clawarmor 1.1.0

package/lib/probes/gateway-probe.js

@@ -0,0 +1,260 @@
+// ClawArmor v0.6 — Live gateway behavioral probes
+// Uses ONLY Node.js built-ins: net, http, os, crypto
+// All probes timeout at 2000ms. Fails gracefully if gateway not running.
+
+import net from 'net';
+import http from 'http';
+import os from 'os';
+
+const TIMEOUT = 2000;
+
+function tcpProbe(host, port) {
+  return new Promise(resolve => {
+    const sock = net.createConnection({ host, port });
+    const timer = setTimeout(() => { sock.destroy(); resolve(false); }, TIMEOUT);
+    sock.on('connect', () => { clearTimeout(timer); sock.destroy(); resolve(true); });
+    sock.on('error', () => { clearTimeout(timer); resolve(false); });
+  });
+}
+
+function httpGet(url) {
+  return new Promise(resolve => {
+    const timer = setTimeout(() => resolve(null), TIMEOUT);
+    try {
+      http.get(url, res => {
+        clearTimeout(timer);
+        let body = '';
+        res.on('data', d => { body += d; if (body.length > 8192) res.destroy(); });
+        res.on('end', () => resolve({ status: res.statusCode, headers: res.headers, body }));
+        res.on('error', () => resolve(null));
+      }).on('error', () => { clearTimeout(timer); resolve(null); });
+    } catch { clearTimeout(timer); resolve(null); }
+  });
+}
+
+function httpOptions(url, origin) {
+  return new Promise(resolve => {
+    const parsed = new URL(url);
+    const timer = setTimeout(() => resolve(null), TIMEOUT);
+    const opts = {
+      hostname: parsed.hostname, port: parsed.port, path: parsed.pathname || '/',
+      method: 'OPTIONS',
+      headers: { Origin: origin, 'Access-Control-Request-Method': 'GET' },
+    };
+    try {
+      const req = http.request(opts, res => {
+        clearTimeout(timer);
+        resolve({ status: res.statusCode, headers: res.headers });
+      });
+      req.on('error', () => { clearTimeout(timer); resolve(null); });
+      req.end();
+    } catch { clearTimeout(timer); resolve(null); }
+  });
+}
+
+// Minimal WebSocket handshake without auth token — check if server accepts it
+function wsProbeNoAuth(host, port) {
+  return new Promise(resolve => {
+    const timer = setTimeout(() => { sock.destroy(); resolve('timeout'); }, TIMEOUT);
+    const key = Buffer.from(Math.random().toString(36)).toString('base64');
+    const sock = net.createConnection({ host, port });
+
+    sock.on('error', () => { clearTimeout(timer); resolve('error'); });
+
+    sock.on('connect', () => {
+      const handshake = [
+        `GET / HTTP/1.1`,
+        `Host: ${host}:${port}`,
+        `Upgrade: websocket`,
+        `Connection: Upgrade`,
+        `Sec-WebSocket-Key: ${key}`,
+        `Sec-WebSocket-Version: 13`,
+        `\r\n`,
+      ].join('\r\n');
+      sock.write(handshake);
+    });
+
+    let buf = '';
+    sock.on('data', data => {
+      buf += data.toString();
+      clearTimeout(timer);
+      sock.destroy();
+      // 101 = upgrade accepted (WS open without auth)
+      if (buf.includes('HTTP/1.1 101') || buf.includes('HTTP/1.0 101')) {
+        resolve('accepted');
+      } else if (buf.includes('401') || buf.includes('403') || buf.includes('400')) {
+        resolve('rejected');
+      } else {
+        resolve('rejected');
+      }
+    });
+  });
+}
+
+export async function probeGatewayLive(config, { host = '127.0.0.1', port: portOverride = null } = {}) {
+  const port = portOverride || config?.gateway?.port || 18789;
+  const results = [];
+
+  // ── PROBE 1: Is gateway actually running? ─────────────────────────────────
+  const running = await tcpProbe(host, port);
+  results.push({
+    id: 'probe.gateway_running',
+    severity: 'INFO',
+    passed: true,
+    title: running ? `Gateway running on port ${port}` : `Gateway not running on port ${port}`,
+    passedMsg: running ? `Gateway running on port ${port}` : `Gateway not running on port ${port}`,
+    live: true,
+    gatewayRunning: running,
+  });
+
+  if (!running) {
+    // Skip remaining probes — gateway is not up
+    return results;
+  }
+
+  // ── PROBE 2: Is gateway reachable on non-loopback interfaces? ────────────
+  const ifaces = os.networkInterfaces();
+  const nonLoopback = [];
+  for (const [, addrs] of Object.entries(ifaces)) {
+    for (const a of (addrs || [])) {
+      if (!a.internal && a.family === 'IPv4') nonLoopback.push(a.address);
+    }
+  }
+
+  const exposedOn = [];
+  for (const ip of nonLoopback) {
+    const reachable = await tcpProbe(ip, port);
+    if (reachable) exposedOn.push(ip);
+  }
+
+  if (exposedOn.length > 0) {
+    results.push({
+      id: 'probe.network_exposed',
+      severity: 'HIGH',
+      passed: false,
+      title: `Gateway reachable on network interface(s): ${exposedOn.join(', ')}`,
+      description: `Live probe: gateway responds on non-loopback IP(s).\nEven if config says "loopback", the process is listening on 0.0.0.0.\nAnyone on your network can connect.\nExposed on: ${exposedOn.join(', ')}`,
+      fix: `openclaw config set gateway.bind loopback\nopenctl gateway restart`,
+      live: true,
+    });
+  } else {
+    results.push({
+      id: 'probe.network_exposed',
+      severity: 'HIGH',
+      passed: true,
+      passedMsg: 'Not reachable on network interfaces (probed live)',
+      live: true,
+    });
+  }
+
+  // ── PROBE 3: Does gateway require auth? (WebSocket probe) ─────────────────
+  const wsResult = await wsProbeNoAuth(host, port);
+  if (wsResult === 'accepted') {
+    results.push({
+      id: 'probe.ws_auth',
+      severity: 'CRITICAL',
+      passed: false,
+      title: 'Gateway WebSocket accepts connections without authentication',
+      description: `Live probe: WebSocket upgrade accepted without an auth token.\nAny local process (malicious scripts, browser tabs) can connect and\nissue tool calls to your agent with no credentials.\nAttack: malicious web page uses ws://${host}:${port} to hijack agent.`,
+      fix: `openclaw config set gateway.auth.mode token\nopenctl config set gateway.auth.token $(node -e "console.log(require('crypto').randomBytes(32).toString('base64url'))")\nopenctl gateway restart`,
+      live: true,
+    });
+  } else {
+    results.push({
+      id: 'probe.ws_auth',
+      severity: 'CRITICAL',
+      passed: true,
+      passedMsg: wsResult === 'timeout'
+        ? 'Authentication required (WebSocket probe timed out — auth likely blocking)'
+        : 'Authentication required (WebSocket probe confirmed)',
+      live: true,
+    });
+  }
+
+  // ── PROBE 4: Does /health leak sensitive data? ────────────────────────────
+  const healthRes = await httpGet(`http://${host}:${port}/health`);
+  if (healthRes) {
+    const LEAK_KEYS = ['botToken', 'password', 'apiKey', 'token', 'secret', 'credential', 'privateKey'];
+    const leakedFields = [];
+    try {
+      const parsed = JSON.parse(healthRes.body);
+      const flat = JSON.stringify(parsed);
+      for (const k of LEAK_KEYS) {
+        const re = new RegExp(`"${k}"\\s*:\\s*"[^"]{8,}"`, 'i');
+        if (re.test(flat)) leakedFields.push(k);
+      }
+    } catch {
+      // Raw text response — check for token-like values
+      for (const k of LEAK_KEYS) {
+        if (new RegExp(`${k}[\"':\\s]+[A-Za-z0-9+/]{16,}`, 'i').test(healthRes.body)) {
+          leakedFields.push(k);
+        }
+      }
+    }
+
+    if (leakedFields.length > 0) {
+      results.push({
+        id: 'probe.health_leak',
+        severity: 'MEDIUM',
+        passed: false,
+        title: `/health endpoint leaks sensitive fields: ${leakedFields.join(', ')}`,
+        description: `Live probe: GET /health returned plaintext values for: ${leakedFields.join(', ')}.\nAny local process can read these credentials without authentication.`,
+        fix: `File issue with OpenClaw to redact sensitive keys from /health.\nWorkaround: firewall /health with a local reverse proxy.`,
+        live: true,
+      });
+    } else {
+      results.push({
+        id: 'probe.health_leak',
+        severity: 'MEDIUM',
+        passed: true,
+        passedMsg: '/health endpoint does not leak sensitive data',
+        live: true,
+      });
+    }
+  } else {
+    results.push({
+      id: 'probe.health_leak',
+      severity: 'MEDIUM',
+      passed: true,
+      passedMsg: '/health endpoint not reachable or not present',
+      live: true,
+    });
+  }
+
+  // ── PROBE 5: CORS headers ─────────────────────────────────────────────────
+  const evilOrigin = 'https://evil.example.com';
+  const corsRes = await httpOptions(`http://${host}:${port}/`, evilOrigin);
+  if (corsRes) {
+    const acao = (corsRes.headers['access-control-allow-origin'] || '').trim();
+    const corsOpen = acao === '*' || acao === evilOrigin;
+    if (corsOpen) {
+      results.push({
+        id: 'probe.cors',
+        severity: 'HIGH',
+        passed: false,
+        title: `CORS misconfigured — allows arbitrary origins (${acao})`,
+        description: `Live probe: OPTIONS with Origin: ${evilOrigin}\nreturned Access-Control-Allow-Origin: ${acao}.\nAny web page can make cross-origin requests to your gateway.\nAttack: malicious site reads agent responses via CORS.`,
+        fix: `openclaw config set gateway.cors.allowedOrigins '["http://localhost"]'\nopenctl gateway restart`,
+        live: true,
+      });
+    } else {
+      results.push({
+        id: 'probe.cors',
+        severity: 'HIGH',
+        passed: true,
+        passedMsg: acao ? `CORS restricted (allowed: ${acao})` : 'CORS not open to arbitrary origins',
+        live: true,
+      });
+    }
+  } else {
+    results.push({
+      id: 'probe.cors',
+      severity: 'HIGH',
+      passed: true,
+      passedMsg: 'CORS probe: no OPTIONS response (not exposed or not applicable)',
+      live: true,
+    });
+  }
+
+  return results;
+}

package/lib/scan.js

@@ -0,0 +1,129 @@
+import { paint, severityColor } from './output/colors.js';
+import { scanFile } from './scanner/file-scanner.js';
+import { findInstalledSkills } from './scanner/skill-finder.js';
+import { scanSkillMdFiles } from './scanner/skill-md-scanner.js';
+
+const SEP = paint.dim('─'.repeat(52));
+const HOME = process.env.HOME || '';
+
+function short(p) { return p.replace(HOME,'~'); }
+
+function box(title) {
+  const W=52, pad=W-2-title.length, l=Math.floor(pad/2), r=pad-l;
+  return [paint.dim('╔'+'═'.repeat(W-2)+'╗'),
+    paint.dim('║')+' '.repeat(l)+paint.bold(title)+' '.repeat(r)+paint.dim('║'),
+    paint.dim('╚'+'═'.repeat(W-2)+'╝')].join('\n');
+}
+
+export async function runScan() {
+  console.log(''); console.log(box('ClawArmor Skill Scan  v0.6')); console.log('');
+  console.log(`  ${paint.dim('Scanning:')} Installed OpenClaw skills (code + SKILL.md)`);
+  console.log(`  ${paint.dim('Started:')}  ${new Date().toLocaleString('en-US',{dateStyle:'medium',timeStyle:'short'})}`);
+  console.log('');
+
+  const skills = findInstalledSkills();
+  if (!skills.length) {
+    console.log(`  ${paint.dim('No installed skills found.')}`); console.log(''); return 0;
+  }
+
+  const userSkills = skills.filter(s => !s.isBuiltin);
+  const builtinSkills = skills.filter(s => s.isBuiltin);
+  console.log(`  ${paint.dim('Found')} ${paint.bold(String(skills.length))} ${paint.dim('skills')} ${paint.dim(`(${userSkills.length} user-installed, ${builtinSkills.length} built-in)`)}`);
+  console.log('');
+
+  let totalCritical = 0, totalHigh = 0;
+  const flagged = [];
+
+  for (const skill of skills) {
+    process.stdout.write(`  ${skill.isBuiltin ? paint.dim('⊙') : paint.cyan('▶')} ${paint.bold(skill.name)}${paint.dim(skill.isBuiltin?' [built-in]':' [user]')}...`);
+
+    // Code findings (JS, py, sh, etc.)
+    const codeFindings = skill.files.flatMap(f => scanFile(f, skill.isBuiltin));
+
+    // SKILL.md instruction findings
+    const mdResults = scanSkillMdFiles(skill.files, skill.isBuiltin);
+    const mdFindings = mdResults.flatMap(r => r.findings);
+
+    const allFindings = [...codeFindings, ...mdFindings];
+
+    const critical = allFindings.filter(f => f.severity==='CRITICAL');
+    const high = allFindings.filter(f => f.severity==='HIGH');
+    const medium = allFindings.filter(f => f.severity==='MEDIUM');
+    const info = allFindings.filter(f => f.severity==='INFO'||f.severity==='LOW');
+
+    totalCritical += critical.length; totalHigh += high.length;
+
+    if (!allFindings.length) { process.stdout.write(` ${paint.green('✓ clean')}\n`); continue; }
+
+    const parts = [];
+    if (critical.length) parts.push(paint.red(`${critical.length} critical`));
+    if (high.length) parts.push(paint.yellow(`${high.length} high`));
+    if (medium.length) parts.push(paint.cyan(`${medium.length} medium`));
+    if (info.length) parts.push(paint.dim(`${info.length} info`));
+    process.stdout.write(` ${parts.join(', ')}\n`);
+
+    if (critical.length || high.length || medium.length) {
+      flagged.push({ skill, codeFindings, mdResults });
+    }
+  }
+
+  // Detailed report for flagged skills
+  for (const {skill, codeFindings, mdResults} of flagged) {
+    console.log(''); console.log(SEP);
+    console.log(`  ${paint.bold(skill.name)}  ${paint.dim(short(skill.path))}`);
+    if (skill.isBuiltin) console.log(`  ${paint.dim('ℹ  Built-in skill — review only if recently updated or unexpected')}`);
+    else console.log(`  ${paint.yellow('⚠')}  ${paint.bold('Third-party skill — review carefully')}`);
+    console.log(SEP);
+
+    // Code findings
+    const codeFlagged = codeFindings.filter(f => ['CRITICAL','HIGH','MEDIUM'].includes(f.severity));
+    if (codeFlagged.length) {
+      console.log(`\n  ${paint.dim('── Code Findings ──')}`);
+      for (const sev of ['CRITICAL','HIGH','MEDIUM','INFO','LOW']) {
+        for (const f of codeFindings.filter(x=>x.severity===sev)) {
+          console.log('');
+          console.log(`  ${paint.red('✗')} ${(severityColor[sev]||paint.dim)('['+sev+']')} ${paint.bold(f.title)}`);
+          console.log(`    ${paint.dim(f.description)}`);
+          if (f.note) console.log(`    ${paint.dim('Note: '+f.note)}`);
+          for (const m of f.matches) {
+            console.log(`    ${paint.dim('→')} ${paint.cyan(short(f.file)+':'+m.line)}`);
+            console.log(`      ${paint.dim(m.snippet)}`);
+          }
+        }
+      }
+    }
+
+    // SKILL.md findings
+    if (mdResults.length) {
+      console.log(`\n  ${paint.dim('── SKILL.md Instruction Findings ──')}`);
+      for (const { filePath, findings } of mdResults) {
+        console.log(`  ${paint.dim(short(filePath))}`);
+        for (const f of findings) {
+          const sc = severityColor[f.severity] || paint.dim;
+          console.log('');
+          console.log(`  ${paint.red('✗')} ${sc('['+f.severity+']')} ${paint.bold(f.title)}`);
+          console.log(`    ${paint.dim(f.description)}`);
+          if (f.note) console.log(`    ${paint.dim('Note: '+f.note)}`);
+          for (const m of f.matches) {
+            console.log(`    ${paint.dim('→')} ${paint.cyan(short(filePath)+':'+m.line)}`);
+            console.log(`      ${paint.dim(m.snippet)}`);
+          }
+        }
+      }
+    }
+  }
+
+  console.log(''); console.log(SEP);
+  if (!totalCritical && !totalHigh) {
+    console.log(`  ${paint.green('✓')} No critical or high findings across ${skills.length} skills.`);
+  } else {
+    if (totalCritical) console.log(`  ${paint.red('✗')} ${paint.bold(String(totalCritical))} CRITICAL — review immediately`);
+    if (totalHigh) console.log(`  ${paint.yellow('✗')} ${paint.bold(String(totalHigh))} HIGH — review before next session`);
+    console.log('');
+    console.log(`  ${paint.dim('ClawArmor scans ALL skill files (.js .sh .py .ts) + SKILL.md')}`);
+    console.log(`  ${paint.dim('not just code — dangerous natural language instructions caught too.')}`);
+  }
+  console.log(`  ${paint.dim('Run')} ${paint.cyan('clawarmor audit')} ${paint.dim('to check your config.')}`);
+  console.log('');
+  return totalCritical > 0 ? 1 : 0;
+}

package/lib/scanner/file-scanner.js

@@ -0,0 +1,69 @@
+import { readFileSync } from 'fs';
+import { extname, basename } from 'path';
+import { CRITICAL_PATTERNS, HIGH_PATTERNS, MEDIUM_PATTERNS,
+  SCANNABLE_EXTENSIONS, SKIP_EXTENSIONS, isSpawnInBinaryWrapper } from './patterns.js';
+
+function getExt(p) { return extname(p).replace('.','').toLowerCase(); }
+
+function findMatches(content, pattern) {
+  const lines = content.split('\n');
+  const matches = [];
+  const regex = new RegExp(pattern.regex.source, 'gi');
+  let m;
+  while ((m = regex.exec(content)) !== null) {
+    const lineNum = content.substring(0, m.index).split('\n').length;
+    const line = lines[lineNum-1]?.trim() || '';
+    if (/^\s*(\/\/|#|\*)/.test(line)) continue; // skip comments
+    matches.push({ line: lineNum, snippet: line.substring(0,120) });
+    if (matches.length >= 3) break;
+  }
+  return matches;
+}
+
+export function scanFile(filePath, isBuiltin = false) {
+  const ext = getExt(filePath);
+  if (SKIP_EXTENSIONS.has(ext)) return [];
+  if (!SCANNABLE_EXTENSIONS.has(ext) && ext !== 'md' && ext !== '') return [];
+
+  let content;
+  try { content = readFileSync(filePath, 'utf8'); }
+  catch { return []; }
+  if (content.length > 500_000) return [];
+
+  const findings = [];
+  const allPatterns = [
+    ...CRITICAL_PATTERNS.map(p => ({...p, severity:'CRITICAL'})),
+    ...HIGH_PATTERNS.map(p => ({...p, severity:'HIGH'})),
+    ...MEDIUM_PATTERNS.map(p => ({...p, severity:'MEDIUM'})),
+  ];
+
+  for (const pattern of allPatterns) {
+    const matches = findMatches(content, pattern);
+    if (!matches.length) continue;
+
+    // Context-aware severity reduction for built-in skills
+    let severity = pattern.severity;
+    let note = null;
+
+    if (isBuiltin && pattern.builtinOk) {
+      severity = 'INFO';
+      note = 'Built-in skill — pattern is likely legitimate. Review only if recently updated.';
+    }
+
+    // spawnSync/exec in binary wrapper = legitimate (TTS, image tools)
+    if (['eval','child-process','exec-spawn','vm-run'].includes(pattern.id)) {
+      if (isSpawnInBinaryWrapper(filePath, matches[0]?.snippet || '')) {
+        severity = isBuiltin ? 'INFO' : 'LOW';
+        note = 'Pattern detected in binary wrapper context — likely legitimate subprocess call.';
+      }
+    }
+
+    // built-in skills: cap max severity at LOW for most patterns
+    if (isBuiltin && !pattern.builtinOk && severity === 'CRITICAL') severity = 'LOW';
+    if (isBuiltin && !pattern.builtinOk && severity === 'HIGH') severity = 'INFO';
+
+    findings.push({ patternId: pattern.id, severity, title: pattern.title,
+      description: pattern.description, file: filePath, matches, note });
+  }
+  return findings;
+}

package/lib/scanner/patterns.js

@@ -0,0 +1,74 @@
+// v0.5 — context-aware patterns, adversarially reviewed
+
+export const CRITICAL_PATTERNS = [
+  { id: 'eval', regex: /\beval\s*\((?!\s*\/\/)/, title: 'eval() usage',
+    description: 'Executes arbitrary code strings. Classic injection vector.',
+    contextDeny: [/\bcomment\b/, /example/i] },
+  { id: 'new-function', regex: /new\s+Function\s*\(/, title: 'new Function()',
+    description: 'Equivalent to eval() — executes arbitrary code.' },
+  { id: 'child-process', regex: /require\(['"`]child_process['"`]\)|from\s+['"`]child_process['"`]/,
+    title: 'child_process imported', description: 'Allows shell command execution.' },
+  { id: 'pipe-to-shell', regex: /[`'"]\s*\|\s*(sh|bash|zsh|fish)\b/,
+    title: 'Pipe-to-shell pattern', description: 'curl|bash or wget|sh — classic RCE.' },
+  { id: 'vm-run', regex: /vm\.(runInNewContext|runInThisContext)\s*\(/,
+    title: 'vm module code execution', description: 'Executes code in Node.js VM.' },
+];
+
+export const HIGH_PATTERNS = [
+  { id: 'credential-file', regex: /agent-accounts|\/\.openclaw\/.*token|credentials\/.*\.json/i,
+    title: 'Credential file path referenced',
+    description: 'May attempt to read API keys or bot tokens.',
+    builtinOk: true }, // gh-issues legitimately reads this — flag as INFO for builtins
+  { id: 'ssh-key', regex: /\.ssh\/(id_rsa|id_ed25519|id_ecdsa|authorized_keys)/,
+    title: 'SSH key path referenced', description: 'May attempt SSH credential theft.' },
+  { id: 'known-bad-domains',
+    regex: /webhook\.site|requestbin\.|pipedream\.net|beeceptor\.com|hookbin\.com/,
+    title: 'Known data-collection domain', description: 'Used for data interception/exfiltration.' },
+  { id: 'exfil-combo', regex: /process\.env[\s\S]{0,200}(fetch|axios|http|request)\s*\(/,
+    title: 'Env vars + network call (exfil pattern)',
+    description: 'Reading env vars then making network calls — credential exfiltration pattern.' },
+];
+
+export const MEDIUM_PATTERNS = [
+  { id: 'dynamic-require', regex: /require\s*\(\s*(?!['"`])[a-zA-Z_$][a-zA-Z0-9_$]*\s*\)/,
+    title: 'Dynamic require()', description: 'Cannot be statically analyzed — may load arbitrary modules.' },
+  { id: 'large-base64', regex: /[A-Za-z0-9+\/]{150,}={0,2}/,
+    title: 'Large base64 blob (>150 chars)', description: 'May be obfuscated payload.' },
+  { id: 'http-cleartext', regex: /fetch\s*\(\s*['"`]http:\/\/(?!localhost|127\.)/,
+    title: 'Cleartext HTTP outbound', description: 'Data sent unencrypted.' },
+  { id: 'settimeout-encoded', regex: /setTimeout\s*\([^,)]*(?:atob|fromCharCode|unescape)/,
+    title: 'setTimeout with encoded callback', description: 'Evasion technique.' },
+  { id: 'fromcharcode-obfuscation', regex: /String\.fromCharCode\s*\(\s*\d{2,3}\s*,\s*\d/,
+    title: 'String.fromCharCode obfuscation', description: 'Classic string obfuscation used in malicious code.' },
+  { id: 'hex-obfuscation', regex: /\\x[0-9a-f]{2}\\x[0-9a-f]{2}\\x[0-9a-f]{2}/i,
+    title: 'Hex-encoded string sequence', description: 'Multiple hex escapes may indicate obfuscated payload.' },
+];
+
+// Built-in skills (node_modules/openclaw): these patterns are OK — lower severity
+export const BUILTIN_SAFE_PATTERN_IDS = new Set([
+  'credential-file', // gh-issues reads config for API key — legitimate
+]);
+
+// Spawning a subprocess is OK in binary wrappers (TTS, image tools, etc.)
+export function isSpawnInBinaryWrapper(filePath, snippet) {
+  const isBinPath = /\/bin\/[^/]+$/.test(filePath);
+  const hasTtsContext = /tts|speech|audio|whisper|sherpa|onnx/i.test(filePath + snippet);
+  const hasImageContext = /image|vision|ffmpeg|convert/i.test(filePath + snippet);
+  return isBinPath && (hasTtsContext || hasImageContext);
+}
+
+export const ALLOWLISTED_DOMAINS = new Set([
+  'api.anthropic.com', 'api.openai.com', 'api.github.com',
+  'registry.npmjs.org', 'raw.githubusercontent.com',
+  'api.telegram.org', 'discord.com', 'slack.com',
+  '127.0.0.1', 'localhost', '::1',
+]);
+
+export const SCANNABLE_EXTENSIONS = new Set([
+  'js','ts','mjs','cjs','jsx','tsx','py','rb','sh','bash','zsh',
+]);
+
+export const SKIP_EXTENSIONS = new Set([
+  'png','jpg','jpeg','gif','webp','ico','svg','ttf','woff','woff2',
+  'zip','gz','tar','mp3','mp4','pdf','lock','sum',
+]);

package/lib/scanner/skill-finder.js

@@ -0,0 +1,58 @@
+import { existsSync, readdirSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+
+const HOME = homedir();
+const BUILTIN_PATHS = new Set([
+  join(HOME, '.npm-global', 'lib', 'node_modules', 'openclaw', 'skills'),
+  '/opt/homebrew/lib/node_modules/openclaw/skills',
+  '/usr/local/lib/node_modules/openclaw/skills',
+]);
+const USER_PATHS = [
+  join(HOME, '.openclaw', 'skills'),
+  join(HOME, '.openclaw', 'workspace', 'skills'),
+];
+
+function getAllFiles(dir, files = []) {
+  try {
+    for (const e of readdirSync(dir, { withFileTypes: true })) {
+      if (e.name.startsWith('.') || e.name === 'node_modules' || e.name === '__pycache__') continue;
+      const fp = join(dir, e.name);
+      if (e.isDirectory()) getAllFiles(fp, files);
+      else files.push(fp);
+    }
+  } catch { /* permission denied */ }
+  return files;
+}
+
+export function findInstalledSkills() {
+  const skills = [];
+  const seenNames = new Set();
+
+  // User-installed skills first (higher priority, higher severity)
+  for (const searchPath of USER_PATHS) {
+    if (!existsSync(searchPath)) continue;
+    for (const e of readdirSync(searchPath, { withFileTypes: true })) {
+      if (!e.isDirectory() || seenNames.has(e.name)) continue;
+      seenNames.add(e.name);
+      const skillPath = join(searchPath, e.name);
+      skills.push({ name: e.name, path: skillPath, files: getAllFiles(skillPath), isBuiltin: false });
+    }
+  }
+
+  // Built-in skills (lower severity findings)
+  for (const searchPath of BUILTIN_PATHS) {
+    if (!existsSync(searchPath)) continue;
+    try {
+      for (const e of readdirSync(searchPath, { withFileTypes: true })) {
+        if (!e.isDirectory() || seenNames.has(e.name)) continue;
+        seenNames.add(e.name);
+        const skillPath = join(searchPath, e.name);
+        skills.push({ name: e.name, path: skillPath, files: getAllFiles(skillPath), isBuiltin: true });
+      }
+    } catch { continue; }
+    break; // Only scan one built-in path (first found = deduped)
+  }
+
+  return skills;
+}