get(config, p, false) === true);
+  if (on.length) {
+    return { id: 'gateway.dangerous_flags', severity: 'CRITICAL', passed: false,
+      title: `Dangerous flags enabled (${on.length})`,
+      description: on.map(([p,d]) => `• ${p.split('.').pop()}: ${d}`).join('\n'),
+      fix: on.map(([p]) => `openclaw config set ${p} false`).join('\n') };
+  }
+  return { id: 'gateway.dangerous_flags', severity: 'CRITICAL', passed: true, passedMsg: 'No dangerous flags enabled' };
+}
+
+export function checkMdns(config) {
+  const mode = get(config, 'discovery.mdns.mode', 'minimal');
+  if (mode === 'full') {
+    return { id: 'discovery.mdns', severity: 'MEDIUM', passed: false,
+      title: 'mDNS leaking CLI path and SSH port on LAN',
+      description: `mdns.mode="full" broadcasts your binary path (reveals username) and SSH port\nto everyone on your local network — passive reconnaissance, no auth needed.`,
+      fix: `openclaw config set discovery.mdns.mode minimal` };
+  }
+  return { id: 'discovery.mdns', severity: 'MEDIUM', passed: true, passedMsg: `mDNS mode: "${mode}" (not leaking sensitive data)` };
+}
+
+export function checkRealIpFallback(config) {
+  if (get(config, 'gateway.allowRealIpFallback', false) === true) {
+    return { id: 'gateway.realip', severity: 'HIGH', passed: false,
+      title: 'Real-IP fallback enables IP spoofing',
+      description: `allowRealIpFallback=true means forged X-Real-IP: 127.0.0.1 headers\ncan make attacker requests appear to come from localhost, bypassing local trust checks.`,
+      fix: `openclaw config set gateway.allowRealIpFallback false` };
+  }
+  return { id: 'gateway.realip', severity: 'HIGH', passed: true, passedMsg: 'Real-IP fallback disabled' };
+}
+
+export default [checkGatewayBind, checkTailscaleFunnel, checkAuthToken, checkDangerousFlags, checkMdns, checkRealIpFallback, checkTrustedProxies, checkMultiUserTrustModel];
+
+
+// Check: trustedProxies configured when behind reverse proxy
+export function checkTrustedProxies(config) {
+  const gw = config.gateway || {};
+  const trustedProxies = gw.trustedProxies || config.trustedProxies;
+  // Read bind from multiple possible config locations
+  const bind = gw.bind || config.bind || '127.0.0.1';
+
+  // Only relevant if bind is not loopback (i.e., they're behind a proxy or exposed)
+  const isLoopback = bind === '127.0.0.1' || bind === 'localhost' || bind === '::1' || bind === '' || bind === 'loopback';
+  if (isLoopback) {
+    return { id: 'gateway.trusted_proxies', severity: 'INFO', passed: true,
+      passedMsg: 'Gateway is loopback-only — trustedProxies not needed' };
+  }
+
+  if (!trustedProxies || !Array.isArray(trustedProxies) || trustedProxies.length === 0) {
+    return {
+      id: 'gateway.trusted_proxies',
+      severity: 'HIGH',
+      passed: false,
+      title: 'No trustedProxies configured for public-facing gateway',
+      description: 'Gateway is not loopback-only but trustedProxies is not set. ' +
+        'Without this, proxy IP spoofing can bypass authentication checks. ' +
+        'Attack: attacker sends X-Forwarded-For header to impersonate a trusted IP.',
+      fix: 'openclaw config set gateway.trustedProxies \'["<your-proxy-ip>"]\''
+    };
+  }
+  return { id: 'gateway.trusted_proxies', severity: 'INFO', passed: true,
+    passedMsg: `trustedProxies configured (${trustedProxies.length} proxy IPs)` };
+}
+
+// Check: multi-user heuristic — multiple channels with different users but no sandbox
+export function checkMultiUserTrustModel(config) {
+  const channels = config.channels || {};
+  const channelCount = Object.keys(channels).filter(k =>
+    channels[k] && typeof channels[k] === 'object' && channels[k].enabled !== false
+  ).length;
+
+  const groups = Object.values(channels).flatMap(ch => {
+    if (ch && ch.groups) return Object.values(ch.groups);
+    return [];
+  });
+  const hasGroups = groups.length > 0;
+
+  const sandboxMode = config.agents?.defaults?.sandbox?.mode;
+  const sandboxEnabled = sandboxMode && sandboxMode !== 'off';
+
+  // Multi-user signal: groups with non-allowlisted access and no sandbox
+  // Single-operator allowlisted groups are fine without sandbox
+  const hasOpenGroups = groups.some(g => {
+    const policy = g.policy || g.groupPolicy || 'allowlist';
+    const allowFrom = g.allowFrom || [];
+    return policy !== 'allowlist' && policy !== 'disabled' && 
+           (allowFrom.length === 0 || allowFrom.includes('*'));
+  });
+  if (hasOpenGroups && !sandboxEnabled) {
+    return {
+      id: 'security.trust_model.multi_user',
+      severity: 'MEDIUM',
+      passed: false,
+      title: 'Multi-user setup without sandbox isolation',
+      description: `You have ${channelCount} channel(s)${hasGroups ? ' with group access' : ''} but no sandbox isolation. ` +
+        'Multiple users sharing an agent without sandboxing means one user\'s session can affect another\'s workspace. ' +
+        'Attack: user A triggers a task that reads or writes workspace files belonging to user B.',
+      fix: 'Install Docker, then: openclaw config set agents.defaults.sandbox.mode non-main'
+    };
+  }
+  return { id: 'security.trust_model.multi_user', severity: 'INFO', passed: true,
+    passedMsg: 'Trust model appropriate for current channel configuration' };
+}

package/lib/checks/hooks.js

@@ -0,0 +1,33 @@
+import { get } from '../config.js';
+
+export function checkHooksSessionKey(config) {
+  if (get(config, 'hooks.allowRequestSessionKey', false) === true) {
+    const prefixes = get(config, 'hooks.allowedSessionKeyPrefixes', null);
+    if (!prefixes || (Array.isArray(prefixes) && prefixes.length === 0)) {
+      return { id: 'hooks.sessionKey', severity: 'HIGH', passed: false,
+        title: 'Webhooks allow external session key control (unbounded)',
+        description: `hooks.allowRequestSessionKey=true with no allowedSessionKeyPrefixes.\nExternal callers can inject into ANY session by choosing its key.\nAttack: attacker sends webhook with sessionKey="main" to hijack your primary session.`,
+        fix: `openclaw config set hooks.allowRequestSessionKey false\nOR set hooks.allowedSessionKeyPrefixes to restrict shapes` };
+    }
+    return { id: 'hooks.sessionKey', severity: 'MEDIUM', passed: false,
+      title: 'Webhooks allow external session key control (prefixes set)',
+      description: `hooks.allowRequestSessionKey=true — external callers can pick session keys\nmatching your allowedSessionKeyPrefixes. Review if this is intentional.`,
+      fix: `Set hooks.allowRequestSessionKey false if not needed` };
+  }
+  return { id: 'hooks.sessionKey', severity: 'HIGH', passed: true,
+    passedMsg: 'Webhooks cannot control session routing' };
+}
+
+export function checkHooksTokenLength(config) {
+  const token = get(config, 'hooks.token', null);
+  if (!token) return { id: 'hooks.token', severity: 'LOW', passed: true, passedMsg: 'No webhook token configured' };
+  if (token.length < 16) {
+    return { id: 'hooks.token', severity: 'MEDIUM', passed: false,
+      title: 'Webhook token is too short (brute-forceable)',
+      description: `hooks.token is ${token.length} chars — minimum 16 required.\nAttack: attacker brute-forces short token to trigger arbitrary webhook sessions.`,
+      fix: `node -e "console.log(require('crypto').randomBytes(24).toString('base64url'))"\nopenctl config set hooks.token <output>` };
+  }
+  return { id: 'hooks.token', severity: 'MEDIUM', passed: true, passedMsg: `Webhook token length: ${token.length} chars (sufficient)` };
+}
+
+export default [checkHooksSessionKey, checkHooksTokenLength];

package/lib/checks/tools.js

@@ -0,0 +1,75 @@
+import { get } from '../config.js';
+
+export function checkElevatedTools(config) {
+  const elevated = get(config, 'tools.elevated', null);
+  const allowFrom = get(config, 'tools.elevated.allowFrom', null);
+  if (!elevated) return { id: 'tools.elevated', severity: 'MEDIUM', passed: true, passedMsg: 'Elevated tools not configured' };
+  const restricted = Array.isArray(allowFrom) && allowFrom.length > 0 &&
+    !allowFrom.includes('*') && !allowFrom.includes('all');
+  if (!restricted) {
+    return { id: 'tools.elevated', severity: 'MEDIUM', passed: false,
+      title: 'Elevated tools not restricted to trusted sources',
+      description: `tools.elevated.allowFrom is unrestricted.\nElevated exec runs on the host bypassing any sandbox.\nAttack: anyone who can reach the agent can trigger host-level commands.`,
+      fix: `openclaw config set tools.elevated.allowFrom ["your-session-key"]` };
+  }
+  return { id: 'tools.elevated', severity: 'MEDIUM', passed: true, passedMsg: 'Elevated tools restricted to allowlist' };
+}
+
+export function checkWorkspaceOnly(config) {
+  const wo = get(config, 'tools.fs.workspaceOnly', null);
+  if (wo !== true) {
+    return { id: 'tools.fs.workspaceOnly', severity: 'LOW', passed: false,
+      title: 'Agent can read/write anywhere on filesystem',
+      description: `tools.fs.workspaceOnly is not true — the agent can read/write any file\nyour user account can access: SSH keys, ~/.zshenv, browser profiles, etc.\nAttack: prompt injection causes read("~/.ssh/id_rsa") and exfiltrates your private key.`,
+      fix: `openclaw config set tools.fs.workspaceOnly true` };
+  }
+  return { id: 'tools.fs.workspaceOnly', severity: 'LOW', passed: true, passedMsg: 'Filesystem restricted to workspace' };
+}
+
+export function checkApplyPatchWorkspaceOnly(config) {
+  const wo = get(config, 'tools.exec.applyPatch.workspaceOnly', true);
+  if (wo === false) {
+    return { id: 'tools.applyPatch.workspaceOnly', severity: 'MEDIUM', passed: false,
+      title: 'apply_patch can write files outside workspace',
+      description: `tools.exec.applyPatch.workspaceOnly=false allows apply_patch to create\nor delete files anywhere on your system, even without exec permissions.\nAttack: attacker uses apply_patch to overwrite ~/.zshenv or crontabs.`,
+      fix: `openclaw config set tools.exec.applyPatch.workspaceOnly true` };
+  }
+  return { id: 'tools.applyPatch.workspaceOnly', severity: 'MEDIUM', passed: true, passedMsg: 'apply_patch restricted to workspace' };
+}
+
+export function checkBrowserSsrf(config) {
+  const allowPrivate = get(config, 'browser.ssrfPolicy.dangerouslyAllowPrivateNetwork', true);
+  if (allowPrivate !== false) {
+    return { id: 'browser.ssrf', severity: 'MEDIUM', passed: false,
+      title: 'Browser tool can access private/internal network',
+      description: `browser.ssrfPolicy.dangerouslyAllowPrivateNetwork is not explicitly false.\nDefault allows browser to reach 192.168.x.x, 10.x.x.x, 172.16.x.x, localhost.\nAttack: prompt injection causes browser.navigate("http://192.168.1.1/admin")\nand exfiltrates your router admin panel or internal services.`,
+      fix: `openclaw config set browser.ssrfPolicy.dangerouslyAllowPrivateNetwork false` };
+  }
+  return { id: 'browser.ssrf', severity: 'MEDIUM', passed: true, passedMsg: 'Browser SSRF to private networks blocked' };
+}
+
+export function checkPluginAllowlist(config) {
+  const plugins = get(config, 'plugins', null);
+  const allow = get(config, 'plugins.allow', null);
+  if (plugins && (!allow || (Array.isArray(allow) && allow.length === 0))) {
+    return { id: 'plugins.allowlist', severity: 'MEDIUM', passed: false,
+      title: 'Plugins loaded without explicit allowlist',
+      description: `plugins are configured but plugins.allow is not set.\nPlugins run in-process with the gateway — treat as fully trusted code.\nAttack: malicious ClawHub plugin installed without review, runs arbitrary code\nin the gateway process, reads all credentials and sessions.`,
+      fix: `openclaw config set plugins.allow ["your-trusted-plugin-id"]` };
+  }
+  return { id: 'plugins.allowlist', severity: 'MEDIUM', passed: true, passedMsg: 'Plugin allowlist configured' };
+}
+
+export function checkLogRedaction(config) {
+  const redact = get(config, 'logging.redactSensitive', 'tools');
+  if (redact === false || redact === 'off' || redact === 'none') {
+    return { id: 'logging.redact', severity: 'MEDIUM', passed: false,
+      title: 'Log redaction disabled — tokens leak to disk logs',
+      description: `logging.redactSensitive="${redact}" — gateway logs will contain\nraw API keys, bot tokens, and tool arguments in plaintext.\nAttack: attacker with log read access extracts all credentials passively.`,
+      fix: `openclaw config set logging.redactSensitive tools` };
+  }
+  return { id: 'logging.redact', severity: 'MEDIUM', passed: true, passedMsg: 'Log redaction enabled' };
+}
+
+export default [checkElevatedTools, checkWorkspaceOnly, checkApplyPatchWorkspaceOnly,
+  checkBrowserSsrf, checkPluginAllowlist, checkLogRedaction];

package/lib/checks/version.js

@@ -0,0 +1,61 @@
+import { execSync } from 'child_process';
+
+export async function checkVersion() {
+  let installed = null;
+  let latest = null;
+
+  // Read from binary, not config (v0.1 false positive fix)
+  const candidates = [
+    process.env.HOME + '/.npm-global/bin/openclaw',
+    '/opt/homebrew/bin/openclaw',
+    '/usr/local/bin/openclaw',
+    'openclaw',
+  ];
+  for (const bin of candidates) {
+    try {
+      const out = execSync(`${bin} --version 2>/dev/null`, { timeout: 3000, encoding: 'utf8' }).trim();
+      if (out && /^\d{4}\./.test(out)) { installed = out; break; }
+    } catch { continue; }
+  }
+
+  if (!installed) {
+    return { id: 'version.check', severity: 'LOW', passed: true,
+      passedMsg: 'Could not detect OpenClaw version (binary not in PATH)' };
+  }
+
+  // Fetch latest from npm registry
+  try {
+    const res = await fetch('https://registry.npmjs.org/openclaw/latest', {
+      signal: AbortSignal.timeout(4000),
+      headers: { 'User-Agent': 'clawarmor-audit/0.5.0' },
+    });
+    if (res.ok) {
+      const data = await res.json();
+      latest = data.version;
+    }
+  } catch { /* no network — skip */ }
+
+  if (!latest) {
+    return { id: 'version.check', severity: 'LOW', passed: true,
+      passedMsg: `OpenClaw ${installed} (could not check latest — offline?)` };
+  }
+
+  if (installed === latest) {
+    return { id: 'version.check', severity: 'MEDIUM', passed: true,
+      passedMsg: `OpenClaw ${installed} (up to date)` };
+  }
+
+  // Compare: installed < latest?
+  const toNum = v => v.replace(/\./g, '').padStart(10, '0');
+  if (toNum(installed) < toNum(latest)) {
+    return { id: 'version.check', severity: 'MEDIUM', passed: false,
+      title: 'OpenClaw is out of date',
+      description: `Installed: ${installed} → Latest: ${latest}\nOutdated versions may have known security vulnerabilities.\nAttack: known CVEs against your version are publicly documented.`,
+      fix: `npm install -g openclaw@latest && openclaw gateway restart` };
+  }
+
+  return { id: 'version.check', severity: 'MEDIUM', passed: true,
+    passedMsg: `OpenClaw ${installed} (up to date)` };
+}
+
+export default [checkVersion];

package/lib/compare.js

@@ -0,0 +1,96 @@
+import { paint, severityColor } from './output/colors.js';
+import { execSync } from 'child_process';
+
+const SEP = paint.dim('─'.repeat(52));
+
+function box(title) {
+  const W=52, pad=W-2-title.length, l=Math.floor(pad/2), r=pad-l;
+  return [paint.dim('╔'+'═'.repeat(W-2)+'╗'),
+    paint.dim('║')+' '.repeat(l)+paint.bold(title)+' '.repeat(r)+paint.dim('║'),
+    paint.dim('╚'+'═'.repeat(W-2)+'╝')].join('\n');
+}
+
+export async function runCompare() {
+  console.log(''); console.log(box('ClawArmor vs openclaw audit')); console.log('');
+
+  // Run ClawArmor audit (capture)
+  console.log(`  ${paint.dim('Running clawarmor audit...')}`);
+  let caFindings = [];
+  try {
+    const { loadConfig } = await import('./config.js');
+    const { config } = loadConfig();
+    const mods = ['./checks/gateway.js','./checks/filesystem.js','./checks/channels.js',
+      './checks/auth.js','./checks/tools.js','./checks/version.js','./checks/hooks.js'];
+    for (const m of mods) {
+      const mod = await import(m);
+      const checks = mod.default || [];
+      for (const check of checks) {
+        try { const r = await check(config); if (!r.passed) caFindings.push(r); }
+        catch { /* skip */ }
+      }
+    }
+  } catch(e) { console.log(`  ${paint.red('✗')} ClawArmor error: ${e.message}`); }
+
+  // Run openclaw security audit --json
+  console.log(`  ${paint.dim('Running openclaw security audit --json...')}`);
+  let ocFindings = [];
+  let ocAvailable = false;
+  try {
+    const raw = execSync('openclaw security audit --json 2>/dev/null', { timeout: 15000, encoding: 'utf8' });
+    const data = JSON.parse(raw);
+    ocFindings = (data.findings || data.checks || []).filter(f => !f.passed);
+    ocAvailable = true;
+  } catch { /* openclaw audit not available or no --json */ }
+
+  console.log('');
+
+  // What ClawArmor catches
+  console.log(SEP);
+  console.log(`  ${paint.cyan('ClawArmor findings')} ${paint.dim('('+caFindings.length+')')}`);
+  console.log(SEP);
+  if (!caFindings.length) {
+    console.log(`  ${paint.green('✓')} No issues found`);
+  } else {
+    for (const f of caFindings) {
+      const col = severityColor[f.severity] || paint.dim;
+      console.log(`  ${paint.red('✗')} ${col('['+f.severity+']')} ${f.title}`);
+    }
+  }
+
+  if (ocAvailable) {
+    console.log('');
+    console.log(SEP);
+    console.log(`  ${paint.cyan('openclaw security audit findings')} ${paint.dim('('+ocFindings.length+')')}`);
+    console.log(SEP);
+    if (!ocFindings.length) {
+      console.log(`  ${paint.green('✓')} No issues found`);
+    } else {
+      for (const f of ocFindings) {
+        console.log(`  ${paint.yellow('!')} [${f.severity||'warn'}] ${f.checkId||f.id||f.title||'unknown'}`);
+      }
+    }
+
+    // Unique to each
+    console.log(''); console.log(SEP);
+    console.log(`  ${paint.bold('Coverage gap analysis')}`);
+    console.log(SEP);
+    console.log(`  ${paint.cyan('Only in ClawArmor:')}       supply chain scan, compare command`);
+    console.log(`  ${paint.cyan('Only in openclaw audit:')}  gateway probe (--deep), live WS test, auto-fix`);
+    console.log(`  ${paint.cyan('Both cover:')}              config checks, file permissions, channel policies`);
+  } else {
+    console.log('');
+    console.log(`  ${paint.dim('openclaw security audit --json not available.')}`);
+    console.log(`  ${paint.dim('Run both manually to compare.')}`);
+  }
+
+  console.log('');
+  console.log(SEP);
+  console.log(`  ${paint.bold('What ClawArmor adds over the built-in auditor:')}`);
+  console.log(`  ${paint.green('✓')} ${paint.dim('Skill supply chain scan (ALL files, not just SKILL.md)')}`);
+  console.log(`  ${paint.green('✓')} ${paint.dim('External exposure detection (github.com/pinzasai/clawarmor)')}`);
+  console.log(`  ${paint.green('✓')} ${paint.dim('Zero-FP scoring with floor rules for CRITICAL findings')}`);
+  console.log(`  ${paint.green('✓')} ${paint.dim('Context-aware scan (binary wrappers, built-in skills)')}`);
+  console.log(`  ${paint.green('✓')} ${paint.dim('Attack scenario descriptions per finding')}`);
+  console.log('');
+  return 0;
+}

package/lib/config.js

@@ -0,0 +1,48 @@
+import { readFileSync, statSync, existsSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+
+const HOME = homedir();
+const OC_DIR = join(HOME, '.openclaw');
+
+export function getConfigPath() { return join(OC_DIR, 'openclaw.json'); }
+export function getAgentAccountsPath() { return join(OC_DIR, 'agent-accounts.json'); }
+
+export function getOctalPermissions(filePath) {
+  if (!existsSync(filePath)) return null;
+  try { return (statSync(filePath).mode & 0o777).toString(8).padStart(3, '0'); }
+  catch { return null; }
+}
+
+export function get(obj, path, def = undefined) {
+  if (!obj || typeof obj !== 'object') return def;
+  const parts = path.split('.');
+  let cur = obj;
+  for (const p of parts) {
+    if (cur == null || typeof cur !== 'object') return def;
+    cur = cur[p];
+  }
+  return cur === undefined ? def : cur;
+}
+
+export function loadConfig(overridePath = null) {
+  const configPath = overridePath || getConfigPath();
+  if (!existsSync(configPath)) {
+    return { config: {}, configPath, error: `Config not found at ${configPath}\nRun: openclaw doctor` };
+  }
+  try {
+    const raw = readFileSync(configPath, 'utf8');
+    // Strip JS-style comments and trailing commas (openclaw.json may use JSON5)
+    let clean = raw
+      .replace(/\/\/[^\n]*/g, '')           // single-line comments
+      .replace(/\/\*[\s\S]*?\*\//g, '')     // block comments
+      .replace(/,(\s*[}\]])/g, '$1');       // trailing commas
+    // Try cleaned first, fall back to raw
+    let config;
+    try { config = JSON.parse(clean); }
+    catch { config = JSON.parse(raw); }     // raw is valid JSON — use it
+    return { config, configPath, error: null };
+  } catch (err) {
+    return { config: {}, configPath, error: `Failed to parse openclaw.json: ${err.message}` };
+  }
+}

package/lib/discovery.js

@@ -0,0 +1,92 @@
+// ClawArmor — Discovers the actual running OpenClaw instance
+// Uses only Node.js built-ins: child_process, fs, os
+// Runs fast (<500ms) via execSync with timeout
+
+import { execSync } from 'child_process';
+import { existsSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+
+const DEFAULT_CONFIG_PATH = join(homedir(), '.openclaw', 'openclaw.json');
+const DEFAULT_PORT = 18789;
+
+function runPs() {
+  try {
+    const out = execSync('ps aux', { timeout: 400, encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'] });
+    return out;
+  } catch {
+    return '';
+  }
+}
+
+function parseInstances(psOutput) {
+  const instances = [];
+  for (const line of psOutput.split('\n')) {
+    // Match node processes running openclaw gateway
+    if (!/node\b/.test(line)) continue;
+    if (!/openclaw/.test(line)) continue;
+    if (!/gateway/.test(line)) continue;
+
+    // Extract PID (second field in ps aux)
+    const fields = line.trim().split(/\s+/);
+    const pid = parseInt(fields[1], 10);
+
+    // Extract --config flag value
+    const configMatch = line.match(/--config\s+([^\s]+)/);
+    const configPath = configMatch ? configMatch[1] : DEFAULT_CONFIG_PATH;
+
+    // Extract --port flag value
+    const portMatch = line.match(/--port\s+(\d+)/);
+    const port = portMatch ? parseInt(portMatch[1], 10) : DEFAULT_PORT;
+
+    instances.push({ pid, configPath, port });
+  }
+  return instances;
+}
+
+/**
+ * Discovers the running OpenClaw instance.
+ *
+ * Returns:
+ *   { configPath, port, pid, multiple: false, instances: [] }
+ *   or
+ *   { configPath, port, pid, multiple: true, instances: [{ pid, configPath, port }, ...] }
+ *
+ * Falls back gracefully: if ps fails or no process found, returns defaults.
+ */
+export async function discoverRunningInstance() {
+  const psOutput = runPs();
+  const instances = parseInstances(psOutput);
+
+  if (instances.length === 0) {
+    // No process found — return defaults (probe will check if port responds)
+    return {
+      configPath: existsSync(DEFAULT_CONFIG_PATH) ? DEFAULT_CONFIG_PATH : null,
+      port: DEFAULT_PORT,
+      pid: null,
+      multiple: false,
+      instances: [],
+    };
+  }
+
+  if (instances.length === 1) {
+    const inst = instances[0];
+    return {
+      configPath: inst.configPath,
+      port: inst.port,
+      pid: inst.pid,
+      multiple: false,
+      instances,
+    };
+  }
+
+  // Multiple instances: prefer the one on default port, else first
+  const preferred = instances.find(i => i.port === DEFAULT_PORT) || instances[0];
+  return {
+    configPath: preferred.configPath,
+    port: preferred.port,
+    pid: preferred.pid,
+    multiple: true,
+    instances,
+  };
+}