clawvet 0.2.3 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/LICENSE +21 -21
  2. package/README.md +86 -86
  3. package/dist/index.js +365 -81
  4. package/dist/index.js.map +1 -1
  5. package/package.json +57 -57
package/LICENSE CHANGED
@@ -1,21 +1,21 @@
1
- MIT License
2
-
3
- Copyright (c) 2026 ClawVet Contributors
4
-
5
- Permission is hereby granted, free of charge, to any person obtaining a copy
6
- of this software and associated documentation files (the "Software"), to deal
7
- in the Software without restriction, including without limitation the rights
8
- to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
- copies of the Software, and to permit persons to whom the Software is
10
- furnished to do so, subject to the following conditions:
11
-
12
- The above copyright notice and this permission notice shall be included in all
13
- copies or substantial portions of the Software.
14
-
15
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
- IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
- FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
- AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
- LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
- OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
- SOFTWARE.
1
+ MIT License
2
+
3
+ Copyright (c) 2026 ClawVet Contributors
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
package/README.md CHANGED
@@ -1,86 +1,86 @@
1
- # clawvet
2
-
3
- **Skill vetting & supply chain security for OpenClaw.**
4
-
5
- ClawVet scans OpenClaw `SKILL.md` files for prompt injection, credential theft, remote code execution, typosquatting, and social engineering — before they reach your agent.
6
-
7
- ## Install
8
-
9
- ```bash
10
- npm install -g clawvet
11
- ```
12
-
13
- ## Usage
14
-
15
- ### Scan a local skill
16
-
17
- ```bash
18
- clawvet scan ./my-skill/
19
- clawvet scan ./my-skill/SKILL.md
20
- ```
21
-
22
- ### JSON output (for CI/CD)
23
-
24
- ```bash
25
- clawvet scan ./my-skill/ --format json
26
- ```
27
-
28
- ### Fail on severity threshold
29
-
30
- ```bash
31
- clawvet scan ./my-skill/ --fail-on high
32
- # exits 1 if any high or critical findings
33
- ```
34
-
35
- ### Fetch and scan from ClawHub
36
-
37
- ```bash
38
- clawvet scan weather-forecast --remote
39
- ```
40
-
41
- ### Audit all installed skills
42
-
43
- ```bash
44
- clawvet audit
45
- ```
46
-
47
- ### Watch for new skill installs
48
-
49
- ```bash
50
- clawvet watch --threshold 50
51
- ```
52
-
53
- ## What it detects
54
-
55
- ClawVet runs a 6-pass analysis on every skill:
56
-
57
- | Pass | What it checks |
58
- |------|---------------|
59
- | **Skill Parser** | Extracts YAML frontmatter, code blocks, URLs, IPs, domains |
60
- | **Static Analysis** | 54 regex patterns: RCE, reverse shells, credential theft, obfuscation, DNS exfil, privilege escalation |
61
- | **Metadata Validator** | Undeclared binaries, env vars, missing descriptions, invalid semver |
62
- | **Dependency Checker** | `npx -y` auto-install, global `npm install`, risky packages |
63
- | **Typosquat Detector** | Levenshtein distance against popular skills, suspicious naming patterns |
64
- | **Semantic Analysis** | AI-powered detection of social engineering & prompt injection (optional) |
65
-
66
- ## Risk Scoring
67
-
68
- | Score | Grade | Action |
69
- |-------|-------|--------|
70
- | 0-10 | A | Approve |
71
- | 11-25 | B | Approve |
72
- | 26-50 | C | Warn |
73
- | 51-75 | D | Warn |
74
- | 76-100 | F | Block |
75
-
76
- ## CI/CD Integration
77
-
78
- ```yaml
79
- # GitHub Actions example
80
- - name: Vet skill
81
- run: npx clawvet scan ./my-skill --format json --fail-on high
82
- ```
83
-
84
- ## License
85
-
86
- MIT
1
+ # clawvet
2
+
3
+ **Skill vetting & supply chain security for OpenClaw.**
4
+
5
+ ClawVet scans OpenClaw `SKILL.md` files for prompt injection, credential theft, remote code execution, typosquatting, and social engineering — before they reach your agent.
6
+
7
+ ## Install
8
+
9
+ ```bash
10
+ npm install -g clawvet
11
+ ```
12
+
13
+ ## Usage
14
+
15
+ ### Scan a local skill
16
+
17
+ ```bash
18
+ clawvet scan ./my-skill/
19
+ clawvet scan ./my-skill/SKILL.md
20
+ ```
21
+
22
+ ### JSON output (for CI/CD)
23
+
24
+ ```bash
25
+ clawvet scan ./my-skill/ --format json
26
+ ```
27
+
28
+ ### Fail on severity threshold
29
+
30
+ ```bash
31
+ clawvet scan ./my-skill/ --fail-on high
32
+ # exits 1 if any high or critical findings
33
+ ```
34
+
35
+ ### Fetch and scan from ClawHub
36
+
37
+ ```bash
38
+ clawvet scan weather-forecast --remote
39
+ ```
40
+
41
+ ### Audit all installed skills
42
+
43
+ ```bash
44
+ clawvet audit
45
+ ```
46
+
47
+ ### Watch for new skill installs
48
+
49
+ ```bash
50
+ clawvet watch --threshold 50
51
+ ```
52
+
53
+ ## What it detects
54
+
55
+ ClawVet runs a 6-pass analysis on every skill:
56
+
57
+ | Pass | What it checks |
58
+ |------|---------------|
59
+ | **Skill Parser** | Extracts YAML frontmatter, code blocks, URLs, IPs, domains |
60
+ | **Static Analysis** | 54 regex patterns: RCE, reverse shells, credential theft, obfuscation, DNS exfil, privilege escalation |
61
+ | **Metadata Validator** | Undeclared binaries, env vars, missing descriptions, invalid semver |
62
+ | **Dependency Checker** | `npx -y` auto-install, global `npm install`, risky packages |
63
+ | **Typosquat Detector** | Levenshtein distance against popular skills, suspicious naming patterns |
64
+ | **Semantic Analysis** | AI-powered detection of social engineering & prompt injection (optional) |
65
+
66
+ ## Risk Scoring
67
+
68
+ | Score | Grade | Action |
69
+ |-------|-------|--------|
70
+ | 0-10 | A | Approve |
71
+ | 11-25 | B | Approve |
72
+ | 26-50 | C | Warn |
73
+ | 51-75 | D | Warn |
74
+ | 76-100 | F | Block |
75
+
76
+ ## CI/CD Integration
77
+
78
+ ```yaml
79
+ # GitHub Actions example
80
+ - name: Vet skill
81
+ run: npx clawvet scan ./my-skill --format json --fail-on high
82
+ ```
83
+
84
+ ## License
85
+
86
+ MIT