npm - clawarmor - Versions diffs - 2.2.0 → 2.2.1 - Mend

clawarmor 2.2.0 → 2.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md +25 -0
package/lib/scanner/obfuscation.js +45 -1
package/lib/scanner/patterns.js +31 -0
package/package.json +2 -2
package/demo-preview.gif +0 -0
package/demo.cast +0 -680
package/demo.gif +0 -0

package/README.md CHANGED Viewed

@@ -40,6 +40,11 @@ clawarmor audit
 | `trend` | ASCII chart of your security score over time |
 | `compare` | Compare coverage vs openclaw security audit |
 | `fix` | Auto-apply safe fixes (--dry-run to preview, --apply to run) |
+| `snapshot` | Save a config snapshot manually (auto-saved before every harden/fix) |
+| `rollback` | Restore config from auto-snapshot (--list, --id <id>) |
+| `harden --monitor` | Enable monitor mode — observe before enforcing |
+| `harden --monitor-report` | Show what monitor mode has observed |
+| `harden --monitor-off` | Disable monitor mode |
 ## What it catches
@@ -56,6 +61,26 @@ clawarmor audit
 | Gateway exposure | TCP-connects to every non-loopback interface | Full |
 | Runtime policy enforcement | Requires a runtime layer (SupraWall) | None |
+## Safety features
+**Impact classification** — Every fix is tagged 🟢 Safe, 🟡 Caution, or 🔴 Breaking. `--auto` mode skips breaking changes unless you pass `--force`.
+**Config snapshots** — ClawArmor auto-saves your config before every `harden` or `fix` run. If something breaks, roll back instantly:
+```bash
+clawarmor rollback --list    # see all snapshots
+clawarmor rollback           # restore the latest
+clawarmor rollback --id <n>  # restore a specific one
+```
+**Monitor mode** — Observe what `harden` would do before enforcing:
+```bash
+clawarmor harden --monitor        # start monitoring
+clawarmor harden --monitor-report # see what it observed
+clawarmor harden --monitor-off    # stop monitoring
+```
 ## Philosophy
 ClawArmor runs entirely on your machine — no telemetry, no cloud, no accounts.

package/lib/scanner/obfuscation.js CHANGED Viewed

@@ -1,4 +1,4 @@
-// obfuscation.js — v1.2.0
+// obfuscation.js — v1.3.0
 // Detects obfuscated code patterns that bypass naive string-grep analysis.
 // Zero external dependencies. Pure regex, adversarially reviewed.
 //
@@ -10,6 +10,10 @@
 //   - globalThis/global bracket access to dangerous names
 //   - ['constructor'] escape pattern
 //   - Unicode/hex escape sequences for dangerous keywords
+//   - Dynamic import() with runtime-assembled module name
+//   - eval/exec called with interpolated template literal
+//   - Proxy/Reflect wrapping of dangerous objects
+//   - Variable aliasing of dangerous functions (const e = eval)
 export const OBFUSCATION_PATTERNS = [
   {
@@ -81,6 +85,46 @@ export const OBFUSCATION_PATTERNS = [
     description: "Calls require() or import() with a runtime-decoded string argument (atob, fromCharCode, etc.).",
     regex: /(?:require|import)\s*\(\s*(?:atob|String\.fromCharCode|Buffer\.from)\s*\(/,
   },
+  {
+    // Pattern: const mod = 'child' + '_process'; import(mod)
+    // The module name is never visible as a literal string, bypassing child_process regex.
+    id: 'obfus-dynamic-import-concat',
+    severity: 'CRITICAL',
+    title: 'Dynamic import() with runtime-assembled module name',
+    description: "import() called with a variable or concatenated string — module name assembled at runtime, bypassing static child_process/net detection.",
+    note: "Pattern: const mod = 'child' + '_process'; import(mod). The dangerous module name never appears intact in source.",
+    regex: /\bimport\s*\(\s*(?:[a-zA-Z_$][a-zA-Z0-9_$]*\s*\)|['"`][^'"`]*['"`]\s*\+)/,
+  },
+  {
+    // Pattern: eval(`(function() { ${userCode} })()`)
+    // Template literal interpolation allows runtime code injection hidden from literal-string scanners.
+    id: 'obfus-template-literal',
+    severity: 'HIGH',
+    title: 'eval/exec called with interpolated template literal',
+    description: "eval or exec invoked with a template literal containing ${...} interpolation — injects runtime values into executed code.",
+    note: "eval(`code ${var}`) assembles executable code from runtime values. Evades scanners that only check string literals.",
+    regex: /\b(?:eval|Function|exec|execSync)\s*\(\s*`[^`]*\$\{/,
+  },
+  {
+    // Pattern: new Proxy(process, handler) or Reflect.get(globalThis, 'eval')
+    // Proxying dangerous objects intercepts property access for exfiltration or modification.
+    id: 'obfus-proxy-reflect',
+    severity: 'HIGH',
+    title: 'Proxy/Reflect wrapping of dangerous object',
+    description: "Wrapping process, require, or globalThis in a Proxy intercepts all property access — used for covert exfiltration or to modify dangerous function behavior.",
+    note: "new Proxy(process, handler) can log every process property access. Reflect.get(globalThis, 'eval') accesses eval indirectly.",
+    regex: /new\s+Proxy\s*\(\s*(?:process|require|global|globalThis)\b|Reflect\s*\.\s*(?:get|apply)\s*\(\s*(?:globalThis|global|process)\b/,
+  },
+  {
+    // Pattern: const e = eval; e(code) or const {execSync: run} = require('child_process')
+    // Alias hides the dangerous function name at all call sites, bypassing keyword scanners.
+    id: 'obfus-var-alias',
+    severity: 'HIGH',
+    title: 'Variable aliasing of dangerous function',
+    description: "Assigning eval, exec, or spawn to a new variable name so call sites evade keyword detection.",
+    note: "const e = eval; e(code) — the dangerous eval() call is hidden as e(). Destructuring rename: const {execSync: run} = require('child_process').",
+    regex: /(?:const|let|var)\s+\w+\s*=\s*eval\b|(?:const|let|var)\s+\{[^}]*(?:exec|spawn)[^}]*:\s*\w+[^}]*\}\s*=/,
+  },
 ];
 /**

package/lib/scanner/patterns.js CHANGED Viewed

@@ -12,6 +12,12 @@ export const CRITICAL_PATTERNS = [
     title: 'Pipe-to-shell pattern', description: 'curl|bash or wget|sh — classic RCE.' },
   { id: 'vm-run', regex: /vm\.(runInNewContext|runInThisContext)\s*\(/,
     title: 'vm module code execution', description: 'Executes code in Node.js VM.' },
+  // Binding a raw TCP server is the primary reverse-shell / C2 setup technique.
+  // net.createServer in skill code has virtually no legitimate use case.
+  { id: 'reverse-shell',
+    regex: /net\.createServer\s*\(|(?:require\(['"`]net['"`]\)|import\(['"`]net['"`]\))[\s\S]{0,300}\.createServer\s*\(/,
+    title: 'net.createServer() — reverse shell / port binding',
+    description: 'Creating a raw TCP server is the primary mechanism for reverse shells and covert C2 listeners.' },
 ];
 export const HIGH_PATTERNS = [
@@ -27,6 +33,31 @@ export const HIGH_PATTERNS = [
   { id: 'exfil-combo', regex: /process\.env[\s\S]{0,200}(fetch|axios|http|request)\s*\(/,
     title: 'Env vars + network call (exfil pattern)',
     description: 'Reading env vars then making network calls — credential exfiltration pattern.' },
+  // WebSocket bypasses fetch/axios-based detection entirely — a silent exfil channel.
+  { id: 'websocket-exfil',
+    regex: /new\s+WebSocket\s*\(|(?:ws|socket)\s*\.send\s*\(/,
+    title: 'WebSocket usage (potential data exfiltration)',
+    description: 'WebSocket connections can silently exfiltrate data — not caught by fetch/axios-based detection rules.' },
+  // DNS can encode secrets in subdomain queries; no HTTP logs, evades most monitoring.
+  { id: 'dns-exfil',
+    regex: /require\(['"`](?:dns|node:dns)['"`]\)|from\s+['"`](?:dns|node:dns)['"`]/,
+    title: 'DNS module imported (covert channel risk)',
+    description: 'DNS can encode data in subdomain queries — a covert exfiltration channel that evades HTTP monitoring.' },
+  // __proto__ assignment or Object.prototype mutation corrupts the global object graph.
+  { id: 'proto-pollution',
+    regex: /__proto__\s*["'`]|Object\.prototype\s*\[/,
+    title: 'Prototype pollution',
+    description: 'Assigning to __proto__ or Object.prototype mutates all JS objects — enables object injection attacks.' },
+  // Extends exfil-combo to cover outbound channels beyond fetch: WebSocket and DNS.
+  { id: 'exfil-combo-broad',
+    regex: /process\.env[\s\S]{0,200}(?:new\s+WebSocket|ws\.send\s*\(|dns\.resolve\s*\(|dns\.lookup\s*\()/,
+    title: 'Env vars + WebSocket/DNS outbound (broad exfil)',
+    description: 'process.env followed by WebSocket or DNS send — exfiltration path not caught by fetch-only rules.' },
+  // Credential file + network call within same scope = high-confidence theft combo.
+  { id: 'cred-read-network',
+    regex: /readFileSync\s*\(['"`][^'"`]*(?:\.openclaw|agent-accounts|credentials)[^'"`]*['"`][\s\S]{0,500}(?:fetch|axios|new\s+WebSocket|ws\.send|http\.request)/,
+    title: 'Credential file read + outbound network call',
+    description: 'Reading a credential file then making a network call in the same scope — credential theft combo.' },
 ];
 export const MEDIUM_PATTERNS = [

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "clawarmor",
-  "version": "2.2.0",
-  "description": "Security armor for OpenClaw agents \u2014 audit, scan, monitor",
+  "version": "2.2.1",
+  "description": "Security armor for OpenClaw agents — audit, scan, monitor",
   "bin": {
     "clawarmor": "cli.js"
   },

package/demo-preview.gif DELETED Viewed

Binary file

package/demo.cast DELETED Viewed

@@ -1,680 +0,0 @@
-{"version": 2, "width": 110, "height": 35, "timestamp": 1772424511, "title": "ClawArmor v2.0 \u2014 Security Audit Demo", "env": {"SHELL": "/bin/zsh", "TERM": "xterm-256color"}}
-[0.0, "o", "$ "]
-[0.808, "o", "#"]
-[0.838, "o", " "]
-[0.868, "o", "S"]
-[0.898, "o", "t"]
-[0.928, "o", "e"]
-[0.958, "o", "p"]
-[0.988, "o", " "]
-[1.018, "o", "1"]
-[1.048, "o", ":"]
-[1.078, "o", " "]
-[1.108, "o", "C"]
-[1.138, "o", "h"]
-[1.168, "o", "e"]
-[1.198, "o", "c"]
-[1.228, "o", "k"]
-[1.258, "o", " "]
-[1.288, "o", "y"]
-[1.318, "o", "o"]
-[1.348, "o", "u"]
-[1.378, "o", "r"]
-[1.408, "o", " "]
-[1.438, "o", "O"]
-[1.468, "o", "p"]
-[1.498, "o", "e"]
-[1.528, "o", "n"]
-[1.558, "o", "C"]
-[1.588, "o", "l"]
-[1.618, "o", "a"]
-[1.648, "o", "w"]
-[1.678, "o", " "]
-[1.708, "o", "s"]
-[1.738, "o", "e"]
-[1.768, "o", "c"]
-[1.798, "o", "u"]
-[1.828, "o", "r"]
-[1.858, "o", "i"]
-[1.888, "o", "t"]
-[1.918, "o", "y"]
-[1.948, "o", " "]
-[1.978, "o", "p"]
-[2.008, "o", "o"]
-[2.038, "o", "s"]
-[2.068, "o", "t"]
-[2.098, "o", "u"]
-[2.128, "o", "r"]
-[2.158, "o", "e"]
-[2.188, "o", "\n"]
-[2.288, "o", "$ "]
-[2.796, "o", "c"]
-[2.841, "o", "l"]
-[2.886, "o", "a"]
-[2.931, "o", "w"]
-[2.976, "o", "a"]
-[3.021, "o", "r"]
-[3.066, "o", "m"]
-[3.111, "o", "o"]
-[3.156, "o", "r"]
-[3.201, "o", " "]
-[3.246, "o", "a"]
-[3.291, "o", "u"]
-[3.336, "o", "d"]
-[3.381, "o", "i"]
-[3.426, "o", "t"]
-[3.471, "o", "\n"]
-[3.671, "o", "\n"]
-[3.683, "o", "  \u2139  Config: local (~/.openclaw/openclaw.json)\n"]
-[3.695, "o", "     Probes: 127.0.0.1:18789 (local)\n"]
-[3.707, "o", "     Sends nothing. Source: github.com/pinzasai/clawarmor\n"]
-[3.719, "o", "\n"]
-[3.731, "o", "\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\n"]
-[3.743, "o", "\u2551         ClawArmor Audit  v2.0.0-alpha.1          \u2551\n"]
-[3.755, "o", "\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\n"]
-[3.767, "o", "\n"]
-[3.779, "o", "  Config:  /Users/pinzas/.openclaw/openclaw.json\n"]
-[3.791, "o", "  Scanned: Mar 1, 2026, 8:08 PM\n"]
-[3.803, "o", "\n"]
-[3.815, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[3.827, "o", "  LIVE GATEWAY PROBES  (connecting to 127.0.0.1:18789)\n"]
-[3.839, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[3.851, "o", "  \u2713 Gateway running on port 18789\n"]
-[3.863, "o", "  \u2713 Not reachable on network interfaces (probed live)\n"]
-[3.875, "o", "  \u2713 Authentication required (WebSocket probe confirmed)\n"]
-[3.887, "o", "  \u2713 /health endpoint does not leak sensitive data\n"]
-[3.899, "o", "  \u2713 CORS not open to arbitrary origins\n"]
-[3.911, "o", "\n"]
-[3.923, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[3.935, "o", "  Security Score: 45/100  \u2503  Grade: D\n"]
-[3.947, "o", "  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591  45%\n"]
-[3.959, "o", "\n"]
-[3.971, "o", "  Verdict:  Your instance has CRITICAL exposure. Fix immediately before using.\n"]
-[3.983, "o", "\n"]
-[3.995, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[4.007, "o", "  CRITICAL  (1 finding)\n"]
-[4.019, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[4.031, "o", "\n"]
-[4.043, "o", "  \u2717 World-readable credential files in ~/.openclaw/ (3)\n"]
-[4.055, "o", "    The following files are readable by any user on the system:\n"]
-[4.067, "o", "    \u2022 .env (644)\n"]
-[4.079, "o", "    \u2022 google-auth-setup.py (644)\n"]
-[4.091, "o", "    \u2022 update-check.json (644)\n"]
-[4.103, "o", "    \n"]
-[4.115, "o", "    Any local process or user can read your API keys and tokens.\n"]
-[4.127, "o", "\n"]
-[4.139, "o", "    Fix: Fix immediately:\n"]
-[4.151, "o", "           chmod 600 /Users/pinzas/.openclaw/.env\n"]
-[4.163, "o", "           chmod 600 /Users/pinzas/.openclaw/google-auth-setup.py\n"]
-[4.175, "o", "           chmod 600 /Users/pinzas/.openclaw/update-check.json\n"]
-[4.187, "o", "\n"]
-[4.199, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[4.211, "o", "  HIGH  (2 findings)\n"]
-[4.223, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[4.235, "o", "\n"]
-[4.247, "o", "  \u2717 Exec approval disabled \u2014 all shell commands run without confirmation\n"]
-[4.259, "o", "    tools.exec.ask=\"off\" means every shell command the agent triggers\n"]
-[4.271, "o", "    runs immediately with zero user approval. Any prompt injection or malicious\n"]
-[4.283, "o", "    skill can execute arbitrary commands on your system without you seeing them.\n"]
-[4.295, "o", "    Attack: attacker injects \"run rm -rf ~/important\" \u2014 it executes silently.\n"]
-[4.307, "o", "\n"]
-[4.319, "o", "    Fix: openclaw config set tools.exec.ask always\n"]
-[4.331, "o", "         # or, to allow a specific set without prompts:\n"]
-[4.343, "o", "         openctl config set tools.exec.ask on-miss\n"]
-[4.355, "o", "         openctl config set tools.exec.allowed '[\"git\",\"npm\",\"node\"]'\n"]
-[4.367, "o", "\n"]
-[4.379, "o", "  \u2717 API key patterns found in ~/.openclaw/ JSON files (3 files)\n"]
-[4.391, "o", "    The following JSON files in ~/.openclaw/ contain patterns matching API keys or secrets:\n"]
-[4.403, "o", "    \u2022 agent-accounts.json\n"]
-[4.415, "o", "    \u2022 exec-approvals.json\n"]
-[4.427, "o", "    \u2022 openclaw.json\n"]
-[4.439, "o", "    \n"]
-[4.451, "o", "    Note: Only key name patterns are detected \u2014 actual values are never read or stored.\n"]
-[4.463, "o", "    Credentials in the wrong files may be at risk if file permissions are too open.\n"]
-[4.475, "o", "\n"]
-[4.487, "o", "    Fix: Ensure all credential files use 0600 permissions:\n"]
-[4.499, "o", "           chmod 600 ~/.openclaw/*.json\n"]
-[4.511, "o", "         \n"]
-[4.523, "o", "         If credentials are in unexpected files, move them to agent-accounts.json.\n"]
-[4.535, "o", "\n"]
-[4.547, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[4.559, "o", "  PASSED  (34 checks)\n"]
-[4.571, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[4.583, "o", "  \u2713 Gateway bound to loopback only\n"]
-[4.595, "o", "  \u2713 Tailscale Funnel not enabled\n"]
-[4.607, "o", "  \u2713 Auth token is strong\n"]
-[4.619, "o", "  \u2713 No dangerous flags enabled\n"]
-[4.631, "o", "  \u2713 mDNS mode: \"minimal\" (not leaking sensitive data)\n"]
-[4.643, "o", "  \u2713 Real-IP fallback disabled\n"]
-[4.655, "o", "  \u2713 Gateway is loopback-only \u2014 trustedProxies not needed\n"]
-[4.667, "o", "  \u2713 Trust model appropriate for current channel configuration\n"]
-[4.679, "o", "  \u2713 ~/.openclaw/ is owner-only (700)\n"]
-[4.691, "o", "  \u2713 openclaw.json is owner-only (600)\n"]
-[4.703, "o", "  \u2713 agent-accounts.json is owner-only (600)\n"]
-[4.715, "o", "  \u2713 credentials/ directory is locked down\n"]
-[4.727, "o", "  \u2713 Session transcripts are private\n"]
-[4.739, "o", "  \u2713 Telegram DM policy: \"pairing\" (restricted)\n"]
-[4.751, "o", "  \u2713 All group policies use allowlist\n"]
-[4.763, "o", "  \u2713 No open groups with elevated tools (safe)\n"]
-[4.775, "o", "  \u2713 DM sessions are isolated per user\n"]
-[4.787, "o", "  \u2713 Agent sandbox mode: \"all\" (sessions isolated)\n"]
-[4.799, "o", "  \u2713 exec sandbox configuration is consistent\n"]
-[4.811, "o", "  \u2713 Thinking stream not leaking reasoning\n"]
-[4.823, "o", "  \u2713 Elevated tools not configured\n"]
-[4.835, "o", "  \u2713 Filesystem restricted to workspace\n"]
-[4.847, "o", "  \u2713 apply_patch restricted to workspace\n"]
-[4.859, "o", "  \u2713 Browser SSRF to private networks blocked\n"]
-[4.871, "o", "  \u2713 Plugin allowlist configured\n"]
-[4.883, "o", "  \u2713 Log redaction enabled\n"]
-[4.895, "o", "  \u2713 OpenClaw 2026.2.26 (up to date)\n"]
-[4.907, "o", "  \u2713 Webhooks cannot control session routing\n"]
-[4.919, "o", "  \u2713 No webhook token configured\n"]
-[4.931, "o", "  \u2713 All channel allowFrom settings are restricted\n"]
-[4.943, "o", "  \u2713 All credential date fields are within 90 days\n"]
-[4.955, "o", "  \u2713 All installed skills have explicit version pins\n"]
-[4.967, "o", "  \u2713 Workspace directory not found \u2014 git credential leak check skipped\n"]
-[4.979, "o", "  \u2713 ~/.openclaw/ directory permissions are secure (700)\n"]
-[4.991, "o", "\n"]
-[5.003, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[5.015, "o", "  3 issues found. Fix above to improve score.\n"]
-[5.027, "o", "  Run clawarmor scan to check installed skills.\n"]
-[5.039, "o", "  Run clawarmor trend to see score history.\n"]
-[5.051, "o", "  Continuous monitoring: github.com/pinzasai/clawarmor\n"]
-[5.063, "o", "\n"]
-[5.075, "o", "\n"]
-[5.087, "o", "  !  Config changed since last clean audit\n"]
-[5.099, "o", "     Size: 4751 \u2192 5295 bytes (+544)\n"]
-[5.111, "o", "     Lines: 186 \u2192 197 (+11)\n"]
-[5.123, "o", "     Hash: fda00bbb0ac793f7 \u2192 d757fa979eb98f41\n"]
-[5.135, "o", "     Baseline set: 2026-03-01\n"]
-[5.147, "o", "     Run clawarmor audit --accept-changes to update baseline\n"]
-[5.159, "o", ""]
-[8.171, "o", "$ "]
-[8.679, "o", "#"]
-[8.709, "o", " "]
-[8.739, "o", "S"]
-[8.769, "o", "t"]
-[8.799, "o", "e"]
-[8.829, "o", "p"]
-[8.859, "o", " "]
-[8.889, "o", "2"]
-[8.919, "o", ":"]
-[8.949, "o", " "]
-[8.979, "o", "S"]
-[9.009, "o", "e"]
-[9.039, "o", "e"]
-[9.069, "o", " "]
-[9.099, "o", "w"]
-[9.129, "o", "h"]
-[9.159, "o", "a"]
-[9.189, "o", "t"]
-[9.219, "o", " "]
-[9.249, "o", "C"]
-[9.279, "o", "l"]
-[9.309, "o", "a"]
-[9.339, "o", "w"]
-[9.369, "o", "A"]
-[9.399, "o", "r"]
-[9.429, "o", "m"]
-[9.459, "o", "o"]
-[9.489, "o", "r"]
-[9.519, "o", " "]
-[9.549, "o", "c"]
-[9.579, "o", "a"]
-[9.609, "o", "n"]
-[9.639, "o", " "]
-[9.669, "o", "f"]
-[9.699, "o", "i"]
-[9.729, "o", "x"]
-[9.759, "o", " "]
-[9.789, "o", "a"]
-[9.819, "o", "u"]
-[9.849, "o", "t"]
-[9.879, "o", "o"]
-[9.909, "o", "m"]
-[9.939, "o", "a"]
-[9.969, "o", "t"]
-[9.999, "o", "i"]
-[10.029, "o", "c"]
-[10.059, "o", "a"]
-[10.089, "o", "l"]
-[10.119, "o", "l"]
-[10.149, "o", "y"]
-[10.179, "o", "\n"]
-[10.279, "o", "$ "]
-[10.787, "o", "c"]
-[10.832, "o", "l"]
-[10.877, "o", "a"]
-[10.922, "o", "w"]
-[10.967, "o", "a"]
-[11.012, "o", "r"]
-[11.057, "o", "m"]
-[11.102, "o", "o"]
-[11.147, "o", "r"]
-[11.192, "o", " "]
-[11.237, "o", "h"]
-[11.282, "o", "a"]
-[11.327, "o", "r"]
-[11.372, "o", "d"]
-[11.417, "o", "e"]
-[11.462, "o", "n"]
-[11.507, "o", " "]
-[11.552, "o", "-"]
-[11.597, "o", "-"]
-[11.642, "o", "d"]
-[11.687, "o", "r"]
-[11.732, "o", "y"]
-[11.777, "o", "-"]
-[11.822, "o", "r"]
-[11.867, "o", "u"]
-[11.912, "o", "n"]
-[11.957, "o", "\n"]
-[12.157, "o", "\n"]
-[12.169, "o", "  \u2139  Config: local (~/.openclaw/openclaw.json)\n"]
-[12.181, "o", "     Probes: 127.0.0.1:18789 (local)\n"]
-[12.193, "o", "     Sends nothing. Source: github.com/pinzasai/clawarmor\n"]
-[12.205, "o", "\n"]
-[12.217, "o", "\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\n"]
-[12.229, "o", "\u2551              ClawArmor Harden  v2.0              \u2551\n"]
-[12.241, "o", "\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\n"]
-[12.253, "o", "\n"]
-[12.265, "o", "  Dry run \u2014 showing what would be fixed (no changes applied):\n"]
-[12.277, "o", "\n"]
-[12.289, "o", "  !  .env is readable by other users (permissions: 644)\n"]
-[12.301, "o", "     Fix: Set permissions to 600 (owner-only) on /Users/pinzas/.openclaw/.env\n"]
-[12.313, "o", "     Cmd: chmod 600 /Users/pinzas/.openclaw/.env\n"]
-[12.325, "o", "\n"]
-[12.337, "o", "  !  google-auth-setup.py is readable by other users (permissions: 644)\n"]
-[12.349, "o", "     Fix: Set permissions to 600 (owner-only) on /Users/pinzas/.openclaw/google-auth-setup.py\n"]
-[12.361, "o", "     Cmd: chmod 600 /Users/pinzas/.openclaw/google-auth-setup.py\n"]
-[12.373, "o", "\n"]
-[12.385, "o", "  !  update-check.json is readable by other users (permissions: 644)\n"]
-[12.397, "o", "     Fix: Set permissions to 600 (owner-only) on /Users/pinzas/.openclaw/update-check.json\n"]
-[12.409, "o", "     Cmd: chmod 600 /Users/pinzas/.openclaw/update-check.json\n"]
-[12.421, "o", "\n"]
-[12.433, "o", "  !  exec.ask is off \u2014 shell commands run without user confirmation\n"]
-[12.445, "o", "     Fix: Enable exec.ask so shell commands require confirmation\n"]
-[12.457, "o", "     Cmd: openclaw config set exec.ask always\n"]
-[12.469, "o", "     Note: Restart gateway after applying: openclaw gateway restart\n"]
-[12.481, "o", "\n"]
-[12.493, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[12.505, "o", "  4 fixes available.\n"]
-[12.517, "o", "  Run clawarmor harden to apply interactively.\n"]
-[12.529, "o", "  Run clawarmor harden --auto to apply all without prompts.\n"]
-[12.541, "o", "\n"]
-[12.553, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[12.565, "o", "  Manual follow-up required:\n"]
-[12.577, "o", "    \u2022 Rotate tokens older than 90 days (run: clawarmor log --tokens)\n"]
-[12.589, "o", "    \u2022 Review and rotate any compromised or exposed credentials\n"]
-[12.601, "o", "    \u2022 Enable agent sandbox isolation if Docker Desktop is available\n"]
-[12.613, "o", "\n"]
-[12.625, "o", ""]
-[15.637, "o", "$ "]
-[16.145, "o", "#"]
-[16.175, "o", " "]
-[16.205, "o", "S"]
-[16.235, "o", "t"]
-[16.265, "o", "e"]
-[16.295, "o", "p"]
-[16.325, "o", " "]
-[16.355, "o", "3"]
-[16.385, "o", ":"]
-[16.415, "o", " "]
-[16.445, "o", "F"]
-[16.475, "o", "i"]
-[16.505, "o", "x"]
-[16.535, "o", " "]
-[16.565, "o", "e"]
-[16.595, "o", "v"]
-[16.625, "o", "e"]
-[16.655, "o", "r"]
-[16.685, "o", "y"]
-[16.715, "o", "t"]
-[16.745, "o", "h"]
-[16.775, "o", "i"]
-[16.805, "o", "n"]
-[16.835, "o", "g"]
-[16.865, "o", " "]
-[16.895, "o", "a"]
-[16.925, "o", "u"]
-[16.955, "o", "t"]
-[16.985, "o", "o"]
-[17.015, "o", "m"]
-[17.045, "o", "a"]
-[17.075, "o", "t"]
-[17.105, "o", "i"]
-[17.135, "o", "c"]
-[17.165, "o", "a"]
-[17.195, "o", "l"]
-[17.225, "o", "l"]
-[17.255, "o", "y"]
-[17.285, "o", "\n"]
-[17.385, "o", "$ "]
-[17.893, "o", "c"]
-[17.938, "o", "l"]
-[17.983, "o", "a"]
-[18.028, "o", "w"]
-[18.073, "o", "a"]
-[18.118, "o", "r"]
-[18.163, "o", "m"]
-[18.208, "o", "o"]
-[18.253, "o", "r"]
-[18.298, "o", " "]
-[18.343, "o", "h"]
-[18.388, "o", "a"]
-[18.433, "o", "r"]
-[18.478, "o", "d"]
-[18.523, "o", "e"]
-[18.568, "o", "n"]
-[18.613, "o", " "]
-[18.658, "o", "-"]
-[18.703, "o", "-"]
-[18.748, "o", "a"]
-[18.793, "o", "u"]
-[18.838, "o", "t"]
-[18.883, "o", "o"]
-[18.928, "o", "\n"]
-[19.128, "o", "\n"]
-[19.14, "o", "  \u2139  Config: local (~/.openclaw/openclaw.json)\n"]
-[19.152, "o", "     Probes: 127.0.0.1:18789 (local)\n"]
-[19.164, "o", "     Sends nothing. Source: github.com/pinzasai/clawarmor\n"]
-[19.176, "o", "\n"]
-[19.188, "o", "\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\n"]
-[19.2, "o", "\u2551              ClawArmor Harden  v2.0              \u2551\n"]
-[19.212, "o", "\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\n"]
-[19.224, "o", "\n"]
-[19.236, "o", "  Auto mode \u2014 applying all safe fixes without confirmation\n"]
-[19.248, "o", "\n"]
-[19.26, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[19.272, "o", "  Problem:  .env is readable by other users (permissions: 644)\n"]
-[19.284, "o", "  Fix:      Set permissions to 600 (owner-only) on /Users/pinzas/.openclaw/.env\n"]
-[19.296, "o", "  Command: chmod 600 /Users/pinzas/.openclaw/.env\n"]
-[19.308, "o", "\n"]
-[19.32, "o", "  \u2713 Fixed\n"]
-[19.332, "o", "\n"]
-[19.344, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[19.356, "o", "  Problem:  google-auth-setup.py is readable by other users (permissions: 644)\n"]
-[19.368, "o", "  Fix:      Set permissions to 600 (owner-only) on /Users/pinzas/.openclaw/google-auth-setup.py\n"]
-[19.38, "o", "  Command: chmod 600 /Users/pinzas/.openclaw/google-auth-setup.py\n"]
-[19.392, "o", "\n"]
-[19.404, "o", "  \u2713 Fixed\n"]
-[19.416, "o", "\n"]
-[19.428, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[19.44, "o", "  Problem:  update-check.json is readable by other users (permissions: 644)\n"]
-[19.452, "o", "  Fix:      Set permissions to 600 (owner-only) on /Users/pinzas/.openclaw/update-check.json\n"]
-[19.464, "o", "  Command: chmod 600 /Users/pinzas/.openclaw/update-check.json\n"]
-[19.476, "o", "\n"]
-[19.488, "o", "  \u2713 Fixed\n"]
-[19.5, "o", "\n"]
-[19.512, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[19.524, "o", "  Problem:  exec.ask is off \u2014 shell commands run without user confirmation\n"]
-[19.536, "o", "  Fix:      Enable exec.ask so shell commands require confirmation\n"]
-[19.548, "o", "  Command: openclaw config set exec.ask always\n"]
-[19.56, "o", "\n"]
-[19.572, "o", "  \u2717 Failed: Command failed: openclaw config set exec.ask always\n"]
-[19.584, "o", "\n"]
-[19.596, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[19.608, "o", "\n"]
-[19.62, "o", "  Applied: 3  Skipped: 0  Failed: 1\n"]
-[19.632, "o", "\n"]
-[19.644, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[19.656, "o", "  Manual follow-up required:\n"]
-[19.668, "o", "    \u2022 Rotate tokens older than 90 days (run: clawarmor log --tokens)\n"]
-[19.68, "o", "    \u2022 Review and rotate any compromised or exposed credentials\n"]
-[19.692, "o", "    \u2022 Enable agent sandbox isolation if Docker Desktop is available\n"]
-[19.704, "o", "\n"]
-[19.716, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[19.728, "o", "  Re-running audit to measure impact...\n"]
-[19.74, "o", "\n"]
-[19.752, "o", "  Before: 45/100  Grade: D\n"]
-[19.764, "o", "  After:  70/100  Grade: C  +25\n"]
-[19.776, "o", "\n"]
-[19.788, "o", ""]
-[22.3, "o", "$ "]
-[22.808, "o", "#"]
-[22.838, "o", " "]
-[22.868, "o", "S"]
-[22.898, "o", "t"]
-[22.928, "o", "e"]
-[22.958, "o", "p"]
-[22.988, "o", " "]
-[23.018, "o", "4"]
-[23.048, "o", ":"]
-[23.078, "o", " "]
-[23.108, "o", "V"]
-[23.138, "o", "e"]
-[23.168, "o", "r"]
-[23.198, "o", "i"]
-[23.228, "o", "f"]
-[23.258, "o", "y"]
-[23.288, "o", " "]
-[23.318, "o", "\u2014"]
-[23.348, "o", " "]
-[23.378, "o", "r"]
-[23.408, "o", "e"]
-[23.438, "o", "-"]
-[23.468, "o", "a"]
-[23.498, "o", "u"]
-[23.528, "o", "d"]
-[23.558, "o", "i"]
-[23.588, "o", "t"]
-[23.618, "o", " "]
-[23.648, "o", "a"]
-[23.678, "o", "f"]
-[23.708, "o", "t"]
-[23.738, "o", "e"]
-[23.768, "o", "r"]
-[23.798, "o", " "]
-[23.828, "o", "h"]
-[23.858, "o", "a"]
-[23.888, "o", "r"]
-[23.918, "o", "d"]
-[23.948, "o", "e"]
-[23.978, "o", "n"]
-[24.008, "o", "i"]
-[24.038, "o", "n"]
-[24.068, "o", "g"]
-[24.098, "o", "\n"]
-[24.198, "o", "$ "]
-[24.706, "o", "c"]
-[24.751, "o", "l"]
-[24.796, "o", "a"]
-[24.841, "o", "w"]
-[24.886, "o", "a"]
-[24.931, "o", "r"]
-[24.976, "o", "m"]
-[25.021, "o", "o"]
-[25.066, "o", "r"]
-[25.111, "o", " "]
-[25.156, "o", "a"]
-[25.201, "o", "u"]
-[25.246, "o", "d"]
-[25.291, "o", "i"]
-[25.336, "o", "t"]
-[25.381, "o", "\n"]
-[25.581, "o", "\n"]
-[25.593, "o", "  \u2139  Config: local (~/.openclaw/openclaw.json)\n"]
-[25.605, "o", "     Probes: 127.0.0.1:18789 (local)\n"]
-[25.617, "o", "     Sends nothing. Source: github.com/pinzasai/clawarmor\n"]
-[25.629, "o", "\n"]
-[25.641, "o", "\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\n"]
-[25.653, "o", "\u2551         ClawArmor Audit  v2.0.0-alpha.1          \u2551\n"]
-[25.665, "o", "\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\n"]
-[25.677, "o", "\n"]
-[25.689, "o", "  Config:  /Users/pinzas/.openclaw/openclaw.json\n"]
-[25.701, "o", "  Scanned: Mar 1, 2026, 8:08 PM\n"]
-[25.713, "o", "\n"]
-[25.725, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[25.737, "o", "  LIVE GATEWAY PROBES  (connecting to 127.0.0.1:18789)\n"]
-[25.749, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[25.761, "o", "  \u2713 Gateway running on port 18789\n"]
-[25.773, "o", "  \u2713 Not reachable on network interfaces (probed live)\n"]
-[25.785, "o", "  \u2713 Authentication required (WebSocket probe confirmed)\n"]
-[25.797, "o", "  \u2713 /health endpoint does not leak sensitive data\n"]
-[25.809, "o", "  \u2713 CORS not open to arbitrary origins\n"]
-[25.821, "o", "\n"]
-[25.833, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[25.845, "o", "  Security Score: 70/100  \u2503  Grade: C\n"]
-[25.857, "o", "  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2591\u2591\u2591\u2591\u2591\u2591  70%\n"]
-[25.869, "o", "\n"]
-[25.881, "o", "  Verdict:  Your instance has HIGH-risk issues. Fix before going to production.\n"]
-[25.893, "o", "\n"]
-[25.905, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[25.917, "o", "  HIGH  (2 findings)\n"]
-[25.929, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[25.941, "o", "\n"]
-[25.953, "o", "  \u2717 Exec approval disabled \u2014 all shell commands run without confirmation\n"]
-[25.965, "o", "    tools.exec.ask=\"off\" means every shell command the agent triggers\n"]
-[25.977, "o", "    runs immediately with zero user approval. Any prompt injection or malicious\n"]
-[25.989, "o", "    skill can execute arbitrary commands on your system without you seeing them.\n"]
-[26.001, "o", "    Attack: attacker injects \"run rm -rf ~/important\" \u2014 it executes silently.\n"]
-[26.013, "o", "\n"]
-[26.025, "o", "    Fix: openclaw config set tools.exec.ask always\n"]
-[26.037, "o", "         # or, to allow a specific set without prompts:\n"]
-[26.049, "o", "         openctl config set tools.exec.ask on-miss\n"]
-[26.061, "o", "         openctl config set tools.exec.allowed '[\"git\",\"npm\",\"node\"]'\n"]
-[26.073, "o", "\n"]
-[26.085, "o", "  \u2717 API key patterns found in ~/.openclaw/ JSON files (3 files)\n"]
-[26.097, "o", "    The following JSON files in ~/.openclaw/ contain patterns matching API keys or secrets:\n"]
-[26.109, "o", "    \u2022 agent-accounts.json\n"]
-[26.121, "o", "    \u2022 exec-approvals.json\n"]
-[26.133, "o", "    \u2022 openclaw.json\n"]
-[26.145, "o", "    \n"]
-[26.157, "o", "    Note: Only key name patterns are detected \u2014 actual values are never read or stored.\n"]
-[26.169, "o", "    Credentials in the wrong files may be at risk if file permissions are too open.\n"]
-[26.181, "o", "\n"]
-[26.193, "o", "    Fix: Ensure all credential files use 0600 permissions:\n"]
-[26.205, "o", "           chmod 600 ~/.openclaw/*.json\n"]
-[26.217, "o", "         \n"]
-[26.229, "o", "         If credentials are in unexpected files, move them to agent-accounts.json.\n"]
-[26.241, "o", "\n"]
-[26.253, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[26.265, "o", "  PASSED  (35 checks)\n"]
-[26.277, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[26.289, "o", "  \u2713 Gateway bound to loopback only\n"]
-[26.301, "o", "  \u2713 Tailscale Funnel not enabled\n"]
-[26.313, "o", "  \u2713 Auth token is strong\n"]
-[26.325, "o", "  \u2713 No dangerous flags enabled\n"]
-[26.337, "o", "  \u2713 mDNS mode: \"minimal\" (not leaking sensitive data)\n"]
-[26.349, "o", "  \u2713 Real-IP fallback disabled\n"]
-[26.361, "o", "  \u2713 Gateway is loopback-only \u2014 trustedProxies not needed\n"]
-[26.373, "o", "  \u2713 Trust model appropriate for current channel configuration\n"]
-[26.385, "o", "  \u2713 ~/.openclaw/ is owner-only (700)\n"]
-[26.397, "o", "  \u2713 openclaw.json is owner-only (600)\n"]
-[26.409, "o", "  \u2713 agent-accounts.json is owner-only (600)\n"]
-[26.421, "o", "  \u2713 credentials/ directory is locked down\n"]
-[26.433, "o", "  \u2713 Session transcripts are private\n"]
-[26.445, "o", "  \u2713 Telegram DM policy: \"pairing\" (restricted)\n"]
-[26.457, "o", "  \u2713 All group policies use allowlist\n"]
-[26.469, "o", "  \u2713 No open groups with elevated tools (safe)\n"]
-[26.481, "o", "  \u2713 DM sessions are isolated per user\n"]
-[26.493, "o", "  \u2713 Agent sandbox mode: \"all\" (sessions isolated)\n"]
-[26.505, "o", "  \u2713 exec sandbox configuration is consistent\n"]
-[26.517, "o", "  \u2713 Thinking stream not leaking reasoning\n"]
-[26.529, "o", "  \u2713 Elevated tools not configured\n"]
-[26.541, "o", "  \u2713 Filesystem restricted to workspace\n"]
-[26.553, "o", "  \u2713 apply_patch restricted to workspace\n"]
-[26.565, "o", "  \u2713 Browser SSRF to private networks blocked\n"]
-[26.577, "o", "  \u2713 Plugin allowlist configured\n"]
-[26.589, "o", "  \u2713 Log redaction enabled\n"]
-[26.601, "o", "  \u2713 OpenClaw 2026.2.26 (up to date)\n"]
-[26.613, "o", "  \u2713 Webhooks cannot control session routing\n"]
-[26.625, "o", "  \u2713 No webhook token configured\n"]
-[26.637, "o", "  \u2713 All channel allowFrom settings are restricted\n"]
-[26.649, "o", "  \u2713 All credential date fields are within 90 days\n"]
-[26.661, "o", "  \u2713 All installed skills have explicit version pins\n"]
-[26.673, "o", "  \u2713 Workspace directory not found \u2014 git credential leak check skipped\n"]
-[26.685, "o", "  \u2713 ~/.openclaw/ directory permissions are secure (700)\n"]
-[26.697, "o", "  \u2713 Credential file permissions are secure (all \u2264 0600)\n"]
-[26.709, "o", "\n"]
-[26.721, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[26.733, "o", "  2 issues found. Fix above to improve score.\n"]
-[26.745, "o", "  Run clawarmor scan to check installed skills.\n"]
-[26.757, "o", "  Run clawarmor trend to see score history.\n"]
-[26.769, "o", "  Continuous monitoring: github.com/pinzasai/clawarmor\n"]
-[26.781, "o", "\n"]
-[26.793, "o", "\n"]
-[26.805, "o", "  !  Config changed since last clean audit\n"]
-[26.817, "o", "     Size: 4751 \u2192 5295 bytes (+544)\n"]
-[26.829, "o", "     Lines: 186 \u2192 197 (+11)\n"]
-[26.841, "o", "     Hash: fda00bbb0ac793f7 \u2192 d757fa979eb98f41\n"]
-[26.853, "o", "     Baseline set: 2026-03-01\n"]
-[26.865, "o", "     Run clawarmor audit --accept-changes to update baseline\n"]
-[26.877, "o", ""]
-[29.889, "o", "$ "]
-[30.397, "o", "#"]
-[30.427, "o", " "]
-[30.457, "o", "B"]
-[30.487, "o", "o"]
-[30.517, "o", "n"]
-[30.547, "o", "u"]
-[30.577, "o", "s"]
-[30.607, "o", ":"]
-[30.637, "o", " "]
-[30.667, "o", "F"]
-[30.697, "o", "u"]
-[30.727, "o", "l"]
-[30.757, "o", "l"]
-[30.787, "o", " "]
-[30.817, "o", "s"]
-[30.847, "o", "e"]
-[30.877, "o", "c"]
-[30.907, "o", "u"]
-[30.937, "o", "r"]
-[30.967, "o", "i"]
-[30.997, "o", "t"]
-[31.027, "o", "y"]
-[31.057, "o", " "]
-[31.087, "o", "d"]
-[31.117, "o", "a"]
-[31.147, "o", "s"]
-[31.177, "o", "h"]
-[31.207, "o", "b"]
-[31.237, "o", "o"]
-[31.267, "o", "a"]
-[31.297, "o", "r"]
-[31.327, "o", "d"]
-[31.357, "o", "\n"]
-[31.457, "o", "$ "]
-[31.965, "o", "c"]
-[32.01, "o", "l"]
-[32.055, "o", "a"]
-[32.1, "o", "w"]
-[32.145, "o", "a"]
-[32.19, "o", "r"]
-[32.235, "o", "m"]
-[32.28, "o", "o"]
-[32.325, "o", "r"]
-[32.37, "o", " "]
-[32.415, "o", "s"]
-[32.46, "o", "t"]
-[32.505, "o", "a"]
-[32.55, "o", "t"]
-[32.595, "o", "u"]
-[32.64, "o", "s"]
-[32.685, "o", "\n"]
-[32.885, "o", "\n"]
-[32.897, "o", "  \u2139  Config: local (~/.openclaw/openclaw.json)\n"]
-[32.909, "o", "     Probes: 127.0.0.1:18789 (local)\n"]
-[32.921, "o", "     Sends nothing. Source: github.com/pinzasai/clawarmor\n"]
-[32.933, "o", "\n"]
-[32.945, "o", "  ClawArmor v2.0.0 \u2014 Security Status\n"]
-[32.957, "o", "\n"]
-[32.969, "o", "  Posture       D 50/100   \u2014\n"]
-[32.981, "o", "  Last audit    0s ago  (manual)\n"]
-[32.993, "o", "  Watcher       \u25cf running (PID 16371)\n"]
-[33.005, "o", "  Intercept     \u2713 active (~/.zshrc)\n"]
-[33.017, "o", "  Audit log     36 events  (clawarmor log to view)\n"]
-[33.029, "o", "\n"]
-[33.041, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[33.053, "o", "  Skills        0 installed  (clawarmor scan to check)\n"]
-[33.065, "o", "  Config        No baseline yet \u2014 run: clawarmor audit\n"]
-[33.077, "o", "  Credentials   6 tokens, oldest: 1d \u2713\n"]
-[33.089, "o", "\n"]
-[33.101, "o", "\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"]
-[33.113, "o", "  Next digest   not scheduled  (run: clawarmor protect --install)\n"]
-[33.125, "o", "\n"]
-[33.137, "o", "  Full protection: [\u2713 YES]\n"]
-[33.149, "o", "\n"]
-[33.161, "o", ""]
-[36.173, "o", "$ "]

package/demo.gif DELETED Viewed

Binary file