clawhub-guard 1.0.0 → 1.1.0

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "clawhub-guard",
-  "version": "1.0.0",
-  "description": "Pre-install security scanner for ClawHub skills — scan before you install, never trust blindly.",
+  "version": "1.1.0",
+  "description": "Pre-install security scanner for ClawHub skills — scan, audit, watch, and block risky installs.",
   "main": "src/cli.js",
   "bin": {
-    "clawhub-guard": "./bin/clawhub-guard.js"
+    "clawhub-guard": "./src/cli.js"
   },
   "scripts": {
     "test": "node src/cli.js scan --help"

package/src/cli.js

@@ -1,32 +1,46 @@
 #!/usr/bin/env node
-// src/cli.js — Main CLI for clawhub-guard
+// src/cli.js — Main CLI for clawhub-guard v1.1.0
 
-const { scanLocal, getSkillInstallPath, isSkillInstalled } = require('./scan.js');
+const { 
+  scanLocal, scanUrl, auditAll, printAuditReport, saveReport,
+  getSkillInstallPath, isSkillInstalled 
+} = require('./scan.js');
 const { installSkill } = require('./install.js');
+const { printScanReport } = require('./report.js');
+const path = require('node:path');
+const fs = require('node:fs');
+const os = require('node:os');
 
 const args = process.argv.slice(2);
 const command = args[0];
 
 function usage() {
   console.log(`
-🛡️  clawhub-guard — Pre-install security scanner for ClawHub skills
+🛡️  clawhub-guard v1.1.0 — Pre-install security scanner for ClawHub skills
 
-Usage:
-  clawhub-guard install <skill-name>     Scan + install a ClawHub skill
-  clawhub-guard scan <skill-name>        Scan an installed ClawHub skill
-  clawhub-guard scan --local <path>      Scan a local skill directory
-  clawhub-guard --help                   Show this help
+Commands:
+  install <name>         Scan + install a ClawHub skill
+  scan <name>            Scan an installed skill (fuzzy name match)
+  scan --local <path>    Scan a local directory
+  scan --url <github>    Scan a GitHub repo (clones to temp, scans, cleans)
+  audit                  Audit ALL installed skills with summary table
+  watch                  Watch skills dir and auto-scan new installs
+  history                Show scan report history
 
 Options:
   --threshold <0-100>    Minimum score to pass (default: 70)
+  --fail-under <score>   CI mode: exit 1 if score below this
   --force                Skip security scan and install anyway
   --json                 Output scan result as JSON
+  --no-log               Skip saving to scan history
 
 Examples:
   clawhub-guard install summarize
-  clawhub-guard scan --local ./my-skill/
-  clawhub-guard install database-query --threshold 80
-  clawhub-guard scan skill-vetter --json
+  clawhub-guard scan --url https://github.com/user/skill-repo
+  clawhub-guard audit
+  clawhub-guard audit --fail-under 80
+  clawhub-guard watch
+  clawhub-guard history
 `);
 }
 
@@ -40,18 +54,31 @@ const options = {
   threshold: 70,
   force: false,
   json: false,
+  local: false,
+  url: false,
+  log: true,
+  failUnder: null,
 };
 for (let i = 0; i < args.length; i++) {
   if (args[i] === '--threshold' && args[i + 1]) {
     options.threshold = parseInt(args[i + 1], 10);
     i++;
   }
+  if (args[i] === '--fail-under' && args[i + 1]) {
+    options.failUnder = parseInt(args[i + 1], 10);
+    options.threshold = options.failUnder;
+    i++;
+  }
   if (args[i] === '--force') options.force = true;
   if (args[i] === '--json') options.json = true;
   if (args[i] === '--local') options.local = true;
+  if (args[i] === '--url') options.url = true;
+  if (args[i] === '--no-log') options.log = false;
 }
 
 switch (command) {
+
+  // ─── INSTALL ─────────────────────────────────────
   case 'install': {
     const skillName = args[1];
     if (!skillName) {
@@ -59,72 +86,209 @@ switch (command) {
       process.exit(1);
     }
     const result = installSkill(skillName, options);
+    if (options.log && result.scanResult) {
+      saveReport(result.scanResult, `install ${skillName}`);
+    }
     process.exit(result.success ? 0 : 1);
   }
 
+  // ─── SCAN ────────────────────────────────────────
   case 'scan': {
     let target = args[1];
-    if (!target && !options.local) {
-      console.error('❌ Error: skill name or --local <path> required.');
-      process.exit(1);
+
+    // --url mode
+    if (options.url) {
+      target = args.find((a, i) => args[i - 1] === '--url') || args[2] || target;
+      if (!target) {
+        console.error('❌ Error: URL required with --url flag.');
+        process.exit(1);
+      }
+      const result = scanUrl(target, options);
+      if (options.log) saveReport(result, `scan --url ${target}`);
+      if (options.json) {
+        console.log(JSON.stringify(result, null, 2));
+      } else {
+        printScanReport(result);
+      }
+      process.exit(result.passed ? 0 : 1);
     }
 
-    // --local mode: scan a directory
+    // --local mode
     if (options.local) {
       target = args.find((a, i) => args[i - 1] === '--local') || args[2];
       if (!target) {
-        // If --local was passed as the target itself (e.g., scan --local ./path)
-        target = args[1];
+        console.error('❌ Error: path required with --local flag.');
+        process.exit(1);
       }
+      const result = scanLocal(target, options);
+      if (options.log) saveReport(result, `scan --local ${target}`);
+      if (options.json) {
+        console.log(JSON.stringify(result, null, 2));
+      } else {
+        printScanReport(result);
+      }
+      process.exit(result.passed ? 0 : 1);
     }
 
-    const fs = require('node:fs');
-    const path = require('node:path');
-    const os = require('node:os');
+    // Skill name mode (default)
+    if (!target) {
+      console.error('❌ Error: skill name, --local <path>, or --url <url> required.');
+      process.exit(1);
+    }
 
     let scanTarget;
-    if (options.local || target.includes('/') || target.includes('\\')) {
+    if (target.includes('http://') || target.includes('https://')) {
+      // Auto-detect URL
+      scanTarget = target;
+      const result = scanUrl(scanTarget, options);
+      if (options.log) saveReport(result, `scan --url ${target}`);
+      if (options.json) console.log(JSON.stringify(result, null, 2));
+      else printScanReport(result);
+      process.exit(result.passed ? 0 : 1);
+    }
+
+    if (target.includes('/') || target.includes('\\')) {
       scanTarget = target;
     } else {
       scanTarget = getSkillInstallPath(target);
       if (!isSkillInstalled(target)) {
-        // Try fuzzy match
+        // Fuzzy match
         const workspace = process.env.OPENCLAW_WORKSPACE_DIR ||
           path.join(os.homedir(), '.openclaw', 'workspace');
         const skillsDir = path.join(workspace, 'skills');
         let installedList = [];
         if (fs.existsSync(skillsDir)) {
           installedList = fs.readdirSync(skillsDir, { withFileTypes: true })
-            .filter(d => d.isDirectory())
-            .map(d => d.name);
-          // Normalize names (strip hyphens, underscores) for fuzzy matching
+            .filter(d => d.isDirectory()).map(d => d.name);
           const normalize = s => s.toLowerCase().replace(/[-_]/g, '');
           const normTarget = normalize(target);
           const match = installedList.find(e =>
             normalize(e).includes(normTarget) || normTarget.includes(normalize(e))
           );
-          if (match) {
-            scanTarget = getSkillInstallPath(match);
-          }
+          if (match) scanTarget = getSkillInstallPath(match);
         }
         if (!scanTarget) {
           console.error(`❌ Skill '${target}' not installed.`);
-          console.error(`   Installed skills: ${installedList.join(', ') || 'none'}`);
+          console.error(`   Installed: ${installedList.join(', ') || 'none'}`);
           process.exit(1);
         }
       }
     }
 
     const result = scanLocal(scanTarget, options);
+    if (options.log) saveReport(result, `scan ${target}`);
     if (options.json) {
       console.log(JSON.stringify(result, null, 2));
     } else {
-      const { printScanReport } = require('./install.js');
       printScanReport(result);
     }
     process.exit(result.passed ? 0 : 1);
   }
 
+  // ─── AUDIT ───────────────────────────────────────
+  case 'audit': {
+    const result = auditAll(options);
+    if (options.json) {
+      console.log(JSON.stringify(result, null, 2));
+    } else {
+      printAuditReport(result, options);
+    }
+    if (options.log && result.summary) {
+      saveReport({ score: result.summary.avgScore, verdict: 'AUDIT', target: 'all', 
+                   findings: result.skills.flatMap(s => s.findings), summary: result.summary,
+                   passed: result.summary.blocked === 0 }, 'audit');
+    }
+    const exitCode = (options.failUnder && result.summary.avgScore < options.failUnder) ? 1 : 0;
+    process.exit(exitCode);
+  }
+
+  // ─── WATCH ───────────────────────────────────────
+  case 'watch': {
+    console.log('👀 Watching skills directory for changes...\n');
+    console.log('   New skill installs will be auto-scanned.\n');
+    console.log('   Press Ctrl+C to stop.\n');
+
+    const workspace = process.env.OPENCLAW_WORKSPACE_DIR ||
+      path.join(os.homedir(), '.openclaw', 'workspace');
+    const skillsDir = path.join(workspace, 'skills');
+    
+    let knownSkills = new Set();
+    if (fs.existsSync(skillsDir)) {
+      fs.readdirSync(skillsDir, { withFileTypes: true })
+        .filter(d => d.isDirectory())
+        .forEach(d => knownSkills.add(d.name));
+    }
+
+    const interval = setInterval(() => {
+      if (!fs.existsSync(skillsDir)) return;
+      const current = fs.readdirSync(skillsDir, { withFileTypes: true })
+        .filter(d => d.isDirectory())
+        .map(d => d.name);
+      
+      for (const skill of current) {
+        if (!knownSkills.has(skill)) {
+          knownSkills.add(skill);
+          const skillPath = path.join(skillsDir, skill);
+          console.log(`\n🔔 New skill detected: ${skill}`);
+          console.log(`🔍 Auto-scanning...\n`);
+          
+          const result = scanLocal(skillPath, options);
+          printScanReport(result);
+          
+          if (options.log) saveReport(result, `watch:${skill}`);
+          
+          if (!result.passed && result.verdict === 'BLOCK') {
+            console.log(`❌ AUTO-BLOCKED: ${skill} (${result.score}/100)`);
+            console.log(`   Run: openclaw skills uninstall ${skill}\n`);
+          }
+        }
+      }
+    }, 3000); // Poll every 3 seconds
+
+    process.on('SIGINT', () => { clearInterval(interval); process.exit(0); });
+    process.on('SIGTERM', () => { clearInterval(interval); process.exit(0); });
+    
+    // Keep alive
+    setInterval(() => {}, 60000);
+    break;
+  }
+
+  // ─── HISTORY ─────────────────────────────────────
+  case 'history': {
+    const logFile = path.join(os.homedir(), '.clawhub-guard', 'scan-history.jsonl');
+    if (!fs.existsSync(logFile)) {
+      console.log('📭 No scan history yet. Run some scans first!');
+      process.exit(0);
+    }
+
+    const lines = fs.readFileSync(logFile, 'utf-8').trim().split('\n').filter(Boolean);
+    const entries = lines.map(l => JSON.parse(l));
+
+    if (options.json) {
+      console.log(JSON.stringify(entries, null, 2));
+      process.exit(0);
+    }
+
+    console.log(`\n${'═'.repeat(70)}`);
+    console.log(`  SCAN HISTORY — clawhub-guard (${entries.length} entries)`);
+    console.log(`${'═'.repeat(70)}`);
+    console.log(`  ${'DATE'.padEnd(22)} ${'COMMAND'.padEnd(24)} ${'SCORE'.padEnd(8)} ${'VERDICT'.padEnd(8)} TARGET`);
+    console.log(`  ${'─'.repeat(68)}`);
+
+    for (const e of entries.slice(-20)) {
+      const date = new Date(e.timestamp).toLocaleString('zh-TW', { 
+        month: '2-digit', day: '2-digit', hour: '2-digit', minute: '2-digit' 
+      });
+      const icon = e.verdict === 'PASS' ? '✅' : e.verdict === 'WARN' ? '⚠️' : 
+                   e.verdict === 'BLOCK' ? '❌' : '📊';
+      const target = (e.target || '').split('/').slice(-1)[0] || e.target || '';
+      console.log(`  ${date.padEnd(22)} ${e.command.padEnd(24)} ${String(e.score).padEnd(8)} ${icon} ${String(e.verdict).padEnd(6)} ${target}`);
+    }
+    console.log(`${'═'.repeat(70)}\n`);
+    process.exit(0);
+  }
+
+  // ─── DEFAULT ─────────────────────────────────────
   default:
     console.error(`❌ Unknown command: ${command}`);
     usage();

package/src/install.js

@@ -1,26 +1,22 @@
 // src/install.js — Install logic with pre-scan guard
 
 const { execSync } = require('node:child_process');
-const { scanLocal, isSkillInstalled } = require('./scan.js');
+const path = require('node:path');
+const fs = require('node:fs');
+const os = require('node:os');
+const { scanLocal } = require('./scan.js');
+const { printScanReport } = require('./report.js');
 
 /**
  * Install a ClawHub skill with pre-scan security check
- * @param {string} skillName - Name of the ClawHub skill
- * @param {object} options
- * @param {number} options.threshold - Minimum security score (default 70)
- * @param {boolean} options.force - Skip scan and install anyway
- * @returns {object} Install result
  */
 function installSkill(skillName, options = {}) {
   const threshold = options.threshold ?? 70;
 
-  // Step 0: Force mode — skip scan
   if (options.force) {
     return doInstall(skillName);
   }
 
-  // Step 1: Can't pre-scan before download, so install first →
-  // scan the installed copy, then warn
   console.log(`\n📦 Installing ${skillName} for pre-scan...\n`);
   
   let installResult = doInstall(skillName);
@@ -28,17 +24,13 @@ function installSkill(skillName, options = {}) {
     return installResult;
   }
 
-  // Step 2: Scan the just-installed skill
   console.log(`\n🔍 Running security scan on ${skillName}...\n`);
   
   const scanResult = scanLocal(installResult.installPath, { threshold });
-
-  // Step 3: Print report
   printScanReport(scanResult);
 
-  // Step 4: If unsafe, offer to uninstall
   if (!scanResult.passed) {
-    console.log(`\n⚠️  RISK THRESHOLD NOT MET (${scanResult.score}/100, need ${threshold})`);
+    console.log(`⚠️  RISK THRESHOLD NOT MET (${scanResult.score}/100, need ${threshold})`);
     console.log(`   Verdict: ${scanResult.verdict}`);
     
     if (scanResult.verdict === 'BLOCK') {
@@ -49,31 +41,21 @@ function installSkill(skillName, options = {}) {
           stdio: 'pipe' 
         });
       } catch {
-        // Manual cleanup
-        const fs = require('node:fs');
-        const path = require('node:path');
-        const skillPath = installResult.installPath;
-        if (fs.existsSync(skillPath)) {
-          fs.rmSync(skillPath, { recursive: true, force: true });
+        if (fs.existsSync(installResult.installPath)) {
+          fs.rmSync(installResult.installPath, { recursive: true, force: true });
         }
       }
-      console.log(`💡 Tip: Review the findings above. Use --force to install anyway.\n`);
+      console.log(`💡 Tip: Review the findings. Use --force to install anyway.\n`);
       return { success: false, blocked: true, scanResult, installResult };
     }
     
-    if (scanResult.verdict === 'WARN') {
-      console.log(`⚠️  Installed with warnings — review the findings above.\n`);
-    }
+    console.log(`⚠️  Installed with warnings — review the findings above.\n`);
   }
 
   return { success: true, blocked: false, scanResult, installResult };
 }
 
 function doInstall(skillName) {
-  const path = require('node:path');
-  const fs = require('node:fs');
-  const os = require('node:os');
-
   try {
     const output = execSync(`openclaw.cmd skills install ${skillName}`, {
       encoding: 'utf-8',
@@ -82,8 +64,7 @@ function doInstall(skillName) {
     });
     console.log(output);
 
-    // Determine install path
-    const workspace = process.env.OPENCLAW_WORKSPACE_DIR || 
+    const workspace = process.env.OPENCLAW_WORKSPACE_DIR ||
       path.join(os.homedir(), '.openclaw', 'workspace');
     const installPath = path.join(workspace, 'skills', skillName);
 
@@ -95,39 +76,4 @@ function doInstall(skillName) {
   }
 }
 
-function printScanReport(result) {
-  console.log(`\n${'═'.repeat(55)}`);
-  console.log(`  SECURITY SCAN REPORT — clawhub-guard`);
-  console.log(`${'═'.repeat(55)}`);
-  console.log(`  Target:     ${result.target || 'N/A'}`);
-  console.log(`  Score:      ${result.score}/100`);
-  console.log(`  Threshold:  ${result.threshold}/100`);
-  console.log(`  Verdict:    ${result.passed ? '✅ PASS' : result.verdict === 'BLOCK' ? '❌ BLOCK' : '⚠️  WARN'}`);
-  console.log(`  Engines:    ${result.availableEngines}/${result.totalEngines} available`);
-  console.log(`  Findings:   ${(result.findings || []).length}`);
-  console.log(`${'─'.repeat(55)}`);
-
-  if (result.findings && result.findings.length > 0) {
-    const bySeverity = {};
-    for (const f of result.findings) {
-      bySeverity[f.severity] = (bySeverity[f.severity] || 0) + 1;
-    }
-    for (const [sev, count] of Object.entries(bySeverity)) {
-      const icon = sev === 'critical' ? '🔴' : sev === 'high' ? '🟠' : sev === 'medium' ? '🟡' : '⚪';
-      console.log(`    ${icon} ${sev}: ${count}`);
-    }
-    console.log(`${'─'.repeat(55)}`);
-    for (const f of (result.findings || []).slice(0, 5)) {
-      console.log(`  • [${f.severity}] ${f.rule}: ${f.message}`);
-    }
-    if (result.findings.length > 5) {
-      console.log(`  • ... and ${result.findings.length - 5} more`);
-    }
-  } else {
-    console.log(`  ✅ No findings — clean!`);
-  }
-
-  console.log(`${'═'.repeat(55)}\n`);
-}
-
-module.exports = { installSkill, printScanReport };
+module.exports = { installSkill, doInstall, printScanReport };

package/src/report.js

@@ -0,0 +1,54 @@
+// src/report.js — Report formatting for clawhub-guard
+
+/**
+ * Print formatted scan report for a single skill
+ */
+function printScanReport(result) {
+  console.log(`\n${'═'.repeat(55)}`);
+  console.log(`  SECURITY SCAN REPORT — clawhub-guard`);
+  console.log(`${'═'.repeat(55)}`);
+  console.log(`  Target:     ${result.target || result.sourceUrl || 'N/A'}`);
+  console.log(`  Score:      ${result.score}/100`);
+  console.log(`  Threshold:  ${result.threshold}/100`);
+  
+  const verdictIcon = result.passed ? '✅ PASS' : 
+    result.verdict === 'BLOCK' ? '❌ BLOCK' : '⚠️  WARN';
+  console.log(`  Verdict:    ${verdictIcon}`);
+  console.log(`  Engines:    ${result.availableEngines}/${result.totalEngines} available`);
+  console.log(`  Findings:   ${(result.findings || []).length}`);
+  console.log(`${'─'.repeat(55)}`);
+
+  if (result.findings && result.findings.length > 0) {
+    const bySeverity = {};
+    for (const f of result.findings) {
+      bySeverity[f.severity] = (bySeverity[f.severity] || 0) + 1;
+    }
+    for (const [sev, count] of Object.entries(bySeverity)) {
+      const icon = sev === 'critical' ? '🔴' : sev === 'high' ? '🟠' : 
+                   sev === 'medium' ? '🟡' : '⚪';
+      console.log(`    ${icon} ${sev}: ${count}`);
+    }
+    console.log(`${'─'.repeat(55)}`);
+    for (const f of (result.findings || []).slice(0, 8)) {
+      console.log(`  • [${f.severity}] ${f.rule}: ${f.message}`);
+    }
+    if (result.findings.length > 8) {
+      console.log(`  • ... and ${result.findings.length - 8} more`);
+    }
+  } else {
+    console.log(`  ✅ No findings — clean!`);
+  }
+
+  console.log(`${'═'.repeat(55)}\n`);
+}
+
+/**
+ * Print a section header
+ */
+function header(text) {
+  console.log(`\n${'─'.repeat(50)}`);
+  console.log(`  ${text}`);
+  console.log(`${'─'.repeat(50)}\n`);
+}
+
+module.exports = { printScanReport, header };

package/src/scan.js

@@ -7,14 +7,10 @@ const os = require('node:os');
 
 /**
  * Scan a local directory for security issues using agent-shield
- * @param {string} targetPath - Path to the skill directory
- * @param {object} options
- * @param {number} options.threshold - Minimum score to pass (0-100)
- * @returns {object} Scan result with score, findings, and verdict
  */
 function scanLocal(targetPath, options = {}) {
   const threshold = options.threshold ?? 70;
-  
+
   if (!fs.existsSync(targetPath)) {
     return {
       success: false,
@@ -36,20 +32,16 @@ function scanLocal(targetPath, options = {}) {
       }
     );
   } catch (err) {
-    // agent-shield exits non-zero if findings exist — still parse output
     stdout = err.stdout || err.stderr || '';
   }
 
-  // Try to extract JSON from agent-shield output (it may have noise)
   let result;
   try {
     const jsonStart = stdout.indexOf('{');
     if (jsonStart >= 0) {
       result = JSON.parse(stdout.slice(jsonStart));
     }
-  } catch {
-    // Fallback: parse manually
-  }
+  } catch { /* fall through */ }
 
   if (!result) {
     return {
@@ -61,7 +53,6 @@ function scanLocal(targetPath, options = {}) {
     };
   }
 
-  // Calculate score based on findings
   const allFindings = result.allFindings || [];
   const severityScores = { critical: 40, high: 25, medium: 10, low: 3 };
   let penalty = 0;
@@ -85,20 +76,172 @@ function scanLocal(targetPath, options = {}) {
 }
 
 /**
- * Determine ClawHub skill install directory
+ * Scan a GitHub URL by cloning to temp and scanning
  */
-function getSkillInstallPath(skillName) {
-  const workspace = process.env.OPENCLAW_WORKSPACE_DIR || 
+function scanUrl(url, options = {}) {
+  const tempDir = path.join(os.tmpdir(), `clawhub-guard-${Date.now()}`);
+  
+  try {
+    fs.mkdirSync(tempDir, { recursive: true });
+    
+    console.log(`\n📥 Cloning ${url}...\n`);
+    execSync(`git clone --depth 1 "${url}" "${tempDir}"`, {
+      encoding: 'utf-8',
+      timeout: 30000,
+      stdio: 'pipe',
+    });
+
+    console.log(`🔍 Scanning...\n`);
+    const result = scanLocal(tempDir, options);
+    result.sourceUrl = url;
+    return result;
+  } catch (err) {
+    return {
+      success: false,
+      error: `Failed to clone/scan URL: ${err.stderr || err.message}`,
+      score: 0,
+      verdict: 'ERROR',
+      sourceUrl: url,
+    };
+  } finally {
+    // Cleanup temp dir
+    try { fs.rmSync(tempDir, { recursive: true, force: true }); } catch {}
+  }
+}
+
+/**
+ * Audit all installed skills - scan everything and produce summary
+ */
+function auditAll(options = {}) {
+  const workspace = process.env.OPENCLAW_WORKSPACE_DIR ||
     path.join(os.homedir(), '.openclaw', 'workspace');
-  return path.join(workspace, 'skills', skillName);
+  const skillsDir = path.join(workspace, 'skills');
+
+  if (!fs.existsSync(skillsDir)) {
+    console.log('📦 No skills installed yet.');
+    return { skills: [], summary: { total: 0, passed: 0, warned: 0, blocked: 0 } };
+  }
+
+  const entries = fs.readdirSync(skillsDir, { withFileTypes: true })
+    .filter(d => d.isDirectory())
+    .map(d => d.name);
+
+  console.log(`\n🔍 Auditing ${entries.length} installed skill(s)...\n`);
+
+  const results = [];
+  for (const skill of entries) {
+    const skillPath = path.join(skillsDir, skill);
+    process.stdout.write(`  Scanning ${skill}... `);
+    const result = scanLocal(skillPath, options);
+    
+    const icon = result.verdict === 'PASS' ? '✅' : 
+                 result.verdict === 'WARN' ? '⚠️' : '❌';
+    console.log(`${icon} ${result.score}/100`);
+    
+    results.push({
+      name: skill,
+      path: skillPath,
+      score: result.score,
+      verdict: result.verdict,
+      findingsCount: (result.findings || []).length,
+      findings: result.findings || [],
+    });
+  }
+
+  const summary = {
+    total: results.length,
+    passed: results.filter(r => r.verdict === 'PASS').length,
+    warned: results.filter(r => r.verdict === 'WARN').length,
+    blocked: results.filter(r => r.verdict === 'BLOCK').length,
+    avgScore: results.length > 0 
+      ? Math.round(results.reduce((s, r) => s + r.score, 0) / results.length) 
+      : 0,
+  };
+
+  return { skills: results, summary, timestamp: new Date().toISOString() };
+}
+
+/**
+ * Print audit summary as a formatted table
+ */
+function printAuditReport(auditResult, options = {}) {
+  const { skills, summary } = auditResult;
+
+  console.log(`\n${'═'.repeat(65)}`);
+  console.log(`  SKILL AUDIT SUMMARY — clawhub-guard`);
+  console.log(`${'═'.repeat(65)}`);
+  
+  if (skills.length === 0) {
+    console.log(`  No skills installed.\n`);
+    return;
+  }
+
+  // Table header
+  console.log(`  ${'SKILL'.padEnd(28)} ${'SCORE'.padEnd(8)} ${'VERDICT'.padEnd(8)} FINDINGS`);
+  console.log(`  ${'─'.repeat(60)}`);
+
+  for (const r of skills) {
+    const icon = r.verdict === 'PASS' ? '✅' : r.verdict === 'WARN' ? '⚠️' : '❌';
+    console.log(`  ${r.name.padEnd(28)} ${String(r.score).padEnd(8)} ${icon} ${String(r.verdict).padEnd(6)} ${r.findingsCount}`);
+  }
+
+  console.log(`  ${'─'.repeat(60)}`);
+  console.log(`  TOTAL: ${summary.total} | ✅ ${summary.passed} passed | ⚠️ ${summary.warned} warned | ❌ ${summary.blocked} blocked`);
+  console.log(`  Average score: ${summary.avgScore}/100`);
+  console.log(`${'═'.repeat(65)}\n`);
+
+  // Highlight risky skills
+  const risky = skills.filter(r => r.verdict !== 'PASS');
+  if (risky.length > 0) {
+    console.log(`⚠️  Skills needing attention:\n`);
+    for (const r of risky) {
+      console.log(`  ${r.name} (${r.score}/100):`);
+      for (const f of r.findings.slice(0, 3)) {
+        console.log(`    - [${f.severity}] ${f.rule}: ${f.message}`);
+      }
+    }
+    console.log('');
+  }
 }
 
 /**
- * Check if a skill is already installed locally
+ * Save scan report to log file
  */
+function saveReport(result, command) {
+  const stateDir = path.join(os.homedir(), '.clawhub-guard');
+  fs.mkdirSync(stateDir, { recursive: true });
+  
+  const logFile = path.join(stateDir, 'scan-history.jsonl');
+  const entry = {
+    timestamp: new Date().toISOString(),
+    command,
+    score: result.score,
+    verdict: result.verdict,
+    target: result.target || result.sourceUrl || 'unknown',
+    findingsCount: (result.findings || []).length,
+    summary: result.summary || null,
+  };
+  
+  fs.appendFileSync(logFile, JSON.stringify(entry) + '\n', 'utf-8');
+  return logFile;
+}
+
+function getSkillInstallPath(skillName) {
+  const workspace = process.env.OPENCLAW_WORKSPACE_DIR ||
+    path.join(os.homedir(), '.openclaw', 'workspace');
+  return path.join(workspace, 'skills', skillName);
+}
+
 function isSkillInstalled(skillName) {
-  const installPath = getSkillInstallPath(skillName);
-  return fs.existsSync(installPath);
+  return fs.existsSync(getSkillInstallPath(skillName));
 }
 
-module.exports = { scanLocal, getSkillInstallPath, isSkillInstalled };
+module.exports = { 
+  scanLocal, 
+  scanUrl, 
+  auditAll, 
+  printAuditReport, 
+  saveReport,
+  getSkillInstallPath, 
+  isSkillInstalled 
+};