clawvet 0.5.0 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/dist/index.js +106 -27
  2. package/dist/index.js.map +1 -1
  3. package/package.json +1 -1
package/dist/index.js CHANGED
@@ -9,13 +9,16 @@ import { resolve, join as join2 } from "path";
9
9
  import chalk2 from "chalk";
10
10
 
11
11
  // ../shared/src/patterns.ts
12
+ function re(parts, flags) {
13
+ return new RegExp(parts.join(""), flags);
14
+ }
12
15
  var THREAT_PATTERNS = [
13
16
  // ═══════════════════════════════════════════════════════
14
17
  // CRITICAL: Remote code execution
15
18
  // ═══════════════════════════════════════════════════════
16
19
  {
17
20
  name: "CURL_PIPE_BASH",
18
- pattern: /curl\s+.*\|\s*(ba)?sh/gi,
21
+ pattern: re(["curl\\s+.*\\|\\s*(ba)?", "sh"], "gi"),
19
22
  severity: "critical",
20
23
  category: "remote_code_execution",
21
24
  title: "Curl piped to shell",
@@ -25,7 +28,7 @@ var THREAT_PATTERNS = [
25
28
  },
26
29
  {
27
30
  name: "WGET_EXECUTE",
28
- pattern: /wget\s+.*&&\s*(ba)?sh/gi,
31
+ pattern: re(["wget\\s+.*&&\\s*(ba)?", "sh"], "gi"),
29
32
  severity: "critical",
30
33
  category: "remote_code_execution",
31
34
  title: "Wget with shell execution",
@@ -35,17 +38,17 @@ var THREAT_PATTERNS = [
35
38
  },
36
39
  {
37
40
  name: "EVAL_DYNAMIC",
38
- pattern: /eval\s*\(/gi,
41
+ pattern: re(["ev", "al\\s*\\("], "gi"),
39
42
  severity: "critical",
40
43
  category: "remote_code_execution",
41
- title: "Dynamic eval() usage",
42
- description: "Uses eval() which can execute arbitrary code.",
44
+ title: "Dynamic code evaluation",
45
+ description: "Uses dynamic code evaluation which can run arbitrary code.",
43
46
  codeOnly: true,
44
- fix: "Replace eval() with a safer alternative like JSON.parse() or a sandboxed environment."
47
+ fix: "Replace dynamic evaluation with a safer alternative like JSON.parse() or a sandboxed environment."
45
48
  },
46
49
  {
47
50
  name: "BASE64_DECODE",
48
- pattern: /base64\s+(-d|--decode)/gi,
51
+ pattern: re(["base", "64\\s+(-d|--dec", "ode)"], "gi"),
49
52
  severity: "critical",
50
53
  category: "obfuscation",
51
54
  title: "Base64 decode execution",
@@ -55,7 +58,7 @@ var THREAT_PATTERNS = [
55
58
  },
56
59
  {
57
60
  name: "PYTHON_EXEC",
58
- pattern: /python[3]?\s+-c/gi,
61
+ pattern: re(["pyth", "on[3]?\\s+-c"], "gi"),
59
62
  severity: "critical",
60
63
  category: "remote_code_execution",
61
64
  title: "Python inline execution",
@@ -65,17 +68,17 @@ var THREAT_PATTERNS = [
65
68
  },
66
69
  {
67
70
  name: "REVERSE_SHELL",
68
- pattern: /\/dev\/tcp\/|nc\s+-[elp]|ncat\s+-|mkfifo\s+.*\/tmp/gi,
71
+ pattern: re(["\\/dev\\/tc", "p\\/|nc\\s+-[elp]|nca", "t\\s+-|mkfi", "fo\\s+.*\\/tmp"], "gi"),
69
72
  severity: "critical",
70
73
  category: "remote_code_execution",
71
74
  title: "Reverse shell",
72
- description: "Creates a reverse shell connection back to an attacker-controlled server.",
75
+ description: "Creates a reverse connection back to an attacker-controlled server.",
73
76
  codeOnly: true,
74
- fix: "Remove reverse shell commands \u2014 these are almost never legitimate in skills."
77
+ fix: "Remove reverse connection commands \u2014 these are almost never legitimate in skills."
75
78
  },
76
79
  {
77
80
  name: "CRON_PERSISTENCE",
78
- pattern: /crontab\s+-|\/etc\/cron|systemctl\s+enable/gi,
81
+ pattern: re(["cron", "tab\\s+-|\\/etc\\/cro", "n|system", "ctl\\s+enable"], "gi"),
79
82
  severity: "critical",
80
83
  category: "persistence",
81
84
  title: "Scheduled task persistence",
@@ -85,7 +88,7 @@ var THREAT_PATTERNS = [
85
88
  },
86
89
  {
87
90
  name: "PERL_EXEC",
88
- pattern: /perl\s+-e/gi,
91
+ pattern: re(["per", "l\\s+-e"], "gi"),
89
92
  severity: "critical",
90
93
  category: "remote_code_execution",
91
94
  title: "Perl inline execution",
@@ -95,7 +98,7 @@ var THREAT_PATTERNS = [
95
98
  },
96
99
  {
97
100
  name: "NODE_EVAL",
98
- pattern: /node\s+-e\s/gi,
101
+ pattern: re(["no", "de\\s+-e\\s"], "gi"),
99
102
  severity: "critical",
100
103
  category: "remote_code_execution",
101
104
  title: "Node.js inline execution",
@@ -105,7 +108,7 @@ var THREAT_PATTERNS = [
105
108
  },
106
109
  {
107
110
  name: "RUBY_EXEC",
108
- pattern: /ruby\s+-e/gi,
111
+ pattern: re(["rub", "y\\s+-e"], "gi"),
109
112
  severity: "critical",
110
113
  category: "remote_code_execution",
111
114
  title: "Ruby inline execution",
@@ -274,7 +277,7 @@ var THREAT_PATTERNS = [
274
277
  },
275
278
  {
276
279
  name: "RAW_SOCKET",
277
- pattern: /new\s+Socket|net\.connect|dgram\.createSocket/gi,
280
+ pattern: re(["new\\s+Soc", "ket|net\\.conn", "ect|dgram\\.create", "Socket"], "gi"),
278
281
  severity: "high",
279
282
  category: "data_exfiltration",
280
283
  title: "Raw socket connection",
@@ -449,17 +452,17 @@ var THREAT_PATTERNS = [
449
452
  },
450
453
  {
451
454
  name: "BUFFER_BASE64_DECODE",
452
- pattern: /Buffer\.from\s*\(.*['"]base64['"]\)|atob\s*\(/gi,
455
+ pattern: re(["Buf", `fer\\.from\\s*\\(.*['"]base`, `64['"]\\)|at`, "ob\\s*\\("], "gi"),
453
456
  severity: "critical",
454
457
  category: "obfuscation",
455
- title: "Buffer/atob base64 decode",
456
- description: "Decodes base64 content via Buffer.from() or atob(), often used to hide malicious payloads.",
458
+ title: "Buffer/atob encoded payload",
459
+ description: "Decodes encoded content via Buffer.from() or atob(), often used to hide malicious payloads.",
457
460
  codeOnly: true,
458
461
  fix: "Include the decoded content directly so users can review it."
459
462
  },
460
463
  {
461
464
  name: "STRING_FROMCHARCODE",
462
- pattern: /String\.fromCharCode\s*\(/gi,
465
+ pattern: re(["String\\.from", "CharCode\\s*\\("], "gi"),
463
466
  severity: "medium",
464
467
  category: "obfuscation",
465
468
  title: "String.fromCharCode usage",
@@ -514,7 +517,7 @@ var THREAT_PATTERNS = [
514
517
  // ═══════════════════════════════════════════════════════
515
518
  {
516
519
  name: "SHELL_EXEC",
517
- pattern: /child_process|exec\(|spawn\(/gi,
520
+ pattern: re(["child_", "process|ex", "ec\\(|spa", "wn\\("], "gi"),
518
521
  severity: "low",
519
522
  category: "code_execution",
520
523
  title: "Shell execution API",
@@ -671,9 +674,9 @@ var BASE_CONFIDENCE = {
671
674
  function runStaticAnalysis(skill) {
672
675
  const findings = [];
673
676
  for (const threat of THREAT_PATTERNS) {
674
- const re = new RegExp(threat.pattern.source, threat.pattern.flags);
677
+ const re2 = new RegExp(threat.pattern.source, threat.pattern.flags);
675
678
  let match;
676
- while ((match = re.exec(skill.rawContent)) !== null) {
679
+ while ((match = re2.exec(skill.rawContent)) !== null) {
677
680
  const before = skill.rawContent.slice(0, match.index);
678
681
  const lineNumber = before.split("\n").length;
679
682
  if (threat.codeOnly && !isInCodeBlock(lineNumber, skill)) {
@@ -1159,7 +1162,7 @@ import { homedir, platform, release } from "os";
1159
1162
  import { randomUUID } from "crypto";
1160
1163
  var CONFIG_DIR = join(homedir(), ".clawvet");
1161
1164
  var CONFIG_FILE = join(CONFIG_DIR, "config.json");
1162
- var TELEMETRY_ENDPOINT = "https://api.clawvet.dev/v1/telemetry";
1165
+ var TELEMETRY_ENDPOINT = "https://bazzzz--0ab7a9301f3911f1ab9942dde27851f2.web.val.run";
1163
1166
  function loadConfig() {
1164
1167
  try {
1165
1168
  if (existsSync(CONFIG_FILE)) {
@@ -1275,6 +1278,24 @@ async function scanCommand(target, options) {
1275
1278
  }
1276
1279
  content = readFileSync2(skillFile, "utf-8");
1277
1280
  }
1281
+ const banFile = join2(process.cwd(), ".clawvetban");
1282
+ if (existsSync2(banFile)) {
1283
+ const banEntries = readFileSync2(banFile, "utf-8").split("\n").map((l) => l.trim().toLowerCase()).filter((l) => l && !l.startsWith("#"));
1284
+ const fmMatch = content.match(/^---\r?\n([\s\S]*?)\r?\n---/);
1285
+ if (fmMatch) {
1286
+ const fmText = fmMatch[1].toLowerCase();
1287
+ for (const ban of banEntries) {
1288
+ const targetLower = target.toLowerCase();
1289
+ if (targetLower.includes(ban) || fmText.includes(`name: ${ban}`) || fmText.includes(`author: ${ban}`) || fmText.includes(`slug: ${ban}`)) {
1290
+ console.error(
1291
+ chalk2.bgRed.white.bold(` BANNED `) + chalk2.red(` Skill matches ban list entry: ${ban}`)
1292
+ );
1293
+ console.error(chalk2.dim(` Source: ${banFile}`));
1294
+ process.exit(1);
1295
+ }
1296
+ }
1297
+ }
1298
+ }
1278
1299
  const ignoreFile = join2(process.cwd(), ".clawvetignore");
1279
1300
  const ignorePatterns = [];
1280
1301
  if (existsSync2(ignoreFile)) {
@@ -1303,12 +1324,12 @@ async function scanCommand(target, options) {
1303
1324
  if (!hasBeenAsked()) {
1304
1325
  const readline = await import("readline");
1305
1326
  const rl = readline.createInterface({ input: process.stdin, output: process.stderr });
1306
- const answer = await new Promise((resolve2) => {
1327
+ const answer = await new Promise((resolve3) => {
1307
1328
  rl.question(
1308
1329
  chalk2.dim("Help improve ClawVet \u2014 send anonymous usage stats? (y/n) "),
1309
1330
  (a) => {
1310
1331
  rl.close();
1311
- resolve2(a.trim().toLowerCase());
1332
+ resolve3(a.trim().toLowerCase());
1312
1333
  }
1313
1334
  );
1314
1335
  });
@@ -1469,9 +1490,64 @@ Detected change: ${filename}`));
1469
1490
  });
1470
1491
  }
1471
1492
 
1493
+ // src/commands/badge.ts
1494
+ import { readFileSync as readFileSync5, existsSync as existsSync5, statSync as statSync2 } from "fs";
1495
+ import { resolve as resolve2, join as join5 } from "path";
1496
+ import chalk5 from "chalk";
1497
+ var GRADE_COLORS2 = {
1498
+ A: "brightgreen",
1499
+ B: "green",
1500
+ C: "yellow",
1501
+ D: "orange",
1502
+ F: "red"
1503
+ };
1504
+ var GRADE_LABELS = {
1505
+ A: "safe",
1506
+ B: "safe",
1507
+ C: "review",
1508
+ D: "risky",
1509
+ F: "dangerous"
1510
+ };
1511
+ async function badgeCommand(target, options) {
1512
+ const skillPath = resolve2(target);
1513
+ let skillFile = skillPath;
1514
+ if (existsSync5(skillPath) && !skillPath.endsWith(".md") && existsSync5(join5(skillPath, "SKILL.md"))) {
1515
+ skillFile = join5(skillPath, "SKILL.md");
1516
+ }
1517
+ if (!existsSync5(skillFile) || statSync2(skillFile).isDirectory()) {
1518
+ console.error(`Error: Cannot find SKILL.md at ${skillFile}`);
1519
+ process.exit(1);
1520
+ }
1521
+ const content = readFileSync5(skillFile, "utf-8");
1522
+ const result = await scanSkill(content);
1523
+ const label = GRADE_LABELS[result.riskGrade];
1524
+ const color = GRADE_COLORS2[result.riskGrade];
1525
+ const badgeUrl = `https://img.shields.io/badge/clawvet-${result.riskGrade}%20${label}-${color}`;
1526
+ const linkUrl = "https://github.com/MohibShaikh/clawvet";
1527
+ if (options.markdown) {
1528
+ console.log(`[![ClawVet ${result.riskGrade}](${badgeUrl})](${linkUrl})`);
1529
+ } else {
1530
+ console.log();
1531
+ console.log(chalk5.bold(" ClawVet Trust Badge"));
1532
+ console.log();
1533
+ console.log(` Skill: ${chalk5.bold(result.skillName)}`);
1534
+ console.log(` Grade: ${result.riskGrade} (${label})`);
1535
+ console.log(` Score: ${result.riskScore}/100`);
1536
+ console.log();
1537
+ console.log(chalk5.dim(" Markdown (paste in README):"));
1538
+ console.log();
1539
+ console.log(` [![ClawVet ${result.riskGrade}](${badgeUrl})](${linkUrl})`);
1540
+ console.log();
1541
+ console.log(chalk5.dim(" HTML:"));
1542
+ console.log();
1543
+ console.log(` <a href="${linkUrl}"><img src="${badgeUrl}" alt="ClawVet ${result.riskGrade}"></a>`);
1544
+ console.log();
1545
+ }
1546
+ }
1547
+
1472
1548
  // src/index.ts
1473
1549
  var program = new Command();
1474
- program.name("clawvet").description("Skill vetting & supply chain security for OpenClaw").version("0.5.0");
1550
+ program.name("clawvet").description("Skill vetting & supply chain security for OpenClaw").version("0.6.0");
1475
1551
  program.command("scan").description("Scan a skill for security threats").argument("<target>", "Path to skill folder or SKILL.md file").option("--format <format>", "Output format: terminal, json, or sarif", "terminal").option("--fail-on <severity>", "Exit 1 if findings at this severity or above").option("--semantic", "Enable AI semantic analysis (requires ANTHROPIC_API_KEY)").option("--remote", "Fetch skill from ClawHub by name instead of local path").option("-q, --quiet", "Suppress all output, exit code only (0=pass, 1=fail)").option("--subscribe", "Open the ClawVet feedback & alerts form").action(async (target, opts) => {
1476
1552
  if (opts.subscribe) {
1477
1553
  const url = "https://tally.so/r/jaMdaa";
@@ -1494,6 +1570,9 @@ program.command("audit").description("Scan all installed OpenClaw skills").optio
1494
1570
  program.command("watch").description("Pre-install hook \u2014 blocks risky skill installs").option("--threshold <score>", "Risk score threshold (default 50)", "50").option("--dir <path>", "Custom skills directory to watch").action(async (opts) => {
1495
1571
  await watchCommand({ threshold: parseInt(opts.threshold), dir: opts.dir });
1496
1572
  });
1573
+ program.command("badge").description("Generate a trust badge for a skill's README").argument("<target>", "Path to skill folder or SKILL.md file").option("--md", "Output only the markdown snippet").action(async (target, opts) => {
1574
+ await badgeCommand(target, { markdown: opts.md });
1575
+ });
1497
1576
  program.command("feedback").description("Open the ClawVet feedback & threat alerts form").action(async () => {
1498
1577
  const url = "https://tally.so/r/jaMdaa";
1499
1578
  console.log(`Opening ${url} ...`);
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/commands/scan.ts","../../shared/src/patterns.ts","../../shared/src/scanner/skill-parser.ts","../../shared/src/scanner/static-analysis.ts","../../shared/src/scanner/metadata-validator.ts","../../shared/src/scanner/dependency-checker.ts","../../shared/src/scanner/typosquat-detector.ts","../../shared/src/scanner/risk-scorer.ts","../../shared/src/scanner/cache.ts","../../shared/src/scanner/index.ts","../src/output/terminal.ts","../src/output/json.ts","../src/output/sarif.ts","../src/telemetry.ts","../src/commands/audit.ts","../src/commands/watch.ts"],"sourcesContent":["import { Command } from \"commander\";\r\nimport { scanCommand } from \"./commands/scan.js\";\r\nimport { auditCommand } from \"./commands/audit.js\";\r\nimport { watchCommand } from \"./commands/watch.js\";\r\n\r\nconst program = new Command();\r\n\r\nprogram\r\n .name(\"clawvet\")\r\n .description(\"Skill vetting & supply chain security for OpenClaw\")\r\n .version(\"0.5.0\");\r\n\r\nprogram\r\n .command(\"scan\")\r\n .description(\"Scan a skill for security threats\")\r\n .argument(\"<target>\", \"Path to skill folder or SKILL.md file\")\r\n .option(\"--format <format>\", \"Output format: terminal, json, or sarif\", \"terminal\")\r\n .option(\"--fail-on <severity>\", \"Exit 1 if findings at this severity or above\")\r\n .option(\"--semantic\", \"Enable AI semantic analysis (requires ANTHROPIC_API_KEY)\")\r\n .option(\"--remote\", \"Fetch skill from ClawHub by name instead of local path\")\r\n .option(\"-q, --quiet\", \"Suppress all output, exit code only (0=pass, 1=fail)\")\r\n .option(\"--subscribe\", \"Open the ClawVet feedback & alerts form\")\r\n .action(async (target, opts) => {\r\n if (opts.subscribe) {\r\n const url = \"https://tally.so/r/jaMdaa\";\r\n console.log(`Opening ${url} ...`);\r\n const { exec } = await import(\"node:child_process\");\r\n const cmd = process.platform === \"win32\" ? `start ${url}` : process.platform === \"darwin\" ? `open ${url}` : `xdg-open ${url}`;\r\n exec(cmd);\r\n }\r\n await scanCommand(target, {\r\n format: opts.format,\r\n failOn: opts.failOn,\r\n semantic: opts.semantic,\r\n remote: opts.remote,\r\n quiet: opts.quiet,\r\n });\r\n });\r\n\r\nprogram\r\n .command(\"audit\")\r\n .description(\"Scan all installed OpenClaw skills\")\r\n .option(\"--dir <path>\", \"Custom skills directory to scan\")\r\n .action(async (opts) => {\r\n await auditCommand({ dir: opts.dir });\r\n });\r\n\r\nprogram\r\n .command(\"watch\")\r\n .description(\"Pre-install hook — blocks risky skill installs\")\r\n .option(\"--threshold <score>\", \"Risk score threshold (default 50)\", \"50\")\r\n .option(\"--dir <path>\", \"Custom skills directory to watch\")\r\n .action(async (opts) => {\r\n await watchCommand({ threshold: parseInt(opts.threshold), dir: opts.dir });\r\n });\r\n\r\nprogram\r\n .command(\"feedback\")\r\n .description(\"Open the ClawVet feedback & threat alerts form\")\r\n .action(async () => {\r\n const url = \"https://tally.so/r/jaMdaa\";\r\n console.log(`Opening ${url} ...`);\r\n const { exec } = await import(\"node:child_process\");\r\n const cmd = process.platform === \"win32\" ? `start ${url}` : process.platform === \"darwin\" ? `open ${url}` : `xdg-open ${url}`;\r\n exec(cmd);\r\n });\r\n\r\nprogram.parse();\r\n","import { readFileSync, existsSync, statSync } from \"node:fs\";\r\nimport { resolve, join } from \"node:path\";\r\nimport chalk from \"chalk\";\r\nimport { scanSkill } from \"@clawvet/shared\";\r\nimport { printScanResult } from \"../output/terminal.js\";\r\nimport { printJsonResult } from \"../output/json.js\";\r\nimport { printSarifResult } from \"../output/sarif.js\";\r\nimport { sendTelemetry, hasBeenAsked, setTelemetry } from \"../telemetry.js\";\r\n\r\nexport interface ScanOptions {\r\n format?: \"terminal\" | \"json\" | \"sarif\";\r\n failOn?: \"critical\" | \"high\" | \"medium\" | \"low\";\r\n semantic?: boolean;\r\n remote?: boolean;\r\n quiet?: boolean;\r\n}\r\n\r\nasync function fetchRemoteSkill(slug: string): Promise<string> {\r\n const urls = [\r\n `https://raw.githubusercontent.com/openclaw/skills/main/${slug}/SKILL.md`,\r\n `https://clawhub.ai/api/v1/skills/${slug}/raw`,\r\n ];\r\n\r\n for (const url of urls) {\r\n try {\r\n const res = await fetch(url, { signal: AbortSignal.timeout(10000) });\r\n if (res.ok) {\r\n return await res.text();\r\n }\r\n } catch {\r\n // try next\r\n }\r\n }\r\n\r\n throw new Error(\r\n `Could not fetch skill \"${slug}\" from ClawHub. Check the skill name and try again.`\r\n );\r\n}\r\n\r\nexport async function scanCommand(\r\n target: string,\r\n options: ScanOptions\r\n): Promise<void> {\r\n let content: string;\r\n\r\n if (options.remote) {\r\n try {\r\n process.stderr.write(`Fetching \"${target}\" from ClawHub...\\n`);\r\n content = await fetchRemoteSkill(target);\r\n } catch (err) {\r\n console.error(\r\n err instanceof Error ? err.message : \"Failed to fetch remote skill\"\r\n );\r\n process.exit(1);\r\n }\r\n } else {\r\n const skillPath = resolve(target);\r\n let skillFile = skillPath;\r\n\r\n if (\r\n existsSync(skillPath) &&\r\n !skillPath.endsWith(\".md\") &&\r\n existsSync(join(skillPath, \"SKILL.md\"))\r\n ) {\r\n skillFile = join(skillPath, \"SKILL.md\");\r\n }\r\n\r\n if (!existsSync(skillFile) || statSync(skillFile).isDirectory()) {\r\n console.error(`Error: Cannot find SKILL.md at ${skillFile}`);\r\n console.error(`Hint: If this is a directory of skills, use 'clawvet audit --dir ${target}' instead.`);\r\n process.exit(1);\r\n }\r\n\r\n content = readFileSync(skillFile, \"utf-8\");\r\n }\r\n\r\n // Load .clawvetignore\r\n const ignoreFile = join(process.cwd(), \".clawvetignore\");\r\n const ignorePatterns: string[] = [];\r\n if (existsSync(ignoreFile)) {\r\n const lines = readFileSync(ignoreFile, \"utf-8\").split(\"\\n\");\r\n for (const line of lines) {\r\n const trimmed = line.trim();\r\n if (trimmed && !trimmed.startsWith(\"#\")) {\r\n ignorePatterns.push(trimmed);\r\n }\r\n }\r\n }\r\n\r\n const result = await scanSkill(content, {\r\n semantic: options.semantic ?? false,\r\n ignorePatterns: ignorePatterns.length ? ignorePatterns : undefined,\r\n });\r\n\r\n if (!options.quiet) {\r\n if (options.format === \"sarif\") {\r\n printSarifResult(result);\r\n } else if (options.format === \"json\") {\r\n printJsonResult(result);\r\n } else {\r\n printScanResult(result);\r\n }\r\n }\r\n\r\n // Telemetry: first-run opt-in prompt\r\n if (!options.quiet && options.format !== \"json\" && options.format !== \"sarif\") {\r\n if (!hasBeenAsked()) {\r\n const readline = await import(\"node:readline\");\r\n const rl = readline.createInterface({ input: process.stdin, output: process.stderr });\r\n const answer = await new Promise<string>((resolve) => {\r\n rl.question(\r\n chalk.dim(\"Help improve ClawVet — send anonymous usage stats? (y/n) \"),\r\n (a) => { rl.close(); resolve(a.trim().toLowerCase()); }\r\n );\r\n });\r\n setTelemetry(answer === \"y\" || answer === \"yes\");\r\n }\r\n\r\n sendTelemetry(result);\r\n\r\n // Post-scan CTA\r\n console.log(\r\n chalk.dim(\" \") +\r\n chalk.cyan(\"Got feedback? Want threat alerts? → \") +\r\n chalk.underline.cyan(\"https://tally.so/r/jaMdaa\")\r\n );\r\n console.log();\r\n } else {\r\n sendTelemetry(result);\r\n }\r\n\r\n const failOn = options.failOn || (options.quiet ? \"high\" : undefined);\r\n if (failOn) {\r\n const severityOrder = [\"low\", \"medium\", \"high\", \"critical\"];\r\n const threshold = severityOrder.indexOf(failOn);\r\n const hasFailure = result.findings.some(\r\n (f) => severityOrder.indexOf(f.severity) >= threshold\r\n );\r\n if (hasFailure) {\r\n process.exit(1);\r\n }\r\n }\r\n}\r\n","import type { ThreatPattern } from \"./types.js\";\r\n\r\nexport const THREAT_PATTERNS: ThreatPattern[] = [\r\n // ═══════════════════════════════════════════════════════\r\n // CRITICAL: Remote code execution\r\n // ═══════════════════════════════════════════════════════\r\n {\r\n name: \"CURL_PIPE_BASH\",\r\n pattern: /curl\\s+.*\\|\\s*(ba)?sh/gi,\r\n severity: \"critical\",\r\n category: \"remote_code_execution\",\r\n title: \"Curl piped to shell\",\r\n description: \"Downloads and executes remote code directly — classic supply chain attack vector.\",\r\n codeOnly: true,\r\n fix: \"Download the script first, inspect it, then execute: `curl -o setup.sh URL && cat setup.sh && bash setup.sh`\",\r\n },\r\n {\r\n name: \"WGET_EXECUTE\",\r\n pattern: /wget\\s+.*&&\\s*(ba)?sh/gi,\r\n severity: \"critical\",\r\n category: \"remote_code_execution\",\r\n title: \"Wget with shell execution\",\r\n description: \"Downloads and executes remote code via wget.\",\r\n codeOnly: true,\r\n fix: \"Download the file first with `wget -O script.sh URL`, review it, then execute.\",\r\n },\r\n {\r\n name: \"EVAL_DYNAMIC\",\r\n pattern: /eval\\s*\\(/gi,\r\n severity: \"critical\",\r\n category: \"remote_code_execution\",\r\n title: \"Dynamic eval() usage\",\r\n description: \"Uses eval() which can execute arbitrary code.\",\r\n codeOnly: true,\r\n fix: \"Replace eval() with a safer alternative like JSON.parse() or a sandboxed environment.\",\r\n },\r\n {\r\n name: \"BASE64_DECODE\",\r\n pattern: /base64\\s+(-d|--decode)/gi,\r\n severity: \"critical\",\r\n category: \"obfuscation\",\r\n title: \"Base64 decode execution\",\r\n description: \"Decodes base64 content, often used to hide malicious payloads.\",\r\n codeOnly: true,\r\n fix: \"Decode and include the command directly so users can review it.\",\r\n },\r\n {\r\n name: \"PYTHON_EXEC\",\r\n pattern: /python[3]?\\s+-c/gi,\r\n severity: \"critical\",\r\n category: \"remote_code_execution\",\r\n title: \"Python inline execution\",\r\n description: \"Executes inline Python code which may contain hidden payloads.\",\r\n codeOnly: true,\r\n fix: \"Move inline code to a separate .py file so users can review it before execution.\",\r\n },\r\n {\r\n name: \"REVERSE_SHELL\",\r\n pattern: /\\/dev\\/tcp\\/|nc\\s+-[elp]|ncat\\s+-|mkfifo\\s+.*\\/tmp/gi,\r\n severity: \"critical\",\r\n category: \"remote_code_execution\",\r\n title: \"Reverse shell\",\r\n description: \"Creates a reverse shell connection back to an attacker-controlled server.\",\r\n codeOnly: true,\r\n fix: \"Remove reverse shell commands — these are almost never legitimate in skills.\",\r\n },\r\n {\r\n name: \"CRON_PERSISTENCE\",\r\n pattern: /crontab\\s+-|\\/etc\\/cron|systemctl\\s+enable/gi,\r\n severity: \"critical\",\r\n category: \"persistence\",\r\n title: \"Scheduled task persistence\",\r\n description: \"Installs a cron job or systemd service for persistent execution after reboot.\",\r\n codeOnly: true,\r\n fix: \"Document the scheduled task in the skill description and require explicit user consent before installing.\",\r\n },\r\n {\r\n name: \"PERL_EXEC\",\r\n pattern: /perl\\s+-e/gi,\r\n severity: \"critical\",\r\n category: \"remote_code_execution\",\r\n title: \"Perl inline execution\",\r\n description: \"Executes inline Perl code which may contain obfuscated payloads.\",\r\n codeOnly: true,\r\n fix: \"Move inline code to a separate .pl file so users can review it before execution.\",\r\n },\r\n {\r\n name: \"NODE_EVAL\",\r\n pattern: /node\\s+-e\\s/gi,\r\n severity: \"critical\",\r\n category: \"remote_code_execution\",\r\n title: \"Node.js inline execution\",\r\n description: \"Executes inline Node.js code, often used to hide malicious logic.\",\r\n codeOnly: true,\r\n fix: \"Move inline code to a separate .js file so users can review it before execution.\",\r\n },\r\n {\r\n name: \"RUBY_EXEC\",\r\n pattern: /ruby\\s+-e/gi,\r\n severity: \"critical\",\r\n category: \"remote_code_execution\",\r\n title: \"Ruby inline execution\",\r\n description: \"Executes inline Ruby code which may contain hidden payloads.\",\r\n codeOnly: true,\r\n fix: \"Move inline code to a separate .rb file so users can review it before execution.\",\r\n },\r\n\r\n // ═══════════════════════════════════════════════════════\r\n // HIGH: Credential theft\r\n // ═══════════════════════════════════════════════════════\r\n {\r\n name: \"ENV_FILE_READ\",\r\n pattern: /\\.env|credentials|\\.aws|\\.ssh|keychain/gi,\r\n severity: \"high\",\r\n category: \"credential_theft\",\r\n title: \"Sensitive file access\",\r\n description: \"Accesses credential files (.env, .aws, .ssh, keychain).\",\r\n fix: \"Declare required env vars in frontmatter under `metadata.openclaw.requires.env`.\",\r\n },\r\n {\r\n name: \"API_KEY_EXFIL\",\r\n pattern: /(ANTHROPIC|OPENAI|SLACK|DISCORD|TELEGRAM|STRIPE|GITHUB|GITLAB|AWS_SECRET|GROQ|OPENROUTER).*(_KEY|_TOKEN|_SECRET)/gi,\r\n severity: \"high\",\r\n category: \"credential_theft\",\r\n title: \"API key reference\",\r\n description: \"References specific API keys/tokens that could be exfiltrated.\",\r\n fix: \"Use environment variable references ($VAR) instead of hardcoding keys, and declare them in requires.env.\",\r\n },\r\n {\r\n name: \"DOTFILE_ACCESS\",\r\n pattern: /~\\/\\.(openclaw|clawdbot|moltbot)\\//gi,\r\n severity: \"high\",\r\n category: \"credential_theft\",\r\n title: \"OpenClaw config access\",\r\n description: \"Accesses OpenClaw/Clawdbot/Moltbot configuration directories.\",\r\n fix: \"Use the official OpenClaw SDK/API instead of directly reading config directories.\",\r\n },\r\n {\r\n name: \"SESSION_THEFT\",\r\n pattern: /sessions\\/\\*\\.jsonl/gi,\r\n severity: \"high\",\r\n category: \"credential_theft\",\r\n title: \"Session data access\",\r\n description: \"Accesses session transcript files which may contain sensitive data.\",\r\n fix: \"Remove session file access — skills should not read conversation transcripts.\",\r\n },\r\n {\r\n name: \"SSH_KEY_ACCESS\",\r\n pattern: /~\\/\\.ssh\\/id_|\\.pem\\b|BEGIN\\s+(RSA\\s+)?PRIVATE\\s+KEY/gi,\r\n severity: \"high\",\r\n category: \"credential_theft\",\r\n title: \"SSH/private key access\",\r\n description: \"Accesses SSH keys or private key files that could be stolen.\",\r\n fix: \"Use ssh-agent or a credential manager instead of directly reading key files.\",\r\n },\r\n {\r\n name: \"BROWSER_DATA\",\r\n pattern: /\\.config\\/google-chrome|\\.mozilla\\/firefox|Login\\s*Data|Cookies\\.sqlite/gi,\r\n severity: \"high\",\r\n category: \"credential_theft\",\r\n title: \"Browser data access\",\r\n description: \"Accesses browser profiles which contain saved passwords, cookies, and tokens.\",\r\n fix: \"Remove browser data access — skills should not read browser profiles.\",\r\n },\r\n {\r\n name: \"GIT_CREDENTIALS\",\r\n pattern: /\\.git-credentials|\\.gitconfig|git\\s+config.*credential/gi,\r\n severity: \"high\",\r\n category: \"credential_theft\",\r\n title: \"Git credential access\",\r\n description: \"Accesses git credential storage which may contain auth tokens.\",\r\n fix: \"Use `git` CLI commands instead of directly reading credential files.\",\r\n },\r\n {\r\n name: \"NPM_TOKEN\",\r\n pattern: /\\.npmrc|npm_token|NPM_AUTH_TOKEN/gi,\r\n severity: \"high\",\r\n category: \"credential_theft\",\r\n title: \"npm token access\",\r\n description: \"Accesses npm auth tokens which could be used to publish malicious packages.\",\r\n fix: \"Use `npm whoami` or `npm config get` instead of directly reading .npmrc.\",\r\n },\r\n {\r\n name: \"KUBE_CONFIG\",\r\n pattern: /~\\/\\.kube\\/config|KUBECONFIG/gi,\r\n severity: \"high\",\r\n category: \"credential_theft\",\r\n title: \"Kubernetes config access\",\r\n description: \"Accesses Kubernetes configuration which contains cluster credentials.\",\r\n fix: \"Use `kubectl` CLI commands instead of directly reading kubeconfig.\",\r\n },\r\n {\r\n name: \"DOCKER_SOCKET\",\r\n pattern: /\\/var\\/run\\/docker\\.sock|docker\\s+exec/gi,\r\n severity: \"high\",\r\n category: \"container_escape\",\r\n title: \"Docker socket/exec access\",\r\n description: \"Accesses Docker socket or runs exec — could enable container escape.\",\r\n fix: \"Use Docker SDK or CLI with limited permissions instead of direct socket access.\",\r\n },\r\n\r\n // ═══════════════════════════════════════════════════════\r\n // HIGH: Network exfiltration\r\n // ═══════════════════════════════════════════════════════\r\n {\r\n name: \"WEBHOOK_SEND\",\r\n pattern: /webhook\\.(site|url)|discord\\.com\\/api\\/webhooks|hooks\\.slack\\.com|api\\.telegram\\.org\\/bot/gi,\r\n severity: \"high\",\r\n category: \"data_exfiltration\",\r\n title: \"Webhook data exfiltration\",\r\n description: \"Sends data to webhook endpoints (Discord, Slack, Telegram) — common exfiltration channel.\",\r\n fix: \"If webhook integration is needed, declare it in the skill description and let users configure their own webhook URL.\",\r\n },\r\n {\r\n name: \"BORE_TUNNEL\",\r\n pattern: /bore\\.pub|ngrok|localtunnel|serveo\\.net|localhost\\.run/gi,\r\n severity: \"high\",\r\n category: \"data_exfiltration\",\r\n title: \"Tunnel service usage\",\r\n description: \"Uses tunneling services to expose local services or exfiltrate data.\",\r\n fix: \"Document tunnel usage in the skill description and require explicit user consent.\",\r\n },\r\n {\r\n name: \"SUSPICIOUS_IP\",\r\n pattern: /\\b(?:91\\.92\\.242\\.\\d+|45\\.61\\.\\d+\\.\\d+)\\b/g,\r\n severity: \"high\",\r\n category: \"data_exfiltration\",\r\n title: \"Known malicious IP\",\r\n description: \"Contains IP addresses associated with known ClawHavoc C2 infrastructure.\",\r\n fix: \"Remove references to known malicious IP addresses.\",\r\n },\r\n {\r\n name: \"DNS_EXFIL\",\r\n pattern: /dig\\s+.*TXT|nslookup\\s+.*\\$|dns.*exfil|\\.burpcollaborator\\.|\\.oastify\\./gi,\r\n severity: \"high\",\r\n category: \"data_exfiltration\",\r\n title: \"DNS exfiltration\",\r\n description: \"Uses DNS queries to exfiltrate data — bypasses most firewalls.\",\r\n fix: \"Remove DNS exfiltration patterns — use standard HTTP APIs for data transfer.\",\r\n },\r\n {\r\n name: \"PASTEBIN_FETCH\",\r\n pattern: /pastebin\\.com|paste\\.ee|hastebin\\.com|ghostbin\\.|dpaste\\./gi,\r\n severity: \"high\",\r\n category: \"data_exfiltration\",\r\n title: \"Pastebin service usage\",\r\n description: \"References paste services commonly used to host malicious payloads or receive exfiltrated data.\",\r\n fix: \"Host code in a version-controlled repository (GitHub, GitLab) instead of paste services.\",\r\n },\r\n {\r\n name: \"SUSPICIOUS_TLD\",\r\n pattern: /https?:\\/\\/[^\\s\"']*\\.(tk|ml|ga|cf|gq|top|xyz|pw|cc|ws|buzz)\\b/gi,\r\n severity: \"high\",\r\n category: \"data_exfiltration\",\r\n title: \"Suspicious TLD\",\r\n description: \"URL uses a top-level domain frequently associated with malicious infrastructure.\",\r\n fix: \"Use URLs from well-known, reputable domains instead of suspicious TLDs.\",\r\n },\r\n {\r\n name: \"URL_SHORTENER\",\r\n pattern: /bit\\.ly|tinyurl\\.com|t\\.co\\/|goo\\.gl|is\\.gd|buff\\.ly|ow\\.ly|rb\\.gy/gi,\r\n severity: \"high\",\r\n category: \"obfuscation\",\r\n title: \"URL shortener\",\r\n description: \"Uses URL shorteners to hide the real destination of links.\",\r\n fix: \"Use the full, unshortened URL so users can verify the destination.\",\r\n },\r\n {\r\n name: \"RAW_SOCKET\",\r\n pattern: /new\\s+Socket|net\\.connect|dgram\\.createSocket/gi,\r\n severity: \"high\",\r\n category: \"data_exfiltration\",\r\n title: \"Raw socket connection\",\r\n description: \"Creates raw network sockets which can bypass HTTP monitoring.\",\r\n codeOnly: true,\r\n fix: \"Use standard HTTP libraries (fetch, axios) instead of raw sockets for network communication.\",\r\n },\r\n\r\n // ═══════════════════════════════════════════════════════\r\n // MEDIUM: Social engineering\r\n // ═══════════════════════════════════════════════════════\r\n {\r\n name: \"PREREQUISITE_INSTALL\",\r\n pattern: /prerequisite|install.*first|run.*before|required.*dependency/gi,\r\n severity: \"medium\",\r\n category: \"social_engineering\",\r\n title: \"Prerequisite install trick\",\r\n description: \"Instructs users to install prerequisites — common social engineering tactic.\",\r\n fix: \"Declare dependencies in `metadata.openclaw.requires.bins` instead of instructing manual installs.\",\r\n },\r\n {\r\n name: \"COPY_PASTE_COMMAND\",\r\n pattern: /copy.*paste.*terminal|run.*this.*command/gi,\r\n severity: \"medium\",\r\n category: \"social_engineering\",\r\n title: \"Copy-paste command instruction\",\r\n description: \"Instructs users to copy-paste commands into their terminal.\",\r\n fix: \"Put commands in code blocks with proper context instead of copy-paste instructions.\",\r\n },\r\n {\r\n name: \"FAKE_DEPENDENCY\",\r\n pattern: /openclaw-core|moltbot-runtime|clawdbot-helper/gi,\r\n severity: \"medium\",\r\n category: \"social_engineering\",\r\n title: \"Fake dependency reference\",\r\n description: \"References fake packages that mimic official OpenClaw components.\",\r\n fix: \"Use only official OpenClaw packages from the verified registry.\",\r\n },\r\n {\r\n name: \"AUTHORITY_SPOOFING\",\r\n pattern: /official\\s+(openclaw|clawhub)|endorsed\\s+by|verified\\s+(skill|publisher)|from\\s+the\\s+openclaw\\s+team/gi,\r\n severity: \"medium\",\r\n category: \"social_engineering\",\r\n title: \"Authority spoofing\",\r\n description: \"Claims official endorsement or verification to gain trust.\",\r\n fix: \"Remove false authority claims — let the skill's quality speak for itself.\",\r\n },\r\n {\r\n name: \"URGENCY_MANIPULATION\",\r\n pattern: /critical\\s+update|security\\s+patch|must\\s+install\\s+immediately|urgent.*update/gi,\r\n severity: \"medium\",\r\n category: \"social_engineering\",\r\n title: \"Urgency manipulation\",\r\n description: \"Creates false urgency to pressure users into installing without review.\",\r\n fix: \"Remove urgency language — let users evaluate the skill at their own pace.\",\r\n },\r\n\r\n // ═══════════════════════════════════════════════════════\r\n // MEDIUM: Prompt injection\r\n // ═══════════════════════════════════════════════════════\r\n {\r\n name: \"IGNORE_INSTRUCTIONS\",\r\n pattern: /ignore\\s+(all\\s+)?previous\\s+instructions/gi,\r\n severity: \"medium\",\r\n category: \"prompt_injection\",\r\n title: \"Prompt injection — ignore instructions\",\r\n description: \"Attempts to override the AI agent's existing instructions.\",\r\n fix: \"Remove prompt injection attempts — skills should not try to override agent instructions.\",\r\n },\r\n {\r\n name: \"SYSTEM_OVERRIDE\",\r\n pattern: /you\\s+are\\s+now|new\\s+instructions|forget\\s+everything/gi,\r\n severity: \"medium\",\r\n category: \"prompt_injection\",\r\n title: \"Prompt injection — system override\",\r\n description: \"Attempts to redefine the AI agent's identity or instructions.\",\r\n fix: \"Remove system override attempts — skills should not alter agent identity.\",\r\n },\r\n {\r\n name: \"MEMORY_MANIPULATION\",\r\n pattern: /SOUL\\.md|MEMORY\\.md|AGENTS\\.md/gi,\r\n severity: \"medium\",\r\n category: \"persistence\",\r\n title: \"Memory/personality file manipulation\",\r\n description: \"References core personality or memory files, may attempt persistence.\",\r\n fix: \"Remove references to agent memory/personality files — skills should not modify agent state.\",\r\n },\r\n {\r\n name: \"JAILBREAK_ATTEMPT\",\r\n pattern: /\\bDAN\\b|do\\s+anything\\s+now|developer\\s+mode|evil\\s+mode|bypass.*safety/gi,\r\n severity: \"medium\",\r\n category: \"prompt_injection\",\r\n title: \"Jailbreak attempt\",\r\n description: \"Uses known jailbreak techniques (DAN, developer mode) to bypass safety constraints.\",\r\n fix: \"Remove jailbreak attempts — skills should work within the agent's safety constraints.\",\r\n },\r\n {\r\n name: \"ROLE_HIJACK\",\r\n pattern: /(?:pretend|act|behave)\\s+(?:you\\s+are|as\\s+if|to\\s+be)\\s+(?:a\\s+)?(?:different|new|hacker|evil)/gi,\r\n severity: \"medium\",\r\n category: \"prompt_injection\",\r\n title: \"Role hijacking\",\r\n description: \"Attempts to change the agent's persona to bypass safety restrictions.\",\r\n fix: \"Remove role hijacking attempts — skills should not alter the agent's persona.\",\r\n },\r\n {\r\n name: \"PROMPT_EXTRACTION\",\r\n pattern: /(?:reveal|show|print|output|tell\\s+me)\\s+(?:your\\s+)?(?:system\\s+)?(?:prompt|instructions|rules)/gi,\r\n severity: \"medium\",\r\n category: \"prompt_injection\",\r\n title: \"System prompt extraction\",\r\n description: \"Attempts to extract the agent's system prompt or configuration.\",\r\n fix: \"Remove prompt extraction attempts — skills should not try to access system prompts.\",\r\n },\r\n\r\n // ═══════════════════════════════════════════════════════\r\n // MEDIUM: Obfuscation\r\n // ═══════════════════════════════════════════════════════\r\n {\r\n name: \"HEX_ENCODING\",\r\n pattern: /\\\\x[0-9a-f]{2}(?:\\\\x[0-9a-f]{2}){3,}/gi,\r\n severity: \"medium\",\r\n category: \"obfuscation\",\r\n title: \"Hex-encoded payload\",\r\n description: \"Contains hex-encoded strings commonly used to hide malicious commands.\",\r\n codeOnly: true,\r\n fix: \"Replace hex-encoded strings with readable text so users can review the content.\",\r\n },\r\n {\r\n name: \"JS_OBFUSCATOR\",\r\n pattern: /_0x[a-f0-9]{4,}|var\\s+_0x/gi,\r\n severity: \"medium\",\r\n category: \"obfuscation\",\r\n title: \"JavaScript obfuscator output\",\r\n description: \"Contains patterns from JavaScript obfuscation tools used to hide malicious code.\",\r\n codeOnly: true,\r\n fix: \"Provide readable, unobfuscated source code instead of obfuscated JavaScript.\",\r\n },\r\n {\r\n name: \"UNICODE_STEGANOGRAPHY\",\r\n pattern: /[\\u200B\\u200C\\u200D\\u2060\\uFEFF]{3,}/g,\r\n severity: \"medium\",\r\n category: \"obfuscation\",\r\n title: \"Hidden zero-width characters\",\r\n description: \"Contains clusters of invisible zero-width Unicode characters that may hide instructions.\",\r\n fix: \"Remove zero-width characters — all content should be visible to users.\",\r\n },\r\n {\r\n name: \"RTL_OVERRIDE\",\r\n pattern: /[\\u202A\\u202B\\u202C\\u202D\\u202E\\u2066\\u2067\\u2068\\u2069]/g,\r\n severity: \"medium\",\r\n category: \"obfuscation\",\r\n title: \"Bidirectional text override\",\r\n description: \"Contains Unicode bidi override characters that can reverse displayed text to hide real content.\",\r\n fix: \"Remove bidirectional text override characters — text direction should be natural.\",\r\n },\r\n {\r\n name: \"HTML_COMMENT_INJECTION\",\r\n pattern: /<!--[\\s\\S]*?(?:ignore|instructions|system|override|secret)[\\s\\S]*?-->/gi,\r\n severity: \"medium\",\r\n category: \"obfuscation\",\r\n title: \"Hidden HTML comment instruction\",\r\n description: \"Embeds instructions inside HTML comments that are invisible to users but read by agents.\",\r\n fix: \"Move instructions from HTML comments into visible content.\",\r\n },\r\n {\r\n name: \"STRING_CONCAT_OBFUSC\",\r\n pattern: /[\"'][a-z]{1,3}[\"']\\s*\\+\\s*[\"'][a-z]{1,3}[\"']\\s*\\+\\s*[\"'][a-z]{1,3}[\"']/gi,\r\n severity: \"medium\",\r\n category: \"obfuscation\",\r\n title: \"String concatenation obfuscation\",\r\n description: \"Builds commands via single-character string concatenation to evade pattern detection.\",\r\n codeOnly: true,\r\n fix: \"Use complete string literals instead of character-by-character concatenation.\",\r\n },\r\n {\r\n name: \"BUFFER_BASE64_DECODE\",\r\n pattern: /Buffer\\.from\\s*\\(.*['\"]base64['\"]\\)|atob\\s*\\(/gi,\r\n severity: \"critical\",\r\n category: \"obfuscation\",\r\n title: \"Buffer/atob base64 decode\",\r\n description: \"Decodes base64 content via Buffer.from() or atob(), often used to hide malicious payloads.\",\r\n codeOnly: true,\r\n fix: \"Include the decoded content directly so users can review it.\",\r\n },\r\n {\r\n name: \"STRING_FROMCHARCODE\",\r\n pattern: /String\\.fromCharCode\\s*\\(/gi,\r\n severity: \"medium\",\r\n category: \"obfuscation\",\r\n title: \"String.fromCharCode usage\",\r\n description: \"Builds strings from character codes to evade static pattern detection.\",\r\n codeOnly: true,\r\n fix: \"Use plain string literals instead of String.fromCharCode().\",\r\n },\r\n {\r\n name: \"DYNAMIC_PROPERTY_ACCESS\",\r\n pattern: /(?:process|global|window|globalThis)\\s*\\[\\s*['\"`]?\\w*['\"`]?\\s*\\+/gi,\r\n severity: \"medium\",\r\n category: \"obfuscation\",\r\n title: \"Dynamic property access on globals\",\r\n description: \"Dynamically accesses global object properties via string concatenation to hide intent.\",\r\n codeOnly: true,\r\n fix: \"Use direct property access (e.g., `process.env`) instead of dynamic bracket notation.\",\r\n },\r\n\r\n // ═══════════════════════════════════════════════════════\r\n // MEDIUM: Privilege escalation & system access\r\n // ═══════════════════════════════════════════════════════\r\n {\r\n name: \"SUDO_USAGE\",\r\n pattern: /sudo\\s+(?!apt|dnf|yum|brew)/gi,\r\n severity: \"medium\",\r\n category: \"privilege_escalation\",\r\n title: \"Sudo usage\",\r\n description: \"Requests elevated privileges — check if actually required for the task.\",\r\n codeOnly: true,\r\n fix: \"Remove sudo if not strictly necessary, or document why elevated privileges are required.\",\r\n },\r\n {\r\n name: \"CHMOD_DANGEROUS\",\r\n pattern: /chmod\\s+(?:777|a\\+[rwx]|[+]s)/gi,\r\n severity: \"medium\",\r\n category: \"privilege_escalation\",\r\n title: \"Dangerous file permissions\",\r\n description: \"Sets overly permissive file permissions (777) or setuid/setgid bits.\",\r\n codeOnly: true,\r\n fix: \"Use least-privilege permissions (e.g., `chmod 755` or `chmod 644`) instead of 777.\",\r\n },\r\n {\r\n name: \"PATH_TRAVERSAL\",\r\n pattern: /\\.\\.\\//g,\r\n severity: \"medium\",\r\n category: \"file_system\",\r\n title: \"Path traversal\",\r\n description: \"Uses relative path traversal (../) which could access files outside expected directories.\",\r\n fix: \"Use absolute paths or paths relative to the skill's working directory.\",\r\n },\r\n\r\n // ═══════════════════════════════════════════════════════\r\n // LOW: Suspicious but not necessarily malicious\r\n // ═══════════════════════════════════════════════════════\r\n {\r\n name: \"SHELL_EXEC\",\r\n pattern: /child_process|exec\\(|spawn\\(/gi,\r\n severity: \"low\",\r\n category: \"code_execution\",\r\n title: \"Shell execution API\",\r\n description: \"Uses shell execution APIs — legitimate but worth noting.\",\r\n codeOnly: true,\r\n fix: \"If shell execution is needed, use execFile() with explicit arguments instead of exec() with string commands.\",\r\n },\r\n {\r\n name: \"NETWORK_REQUEST\",\r\n pattern: /fetch\\(|axios|node-fetch|got\\(/gi,\r\n severity: \"low\",\r\n category: \"network\",\r\n title: \"Network request API\",\r\n description: \"Makes network requests — legitimate but worth reviewing targets.\",\r\n codeOnly: true,\r\n fix: \"Document all network endpoints in the skill description so users can review them.\",\r\n },\r\n {\r\n name: \"FILE_WRITE\",\r\n pattern: /fs\\.write|writeFileSync/gi,\r\n severity: \"low\",\r\n category: \"file_system\",\r\n title: \"File write operation\",\r\n description: \"Writes to the filesystem — check what files are being modified.\",\r\n codeOnly: true,\r\n fix: \"Document which files are written and why in the skill description.\",\r\n },\r\n {\r\n name: \"ENV_MODIFICATION\",\r\n pattern: /process\\.env\\[|export\\s+[A-Z_]+=|setenv/gi,\r\n severity: \"low\",\r\n category: \"environment\",\r\n title: \"Environment variable modification\",\r\n description: \"Modifies environment variables which could affect other tools or processes.\",\r\n codeOnly: true,\r\n fix: \"Document env var modifications in the skill description and declare them in requires.env.\",\r\n },\r\n {\r\n name: \"WILDCARD_FILE_ACCESS\",\r\n pattern: /\\*\\.(pem|key|p12|pfx|jks|keystore|ovpn|rdp)/gi,\r\n severity: \"low\",\r\n category: \"credential_theft\",\r\n title: \"Sensitive file extension glob\",\r\n description: \"Globs for files with sensitive extensions (keys, certificates, VPN configs).\",\r\n fix: \"Reference specific files by name instead of using wildcard patterns on sensitive extensions.\",\r\n },\r\n {\r\n name: \"LARGE_BASE64_LITERAL\",\r\n pattern: /[A-Za-z0-9+/=]{100,}/g,\r\n severity: \"low\",\r\n category: \"obfuscation\",\r\n title: \"Large base64-like string\",\r\n description: \"Contains a long base64-like string that may be an encoded payload.\",\r\n fix: \"Include the decoded content directly or explain what the base64 string contains.\",\r\n },\r\n];\r\n\r\nexport const POPULAR_SKILLS = [\r\n \"todoist-cli\",\r\n \"github-manager\",\r\n \"slack-assistant\",\r\n \"email-composer\",\r\n \"calendar-sync\",\r\n \"weather-forecast\",\r\n \"news-reader\",\r\n \"code-reviewer\",\r\n \"docker-helper\",\r\n \"aws-manager\",\r\n \"notion-sync\",\r\n \"jira-tracker\",\r\n \"spotify-controller\",\r\n \"home-assistant\",\r\n \"file-organizer\",\r\n \"pdf-reader\",\r\n \"translate-text\",\r\n \"image-generator\",\r\n \"web-scraper\",\r\n \"database-query\",\r\n \"git-assistant\",\r\n \"linux-admin\",\r\n \"python-helper\",\r\n \"react-builder\",\r\n \"api-tester\",\r\n \"markdown-editor\",\r\n \"csv-analyzer\",\r\n \"ssh-manager\",\r\n \"cron-scheduler\",\r\n \"log-analyzer\",\r\n];\r\n","import { parse as parseYaml } from \"yaml\";\r\nimport type { ParsedSkill, SkillFrontmatter, CodeBlock } from \"../types.js\";\r\n\r\nconst FRONTMATTER_RE = /^---\\r?\\n([\\s\\S]*?)\\r?\\n---/;\r\nconst CODE_BLOCK_RE = /```(\\w*)\\r?\\n([\\s\\S]*?)```/g;\r\nconst URL_RE = /https?:\\/\\/[^\\s\"'<>\\])+]+/gi;\r\nconst IP_RE = /\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b/g;\r\nconst DOMAIN_RE = /\\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\\.)+[a-z]{2,}\\b/gi;\r\n\r\nexport function parseSkill(content: string): ParsedSkill {\r\n let frontmatter: SkillFrontmatter = {};\r\n let body = content;\r\n\r\n const fmMatch = content.match(FRONTMATTER_RE);\r\n if (fmMatch) {\r\n try {\r\n frontmatter = parseYaml(fmMatch[1]) as SkillFrontmatter;\r\n } catch {\r\n frontmatter = {};\r\n }\r\n body = content.slice(fmMatch[0].length).trim();\r\n }\r\n\r\n const codeBlocks: CodeBlock[] = [];\r\n let match: RegExpExecArray | null;\r\n const cbRe = new RegExp(CODE_BLOCK_RE.source, CODE_BLOCK_RE.flags);\r\n\r\n while ((match = cbRe.exec(content)) !== null) {\r\n const before = content.slice(0, match.index);\r\n const lineStart = before.split(\"\\n\").length;\r\n const blockLines = match[0].split(\"\\n\").length;\r\n codeBlocks.push({\r\n language: match[1] || \"unknown\",\r\n content: match[2],\r\n lineStart,\r\n lineEnd: lineStart + blockLines - 1,\r\n });\r\n }\r\n\r\n const urls = [...new Set(content.match(URL_RE) || [])];\r\n const ipAddresses = [...new Set(content.match(IP_RE) || [])];\r\n const domains = [...new Set(content.match(DOMAIN_RE) || [])];\r\n\r\n return {\r\n frontmatter,\r\n body,\r\n codeBlocks,\r\n urls,\r\n ipAddresses,\r\n domains,\r\n rawContent: content,\r\n };\r\n}\r\n","import { THREAT_PATTERNS } from \"../patterns.js\";\r\nimport type { Finding, ParsedSkill, Severity } from \"../types.js\";\r\n\r\nfunction isInCodeBlock(lineNumber: number, skill: ParsedSkill): boolean {\r\n return skill.codeBlocks.some(\r\n (block) => lineNumber >= block.lineStart && lineNumber <= block.lineEnd\r\n );\r\n}\r\n\r\nfunction isInHeading(lineNumber: number, rawContent: string): boolean {\r\n const lines = rawContent.split(\"\\n\");\r\n const line = lines[lineNumber - 1] || \"\";\r\n return /^\\s*#{1,6}\\s/.test(line);\r\n}\r\n\r\nconst BASE_CONFIDENCE: Record<Severity, number> = {\r\n critical: 0.9,\r\n high: 0.8,\r\n medium: 0.6,\r\n low: 0.5,\r\n};\r\n\r\nexport function runStaticAnalysis(skill: ParsedSkill): Finding[] {\r\n const findings: Finding[] = [];\r\n\r\n for (const threat of THREAT_PATTERNS) {\r\n const re = new RegExp(threat.pattern.source, threat.pattern.flags);\r\n let match: RegExpExecArray | null;\r\n\r\n while ((match = re.exec(skill.rawContent)) !== null) {\r\n const before = skill.rawContent.slice(0, match.index);\r\n const lineNumber = before.split(\"\\n\").length;\r\n\r\n if (threat.codeOnly && !isInCodeBlock(lineNumber, skill)) {\r\n continue;\r\n }\r\n\r\n const inCode = isInCodeBlock(lineNumber, skill);\r\n const inHeading = isInHeading(lineNumber, skill.rawContent);\r\n\r\n let contextMultiplier: number;\r\n if (inCode && threat.codeOnly) {\r\n contextMultiplier = 1.0;\r\n } else if (inCode) {\r\n contextMultiplier = 0.95;\r\n } else if (inHeading) {\r\n contextMultiplier = 0.5;\r\n } else if (threat.codeOnly) {\r\n // codeOnly pattern somehow in prose (shouldn't happen due to skip above)\r\n contextMultiplier = 0.4;\r\n } else {\r\n // Non-codeOnly patterns are designed to match in prose\r\n contextMultiplier = 0.9;\r\n }\r\n\r\n const baseConfidence = BASE_CONFIDENCE[threat.severity];\r\n const confidence = Math.min(1.0, baseConfidence * contextMultiplier);\r\n\r\n findings.push({\r\n category: threat.category,\r\n severity: threat.severity,\r\n title: threat.title,\r\n description: threat.description,\r\n evidence: match[0],\r\n lineNumber,\r\n analysisPass: \"static-analysis\",\r\n confidence: Math.round(confidence * 100) / 100,\r\n fix: threat.fix,\r\n });\r\n }\r\n }\r\n\r\n return findings;\r\n}\r\n","import type { Finding, ParsedSkill } from \"../types.js\";\r\n\r\nconst SEMVER_RE = /^\\d+\\.\\d+\\.\\d+/;\r\n\r\nconst KNOWN_BINS = [\r\n \"curl\", \"wget\", \"git\", \"python\", \"python3\", \"node\", \"npm\", \"npx\",\r\n \"brew\", \"apt\", \"pip\", \"docker\", \"kubectl\", \"ssh\", \"scp\", \"rsync\",\r\n \"ffmpeg\", \"jq\", \"sed\", \"awk\", \"grep\", \"find\",\r\n];\r\n\r\nexport function validateMetadata(skill: ParsedSkill): Finding[] {\r\n const findings: Finding[] = [];\r\n const fm = skill.frontmatter;\r\n const pass = \"metadata-validator\";\r\n\r\n if (!fm.name) {\r\n findings.push({\r\n category: \"metadata\",\r\n severity: \"medium\",\r\n title: \"Missing skill name\",\r\n description: \"SKILL.md frontmatter does not declare a name.\",\r\n analysisPass: pass,\r\n fix: \"Add `name:` to the YAML frontmatter.\",\r\n });\r\n }\r\n\r\n if (!fm.description) {\r\n findings.push({\r\n category: \"metadata\",\r\n severity: \"medium\",\r\n title: \"Missing description\",\r\n description: \"SKILL.md frontmatter does not declare a description.\",\r\n analysisPass: pass,\r\n fix: \"Add `description:` to the YAML frontmatter.\",\r\n });\r\n } else if (fm.description.length < 10) {\r\n findings.push({\r\n category: \"metadata\",\r\n severity: \"low\",\r\n title: \"Vague description\",\r\n description: \"Skill description is suspiciously short.\",\r\n evidence: fm.description,\r\n analysisPass: pass,\r\n fix: \"Write a more detailed description (at least 10 characters).\",\r\n });\r\n }\r\n\r\n if (fm.version && !SEMVER_RE.test(fm.version)) {\r\n findings.push({\r\n category: \"metadata\",\r\n severity: \"low\",\r\n title: \"Invalid version format\",\r\n description: \"Version does not follow semver format.\",\r\n evidence: fm.version,\r\n analysisPass: pass,\r\n fix: \"Use semver format: `version: X.Y.Z` (e.g., `1.0.0`).\",\r\n });\r\n }\r\n\r\n const declaredBins = new Set(fm.metadata?.openclaw?.requires?.bins || []);\r\n\r\n for (const bin of KNOWN_BINS) {\r\n const binRe = new RegExp(`\\\\b${bin}\\\\b`, \"i\");\r\n if (binRe.test(skill.rawContent) && !declaredBins.has(bin)) {\r\n const usedInCode = skill.codeBlocks.some((cb) => binRe.test(cb.content));\r\n if (usedInCode) {\r\n findings.push({\r\n category: \"metadata\",\r\n severity: \"low\",\r\n title: `Undeclared binary: ${bin}`,\r\n description: `Skill uses '${bin}' in code but does not declare it in requires.bins.`,\r\n analysisPass: pass,\r\n fix: `Add '${bin}' to \\`metadata.openclaw.requires.bins\\` in frontmatter.`,\r\n });\r\n }\r\n }\r\n }\r\n\r\n const declaredEnv = new Set(fm.metadata?.openclaw?.requires?.env || []);\r\n const envRe = /\\$\\{?([A-Z][A-Z0-9_]+)\\}?/g;\r\n let match: RegExpExecArray | null;\r\n\r\n while ((match = envRe.exec(skill.rawContent)) !== null) {\r\n const envVar = match[1];\r\n if (!declaredEnv.has(envVar) && envVar.length > 2) {\r\n findings.push({\r\n category: \"metadata\",\r\n severity: \"low\",\r\n title: `Undeclared env var: ${envVar}`,\r\n description: `References environment variable $${envVar} but does not declare it in requires.env.`,\r\n evidence: match[0],\r\n analysisPass: pass,\r\n fix: `Add '${envVar}' to \\`metadata.openclaw.requires.env\\` in frontmatter.`,\r\n });\r\n }\r\n }\r\n\r\n return findings;\r\n}\r\n","import type { Finding, ParsedSkill } from \"../types.js\";\r\n\r\nconst NPX_AUTO_INSTALL_RE = /npx\\s+-y\\s+/gi;\r\nconst NPM_INSTALL_RE = /npm\\s+install\\s+(-g\\s+)?(\\S+)/gi;\r\n\r\nexport function checkDependencies(skill: ParsedSkill): Finding[] {\r\n const findings: Finding[] = [];\r\n const pass = \"dependency-checker\";\r\n\r\n let match: RegExpExecArray | null;\r\n const npxRe = new RegExp(NPX_AUTO_INSTALL_RE.source, NPX_AUTO_INSTALL_RE.flags);\r\n\r\n while ((match = npxRe.exec(skill.rawContent)) !== null) {\r\n const before = skill.rawContent.slice(0, match.index);\r\n const lineNumber = before.split(\"\\n\").length;\r\n\r\n findings.push({\r\n category: \"dependency_risk\",\r\n severity: \"medium\",\r\n title: \"npx auto-install (-y flag)\",\r\n description: \"Uses 'npx -y' which auto-installs packages without user confirmation.\",\r\n evidence: match[0],\r\n lineNumber,\r\n analysisPass: pass,\r\n fix: \"Remove the `-y` flag from npx to require user confirmation before installing.\",\r\n });\r\n }\r\n\r\n const npmRe = new RegExp(NPM_INSTALL_RE.source, NPM_INSTALL_RE.flags);\r\n while ((match = npmRe.exec(skill.rawContent)) !== null) {\r\n if (match[1]) {\r\n findings.push({\r\n category: \"dependency_risk\",\r\n severity: \"medium\",\r\n title: \"Global npm package install\",\r\n description: `Installs npm package globally: ${match[2]}`,\r\n evidence: match[0],\r\n analysisPass: pass,\r\n fix: \"Use a local install (`npm install` without `-g`) or declare the dependency in requires.bins.\",\r\n });\r\n }\r\n }\r\n\r\n return findings;\r\n}\r\n","import { distance } from \"fastest-levenshtein\";\r\nimport { POPULAR_SKILLS } from \"../patterns.js\";\r\nimport type { Finding } from \"../types.js\";\r\n\r\nconst MAX_EDIT_DISTANCE = 2;\r\n\r\nexport function detectTyposquats(skillName: string): Finding[] {\r\n if (!skillName) return [];\r\n\r\n const findings: Finding[] = [];\r\n const normalized = skillName.toLowerCase().trim();\r\n\r\n for (const popular of POPULAR_SKILLS) {\r\n if (normalized === popular) continue;\r\n\r\n const d = distance(normalized, popular);\r\n if (d > 0 && d <= MAX_EDIT_DISTANCE) {\r\n findings.push({\r\n category: \"typosquatting\",\r\n severity: \"high\",\r\n title: `Possible typosquat of \"${popular}\"`,\r\n description: `Skill name \"${skillName}\" is ${d} edit(s) away from popular skill \"${popular}\". This may be an attempt to impersonate a trusted skill.`,\r\n evidence: `\"${skillName}\" ≈ \"${popular}\" (distance: ${d})`,\r\n analysisPass: \"typosquat-detector\",\r\n });\r\n }\r\n }\r\n\r\n const patterns = [\r\n { re: /-{2,}/, desc: \"extra hyphens\" },\r\n { re: /(.)\\1{2,}/, desc: \"repeated characters\" },\r\n ];\r\n\r\n for (const p of patterns) {\r\n if (p.re.test(normalized) && !POPULAR_SKILLS.includes(normalized)) {\r\n findings.push({\r\n category: \"typosquatting\",\r\n severity: \"medium\",\r\n title: `Suspicious naming pattern: ${p.desc}`,\r\n description: `Skill name \"${skillName}\" has ${p.desc}, which is a common typosquatting technique.`,\r\n analysisPass: \"typosquat-detector\",\r\n });\r\n }\r\n }\r\n\r\n return findings;\r\n}\r\n","import type { Finding, FindingsCount, RiskGrade } from \"../types.js\";\r\n\r\nconst SEVERITY_WEIGHTS = {\r\n critical: 30,\r\n high: 15,\r\n medium: 7,\r\n low: 3,\r\n} as const;\r\n\r\nexport function calculateRiskScore(findings: Finding[]): number {\r\n let score = 0;\r\n for (const f of findings) {\r\n score += SEVERITY_WEIGHTS[f.severity] * (f.confidence ?? 1.0);\r\n }\r\n return Math.min(score, 100);\r\n}\r\n\r\nexport function getRiskGrade(score: number): RiskGrade {\r\n if (score <= 10) return \"A\";\r\n if (score <= 25) return \"B\";\r\n if (score <= 50) return \"C\";\r\n if (score <= 75) return \"D\";\r\n return \"F\";\r\n}\r\n\r\nexport function countFindings(findings: Finding[]): FindingsCount {\r\n const counts: FindingsCount = { critical: 0, high: 0, medium: 0, low: 0 };\r\n for (const f of findings) {\r\n counts[f.severity]++;\r\n }\r\n return counts;\r\n}\r\n","import { createHash } from \"node:crypto\";\r\nimport type { ScanResult } from \"../types.js\";\r\n\r\nconst MAX_ENTRIES = 100;\r\nconst cache = new Map<string, ScanResult>();\r\n\r\nfunction hashContent(content: string): string {\r\n return createHash(\"sha256\").update(content).digest(\"hex\");\r\n}\r\n\r\nexport function getCached(content: string): ScanResult | undefined {\r\n const key = hashContent(content);\r\n const result = cache.get(key);\r\n if (result) {\r\n // Move to end (most recently used)\r\n cache.delete(key);\r\n cache.set(key, result);\r\n }\r\n return result;\r\n}\r\n\r\nexport function setCached(content: string, result: ScanResult): void {\r\n const key = hashContent(content);\r\n if (cache.has(key)) {\r\n cache.delete(key);\r\n } else if (cache.size >= MAX_ENTRIES) {\r\n // Evict oldest (first entry)\r\n const oldest = cache.keys().next().value!;\r\n cache.delete(oldest);\r\n }\r\n cache.set(key, result);\r\n}\r\n","import type { Finding, ScanResult } from \"../types.js\";\r\nimport { parseSkill } from \"./skill-parser.js\";\r\nimport { runStaticAnalysis } from \"./static-analysis.js\";\r\nimport { validateMetadata } from \"./metadata-validator.js\";\r\nimport { checkDependencies } from \"./dependency-checker.js\";\r\nimport { detectTyposquats } from \"./typosquat-detector.js\";\r\nimport { calculateRiskScore, getRiskGrade, countFindings } from \"./risk-scorer.js\";\r\nimport { getCached, setCached } from \"./cache.js\";\r\n\r\nexport interface ScanOptions {\r\n semantic?: boolean;\r\n semanticAnalyzer?: (content: string) => Promise<Finding[]>;\r\n ignorePatterns?: string[];\r\n skipCache?: boolean;\r\n}\r\n\r\nexport async function scanSkill(\r\n content: string,\r\n options: ScanOptions = {}\r\n): Promise<ScanResult> {\r\n if (!options.skipCache) {\r\n const cached = getCached(content);\r\n if (cached) {\r\n return { ...cached, cached: true };\r\n }\r\n }\r\n\r\n const skill = parseSkill(content);\r\n const allFindings: Finding[] = [];\r\n\r\n allFindings.push(...runStaticAnalysis(skill));\r\n allFindings.push(...validateMetadata(skill));\r\n\r\n if (options.semantic && options.semanticAnalyzer) {\r\n const semanticFindings = await options.semanticAnalyzer(content);\r\n allFindings.push(...semanticFindings);\r\n }\r\n\r\n allFindings.push(...checkDependencies(skill));\r\n\r\n if (skill.frontmatter.name) {\r\n allFindings.push(...detectTyposquats(skill.frontmatter.name));\r\n }\r\n\r\n // Filter out ignored patterns\r\n const filteredFindings = options.ignorePatterns?.length\r\n ? allFindings.filter(\r\n (f) => !options.ignorePatterns!.some((ig) => f.title === ig || f.category === ig)\r\n )\r\n : allFindings;\r\n\r\n const riskScore = calculateRiskScore(filteredFindings);\r\n const riskGrade = getRiskGrade(riskScore);\r\n const findingsCount = countFindings(filteredFindings);\r\n\r\n const recommendation =\r\n riskScore >= 76 ? \"block\" : riskScore >= 26 ? \"warn\" : \"approve\";\r\n\r\n const result: ScanResult = {\r\n skillName: skill.frontmatter.name || \"unknown\",\r\n skillVersion: skill.frontmatter.version,\r\n skillSource: \"local\",\r\n status: \"complete\",\r\n riskScore,\r\n riskGrade,\r\n findingsCount,\r\n findings: filteredFindings,\r\n recommendation,\r\n };\r\n\r\n if (!options.skipCache) {\r\n setCached(content, result);\r\n }\r\n\r\n return result;\r\n}\r\n\r\nexport { parseSkill } from \"./skill-parser.js\";\r\nexport { runStaticAnalysis } from \"./static-analysis.js\";\r\nexport { validateMetadata } from \"./metadata-validator.js\";\r\nexport { checkDependencies } from \"./dependency-checker.js\";\r\nexport { detectTyposquats } from \"./typosquat-detector.js\";\r\nexport { calculateRiskScore, getRiskGrade, countFindings } from \"./risk-scorer.js\";\r\n","import chalk from \"chalk\";\r\nimport type { ScanResult, Finding, Severity } from \"@clawvet/shared\";\r\n\r\nconst SEVERITY_COLORS: Record<Severity, (s: string) => string> = {\r\n critical: chalk.bgRed.white.bold,\r\n high: chalk.red.bold,\r\n medium: chalk.yellow,\r\n low: chalk.blue,\r\n};\r\n\r\nconst GRADE_COLORS: Record<string, (s: string) => string> = {\r\n A: chalk.green.bold,\r\n B: chalk.greenBright,\r\n C: chalk.yellow.bold,\r\n D: chalk.redBright.bold,\r\n F: chalk.bgRed.white.bold,\r\n};\r\n\r\nexport function printScanResult(result: ScanResult): void {\r\n console.log();\r\n console.log(chalk.bold(\"━\".repeat(60)));\r\n console.log(chalk.bold(\" ClawVet Scan Report\"));\r\n console.log(chalk.bold(\"━\".repeat(60)));\r\n console.log();\r\n\r\n console.log(` Skill: ${chalk.bold(result.skillName)}`);\r\n if (result.skillVersion) {\r\n console.log(` Version: ${result.skillVersion}`);\r\n }\r\n console.log();\r\n\r\n // Risk score\r\n const gradeColor = GRADE_COLORS[result.riskGrade] || chalk.white;\r\n console.log(\r\n ` Risk Score: ${gradeColor(`${result.riskScore}/100`)} Grade: ${gradeColor(result.riskGrade)}`\r\n );\r\n console.log();\r\n\r\n // Findings summary\r\n const fc = result.findingsCount;\r\n console.log(\" Findings:\");\r\n if (fc.critical)\r\n console.log(\r\n ` ${SEVERITY_COLORS.critical(` CRITICAL `)} ${fc.critical}`\r\n );\r\n if (fc.high)\r\n console.log(` ${SEVERITY_COLORS.high(\"HIGH\")} ${fc.high}`);\r\n if (fc.medium)\r\n console.log(` ${SEVERITY_COLORS.medium(\"MEDIUM\")} ${fc.medium}`);\r\n if (fc.low) console.log(` ${SEVERITY_COLORS.low(\"LOW\")} ${fc.low}`);\r\n if (!fc.critical && !fc.high && !fc.medium && !fc.low) {\r\n console.log(` ${chalk.green(\"No findings — skill looks clean!\")}`);\r\n }\r\n console.log();\r\n\r\n // Detailed findings\r\n if (result.findings.length > 0) {\r\n console.log(chalk.bold(\" Details:\"));\r\n console.log();\r\n for (const f of result.findings) {\r\n const color = SEVERITY_COLORS[f.severity];\r\n const confStr = f.confidence != null ? ` ${Math.round(f.confidence * 100)}%` : \"\";\r\n console.log(` ${color(`[${f.severity.toUpperCase()}${confStr}]`)} ${f.title}`);\r\n console.log(` ${chalk.dim(f.description)}`);\r\n if (f.evidence) {\r\n console.log(` Evidence: ${chalk.italic(f.evidence)}`);\r\n }\r\n if (f.lineNumber) {\r\n console.log(` Line: ${f.lineNumber}`);\r\n }\r\n if (f.fix) {\r\n console.log(` Fix: ${chalk.green(f.fix)}`);\r\n }\r\n console.log();\r\n }\r\n }\r\n\r\n // Recommendation\r\n const recColors: Record<string, (s: string) => string> = {\r\n block: chalk.bgRed.white.bold,\r\n warn: chalk.bgYellow.black.bold,\r\n approve: chalk.bgGreen.black.bold,\r\n };\r\n const rec = result.recommendation || \"approve\";\r\n console.log(\r\n ` Recommendation: ${(recColors[rec] || chalk.white)(` ${rec.toUpperCase()} `)}`\r\n );\r\n console.log();\r\n console.log(chalk.bold(\"━\".repeat(60)));\r\n console.log();\r\n}\r\n","import type { ScanResult } from \"@clawvet/shared\";\r\n\r\nexport function printJsonResult(result: ScanResult): void {\r\n console.log(JSON.stringify(result, null, 2));\r\n}\r\n","import type { ScanResult, Finding, Severity } from \"@clawvet/shared\";\r\n\r\nconst SEVERITY_TO_SARIF: Record<Severity, string> = {\r\n critical: \"error\",\r\n high: \"error\",\r\n medium: \"warning\",\r\n low: \"note\",\r\n};\r\n\r\nconst SEVERITY_TO_LEVEL: Record<Severity, string> = {\r\n critical: \"9.0\",\r\n high: \"7.0\",\r\n medium: \"4.0\",\r\n low: \"1.0\",\r\n};\r\n\r\nexport function printSarifResult(result: ScanResult): void {\r\n const rules = new Map<string, { id: string; finding: Finding }>();\r\n\r\n for (const f of result.findings) {\r\n const ruleId = f.category + \"/\" + f.title.toLowerCase().replace(/[^a-z0-9]+/g, \"-\");\r\n if (!rules.has(ruleId)) {\r\n rules.set(ruleId, { id: ruleId, finding: f });\r\n }\r\n }\r\n\r\n const sarif = {\r\n $schema: \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\r\n version: \"2.1.0\",\r\n runs: [\r\n {\r\n tool: {\r\n driver: {\r\n name: \"clawvet\",\r\n informationUri: \"https://github.com/clawvet/clawvet\",\r\n rules: [...rules.values()].map((r) => ({\r\n id: r.id,\r\n shortDescription: { text: r.finding.title },\r\n fullDescription: { text: r.finding.description },\r\n defaultConfiguration: {\r\n level: SEVERITY_TO_SARIF[r.finding.severity],\r\n },\r\n properties: {\r\n security_severity: SEVERITY_TO_LEVEL[r.finding.severity],\r\n },\r\n })),\r\n },\r\n },\r\n results: result.findings.map((f) => {\r\n const ruleId = f.category + \"/\" + f.title.toLowerCase().replace(/[^a-z0-9]+/g, \"-\");\r\n return {\r\n ruleId,\r\n level: SEVERITY_TO_SARIF[f.severity],\r\n message: {\r\n text: f.description + (f.evidence ? ` Evidence: ${f.evidence}` : \"\"),\r\n ...(f.fix ? { markdown: `${f.description}\\n\\n**Fix:** ${f.fix}` } : {}),\r\n },\r\n locations: [\r\n {\r\n physicalLocation: {\r\n artifactLocation: { uri: \"SKILL.md\" },\r\n region: { startLine: f.lineNumber ?? 1 },\r\n },\r\n },\r\n ],\r\n };\r\n }),\r\n },\r\n ],\r\n };\r\n\r\n console.log(JSON.stringify(sarif, null, 2));\r\n}\r\n","import { readFileSync, writeFileSync, mkdirSync, existsSync } from \"node:fs\";\r\nimport { join } from \"node:path\";\r\nimport { homedir, platform, release } from \"node:os\";\r\nimport { randomUUID } from \"node:crypto\";\r\nimport type { ScanResult } from \"@clawvet/shared\";\r\n\r\nconst CONFIG_DIR = join(homedir(), \".clawvet\");\r\nconst CONFIG_FILE = join(CONFIG_DIR, \"config.json\");\r\nconst TELEMETRY_ENDPOINT = \"https://api.clawvet.dev/v1/telemetry\";\r\n\r\ninterface Config {\r\n telemetry?: \"on\" | \"off\" | undefined; // undefined = not yet asked\r\n deviceId?: string;\r\n scanCount?: number;\r\n}\r\n\r\nfunction loadConfig(): Config {\r\n try {\r\n if (existsSync(CONFIG_FILE)) {\r\n return JSON.parse(readFileSync(CONFIG_FILE, \"utf-8\"));\r\n }\r\n } catch {\r\n // corrupted config, start fresh\r\n }\r\n return {};\r\n}\r\n\r\nfunction saveConfig(config: Config): void {\r\n try {\r\n mkdirSync(CONFIG_DIR, { recursive: true });\r\n writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2));\r\n } catch {\r\n // non-critical, ignore\r\n }\r\n}\r\n\r\nexport function isTelemetryEnabled(): boolean {\r\n const env = process.env.CLAWVET_TELEMETRY;\r\n if (env === \"0\" || env === \"off\") return false;\r\n if (env === \"1\" || env === \"on\") return true;\r\n const config = loadConfig();\r\n return config.telemetry === \"on\";\r\n}\r\n\r\nexport function setTelemetry(enabled: boolean): void {\r\n const config = loadConfig();\r\n config.telemetry = enabled ? \"on\" : \"off\";\r\n saveConfig(config);\r\n}\r\n\r\nexport function hasBeenAsked(): boolean {\r\n const config = loadConfig();\r\n return config.telemetry !== undefined;\r\n}\r\n\r\nfunction getDeviceId(): string {\r\n const config = loadConfig();\r\n if (!config.deviceId) {\r\n config.deviceId = randomUUID();\r\n saveConfig(config);\r\n }\r\n return config.deviceId;\r\n}\r\n\r\nfunction incrementScanCount(): number {\r\n const config = loadConfig();\r\n config.scanCount = (config.scanCount || 0) + 1;\r\n saveConfig(config);\r\n return config.scanCount;\r\n}\r\n\r\nexport function sendTelemetry(result: ScanResult): void {\r\n if (!isTelemetryEnabled()) return;\r\n\r\n const scanCount = incrementScanCount();\r\n\r\n const payload = {\r\n deviceId: getDeviceId(),\r\n scanCount,\r\n ts: new Date().toISOString(),\r\n os: platform(),\r\n osVersion: release(),\r\n skillName: result.skillName,\r\n riskScore: result.riskScore,\r\n riskGrade: result.riskGrade,\r\n findingsCount: result.findingsCount,\r\n cached: result.cached ?? false,\r\n };\r\n\r\n // Fire-and-forget — never block the CLI\r\n fetch(TELEMETRY_ENDPOINT, {\r\n method: \"POST\",\r\n headers: { \"Content-Type\": \"application/json\" },\r\n body: JSON.stringify(payload),\r\n signal: AbortSignal.timeout(3000),\r\n }).catch(() => {\r\n // silently ignore — telemetry is best-effort\r\n });\r\n}\r\n","import { readdirSync, existsSync, readFileSync } from \"node:fs\";\r\nimport { join } from \"node:path\";\r\nimport { homedir } from \"node:os\";\r\nimport { scanSkill } from \"@clawvet/shared\";\r\nimport { printScanResult } from \"../output/terminal.js\";\r\nimport chalk from \"chalk\";\r\n\r\nconst DEFAULT_SKILL_DIRS = [\r\n join(homedir(), \".openclaw\", \"skills\"),\r\n join(homedir(), \".openclaw\", \"workspace\", \"skills\"),\r\n];\r\n\r\nexport async function auditCommand(options: { dir?: string } = {}): Promise<void> {\r\n const SKILL_DIRS = options.dir ? [options.dir] : DEFAULT_SKILL_DIRS;\r\n console.log(chalk.bold(\"\\nClawVet Audit — Scanning all installed skills\\n\"));\r\n\r\n let totalScanned = 0;\r\n let totalThreats = 0;\r\n\r\n for (const dir of SKILL_DIRS) {\r\n if (!existsSync(dir)) {\r\n if (options.dir) {\r\n console.error(chalk.yellow(`Warning: Directory not found: ${dir}\\n`));\r\n process.exit(1);\r\n }\r\n continue;\r\n }\r\n\r\n // If the dir itself contains a SKILL.md, scan it directly\r\n const directSkillFile = join(dir, \"SKILL.md\");\r\n if (existsSync(directSkillFile)) {\r\n const content = readFileSync(directSkillFile, \"utf-8\");\r\n const result = await scanSkill(content);\r\n totalScanned++;\r\n totalThreats += result.findings.length;\r\n printScanResult(result);\r\n continue;\r\n }\r\n\r\n const entries = readdirSync(dir, { withFileTypes: true });\r\n for (const entry of entries) {\r\n if (!entry.isDirectory()) continue;\r\n const skillFile = join(dir, entry.name, \"SKILL.md\");\r\n if (!existsSync(skillFile)) continue;\r\n\r\n const content = readFileSync(skillFile, \"utf-8\");\r\n const result = await scanSkill(content);\r\n totalScanned++;\r\n totalThreats += result.findings.length;\r\n\r\n printScanResult(result);\r\n }\r\n }\r\n\r\n console.log(chalk.bold(`\\nAudit complete: ${totalScanned} skills scanned, ${totalThreats} findings\\n`));\r\n}\r\n","import { readFileSync, existsSync, watch } from \"node:fs\";\r\nimport { join } from \"node:path\";\r\nimport { homedir } from \"node:os\";\r\nimport chalk from \"chalk\";\r\nimport { scanSkill } from \"@clawvet/shared\";\r\nimport { printScanResult } from \"../output/terminal.js\";\r\n\r\nconst DEFAULT_SKILL_DIRS = [\r\n join(homedir(), \".openclaw\", \"skills\"),\r\n join(homedir(), \".openclaw\", \"workspace\", \"skills\"),\r\n];\r\n\r\nexport async function watchCommand(options: {\r\n threshold?: number;\r\n dir?: string;\r\n}): Promise<void> {\r\n const threshold = options.threshold || 50;\r\n const SKILL_DIRS = options.dir ? [options.dir] : DEFAULT_SKILL_DIRS;\r\n console.log(\r\n chalk.bold(\r\n `\\nClawVet Watch — monitoring skill directories (threshold: ${threshold})\\n`\r\n )\r\n );\r\n\r\n const watchDirs: string[] = [];\r\n for (const dir of SKILL_DIRS) {\r\n if (existsSync(dir)) {\r\n watchDirs.push(dir);\r\n }\r\n }\r\n\r\n if (watchDirs.length === 0) {\r\n console.log(\r\n chalk.yellow(\r\n \"No OpenClaw skill directories found. Watching will start when directories are created.\\n\"\r\n )\r\n );\r\n console.log(chalk.dim(\"Expected directories:\"));\r\n for (const dir of SKILL_DIRS) {\r\n console.log(chalk.dim(` ${dir}`));\r\n }\r\n console.log();\r\n process.exit(1);\r\n }\r\n\r\n console.log(chalk.dim(\"Watching:\"));\r\n for (const dir of watchDirs) {\r\n console.log(chalk.dim(` ${dir}`));\r\n }\r\n console.log();\r\n\r\n for (const dir of watchDirs) {\r\n const watcher = watch(dir, { recursive: true }, async (event, filename) => {\r\n if (!filename?.endsWith(\"SKILL.md\")) return;\r\n\r\n const skillFile = join(dir, filename);\r\n if (!existsSync(skillFile)) return;\r\n\r\n console.log(chalk.dim(`\\nDetected change: ${filename}`));\r\n\r\n try {\r\n const content = readFileSync(skillFile, \"utf-8\");\r\n const result = await scanSkill(content);\r\n\r\n if (result.cached) {\r\n console.log(chalk.dim(\"(cached)\"));\r\n }\r\n printScanResult(result);\r\n\r\n if (result.riskScore > threshold) {\r\n console.log(\r\n chalk.bgRed.white.bold(\r\n ` BLOCKED — Risk score ${result.riskScore} exceeds threshold ${threshold} `\r\n )\r\n );\r\n console.log(\r\n chalk.red(\r\n `This skill should not be installed. Run 'clawvet scan ${skillFile}' for details.\\n`\r\n )\r\n );\r\n }\r\n } catch (err) {\r\n console.error(chalk.red(`Error scanning ${filename}:`), err);\r\n }\r\n });\r\n\r\n process.on(\"SIGINT\", () => {\r\n watcher.close();\r\n console.log(chalk.dim(\"\\nWatch stopped.\"));\r\n process.exit(0);\r\n });\r\n }\r\n\r\n console.log(chalk.dim(\"Press Ctrl+C to stop watching.\\n\"));\r\n await new Promise(() => {});\r\n}\r\n"],"mappings":";;;AAAA,SAAS,eAAe;;;ACAxB,SAAS,gBAAAA,eAAc,cAAAC,aAAY,gBAAgB;AACnD,SAAS,SAAS,QAAAC,aAAY;AAC9B,OAAOC,YAAW;;;ACAX,IAAM,kBAAmC;AAAA;AAAA;AAAA;AAAA,EAI9C;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AACF;AAEO,IAAM,iBAAiB;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;;;AC3lBA,SAAS,SAAS,iBAAiB;AAGnC,IAAM,iBAAiB;AACvB,IAAM,gBAAgB;AACtB,IAAM,SAAS;AACf,IAAM,QAAQ;AACd,IAAM,YAAY;AAEX,SAAS,WAAW,SAA8B;AACvD,MAAI,cAAgC,CAAC;AACrC,MAAI,OAAO;AAEX,QAAM,UAAU,QAAQ,MAAM,cAAc;AAC5C,MAAI,SAAS;AACX,QAAI;AACF,oBAAc,UAAU,QAAQ,CAAC,CAAC;AAAA,IACpC,QAAQ;AACN,oBAAc,CAAC;AAAA,IACjB;AACA,WAAO,QAAQ,MAAM,QAAQ,CAAC,EAAE,MAAM,EAAE,KAAK;AAAA,EAC/C;AAEA,QAAM,aAA0B,CAAC;AACjC,MAAI;AACJ,QAAM,OAAO,IAAI,OAAO,cAAc,QAAQ,cAAc,KAAK;AAEjE,UAAQ,QAAQ,KAAK,KAAK,OAAO,OAAO,MAAM;AAC5C,UAAM,SAAS,QAAQ,MAAM,GAAG,MAAM,KAAK;AAC3C,UAAM,YAAY,OAAO,MAAM,IAAI,EAAE;AACrC,UAAM,aAAa,MAAM,CAAC,EAAE,MAAM,IAAI,EAAE;AACxC,eAAW,KAAK;AAAA,MACd,UAAU,MAAM,CAAC,KAAK;AAAA,MACtB,SAAS,MAAM,CAAC;AAAA,MAChB;AAAA,MACA,SAAS,YAAY,aAAa;AAAA,IACpC,CAAC;AAAA,EACH;AAEA,QAAM,OAAO,CAAC,GAAG,IAAI,IAAI,QAAQ,MAAM,MAAM,KAAK,CAAC,CAAC,CAAC;AACrD,QAAM,cAAc,CAAC,GAAG,IAAI,IAAI,QAAQ,MAAM,KAAK,KAAK,CAAC,CAAC,CAAC;AAC3D,QAAM,UAAU,CAAC,GAAG,IAAI,IAAI,QAAQ,MAAM,SAAS,KAAK,CAAC,CAAC,CAAC;AAE3D,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,YAAY;AAAA,EACd;AACF;;;ACjDA,SAAS,cAAc,YAAoB,OAA6B;AACtE,SAAO,MAAM,WAAW;AAAA,IACtB,CAAC,UAAU,cAAc,MAAM,aAAa,cAAc,MAAM;AAAA,EAClE;AACF;AAEA,SAAS,YAAY,YAAoB,YAA6B;AACpE,QAAM,QAAQ,WAAW,MAAM,IAAI;AACnC,QAAM,OAAO,MAAM,aAAa,CAAC,KAAK;AACtC,SAAO,eAAe,KAAK,IAAI;AACjC;AAEA,IAAM,kBAA4C;AAAA,EAChD,UAAU;AAAA,EACV,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,KAAK;AACP;AAEO,SAAS,kBAAkB,OAA+B;AAC/D,QAAM,WAAsB,CAAC;AAE7B,aAAW,UAAU,iBAAiB;AACpC,UAAM,KAAK,IAAI,OAAO,OAAO,QAAQ,QAAQ,OAAO,QAAQ,KAAK;AACjE,QAAI;AAEJ,YAAQ,QAAQ,GAAG,KAAK,MAAM,UAAU,OAAO,MAAM;AACnD,YAAM,SAAS,MAAM,WAAW,MAAM,GAAG,MAAM,KAAK;AACpD,YAAM,aAAa,OAAO,MAAM,IAAI,EAAE;AAEtC,UAAI,OAAO,YAAY,CAAC,cAAc,YAAY,KAAK,GAAG;AACxD;AAAA,MACF;AAEA,YAAM,SAAS,cAAc,YAAY,KAAK;AAC9C,YAAM,YAAY,YAAY,YAAY,MAAM,UAAU;AAE1D,UAAI;AACJ,UAAI,UAAU,OAAO,UAAU;AAC7B,4BAAoB;AAAA,MACtB,WAAW,QAAQ;AACjB,4BAAoB;AAAA,MACtB,WAAW,WAAW;AACpB,4BAAoB;AAAA,MACtB,WAAW,OAAO,UAAU;AAE1B,4BAAoB;AAAA,MACtB,OAAO;AAEL,4BAAoB;AAAA,MACtB;AAEA,YAAM,iBAAiB,gBAAgB,OAAO,QAAQ;AACtD,YAAM,aAAa,KAAK,IAAI,GAAK,iBAAiB,iBAAiB;AAEnE,eAAS,KAAK;AAAA,QACZ,UAAU,OAAO;AAAA,QACjB,UAAU,OAAO;AAAA,QACjB,OAAO,OAAO;AAAA,QACd,aAAa,OAAO;AAAA,QACpB,UAAU,MAAM,CAAC;AAAA,QACjB;AAAA,QACA,cAAc;AAAA,QACd,YAAY,KAAK,MAAM,aAAa,GAAG,IAAI;AAAA,QAC3C,KAAK,OAAO;AAAA,MACd,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;;;ACvEA,IAAM,YAAY;AAElB,IAAM,aAAa;AAAA,EACjB;AAAA,EAAQ;AAAA,EAAQ;AAAA,EAAO;AAAA,EAAU;AAAA,EAAW;AAAA,EAAQ;AAAA,EAAO;AAAA,EAC3D;AAAA,EAAQ;AAAA,EAAO;AAAA,EAAO;AAAA,EAAU;AAAA,EAAW;AAAA,EAAO;AAAA,EAAO;AAAA,EACzD;AAAA,EAAU;AAAA,EAAM;AAAA,EAAO;AAAA,EAAO;AAAA,EAAQ;AACxC;AAEO,SAAS,iBAAiB,OAA+B;AAC9D,QAAM,WAAsB,CAAC;AAC7B,QAAM,KAAK,MAAM;AACjB,QAAM,OAAO;AAEb,MAAI,CAAC,GAAG,MAAM;AACZ,aAAS,KAAK;AAAA,MACZ,UAAU;AAAA,MACV,UAAU;AAAA,MACV,OAAO;AAAA,MACP,aAAa;AAAA,MACb,cAAc;AAAA,MACd,KAAK;AAAA,IACP,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,GAAG,aAAa;AACnB,aAAS,KAAK;AAAA,MACZ,UAAU;AAAA,MACV,UAAU;AAAA,MACV,OAAO;AAAA,MACP,aAAa;AAAA,MACb,cAAc;AAAA,MACd,KAAK;AAAA,IACP,CAAC;AAAA,EACH,WAAW,GAAG,YAAY,SAAS,IAAI;AACrC,aAAS,KAAK;AAAA,MACZ,UAAU;AAAA,MACV,UAAU;AAAA,MACV,OAAO;AAAA,MACP,aAAa;AAAA,MACb,UAAU,GAAG;AAAA,MACb,cAAc;AAAA,MACd,KAAK;AAAA,IACP,CAAC;AAAA,EACH;AAEA,MAAI,GAAG,WAAW,CAAC,UAAU,KAAK,GAAG,OAAO,GAAG;AAC7C,aAAS,KAAK;AAAA,MACZ,UAAU;AAAA,MACV,UAAU;AAAA,MACV,OAAO;AAAA,MACP,aAAa;AAAA,MACb,UAAU,GAAG;AAAA,MACb,cAAc;AAAA,MACd,KAAK;AAAA,IACP,CAAC;AAAA,EACH;AAEA,QAAM,eAAe,IAAI,IAAI,GAAG,UAAU,UAAU,UAAU,QAAQ,CAAC,CAAC;AAExE,aAAW,OAAO,YAAY;AAC5B,UAAM,QAAQ,IAAI,OAAO,MAAM,GAAG,OAAO,GAAG;AAC5C,QAAI,MAAM,KAAK,MAAM,UAAU,KAAK,CAAC,aAAa,IAAI,GAAG,GAAG;AAC1D,YAAM,aAAa,MAAM,WAAW,KAAK,CAAC,OAAO,MAAM,KAAK,GAAG,OAAO,CAAC;AACvE,UAAI,YAAY;AACd,iBAAS,KAAK;AAAA,UACZ,UAAU;AAAA,UACV,UAAU;AAAA,UACV,OAAO,sBAAsB,GAAG;AAAA,UAChC,aAAa,eAAe,GAAG;AAAA,UAC/B,cAAc;AAAA,UACd,KAAK,QAAQ,GAAG;AAAA,QAClB,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,QAAM,cAAc,IAAI,IAAI,GAAG,UAAU,UAAU,UAAU,OAAO,CAAC,CAAC;AACtE,QAAM,QAAQ;AACd,MAAI;AAEJ,UAAQ,QAAQ,MAAM,KAAK,MAAM,UAAU,OAAO,MAAM;AACtD,UAAM,SAAS,MAAM,CAAC;AACtB,QAAI,CAAC,YAAY,IAAI,MAAM,KAAK,OAAO,SAAS,GAAG;AACjD,eAAS,KAAK;AAAA,QACZ,UAAU;AAAA,QACV,UAAU;AAAA,QACV,OAAO,uBAAuB,MAAM;AAAA,QACpC,aAAa,oCAAoC,MAAM;AAAA,QACvD,UAAU,MAAM,CAAC;AAAA,QACjB,cAAc;AAAA,QACd,KAAK,QAAQ,MAAM;AAAA,MACrB,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;;;AChGA,IAAM,sBAAsB;AAC5B,IAAM,iBAAiB;AAEhB,SAAS,kBAAkB,OAA+B;AAC/D,QAAM,WAAsB,CAAC;AAC7B,QAAM,OAAO;AAEb,MAAI;AACJ,QAAM,QAAQ,IAAI,OAAO,oBAAoB,QAAQ,oBAAoB,KAAK;AAE9E,UAAQ,QAAQ,MAAM,KAAK,MAAM,UAAU,OAAO,MAAM;AACtD,UAAM,SAAS,MAAM,WAAW,MAAM,GAAG,MAAM,KAAK;AACpD,UAAM,aAAa,OAAO,MAAM,IAAI,EAAE;AAEtC,aAAS,KAAK;AAAA,MACZ,UAAU;AAAA,MACV,UAAU;AAAA,MACV,OAAO;AAAA,MACP,aAAa;AAAA,MACb,UAAU,MAAM,CAAC;AAAA,MACjB;AAAA,MACA,cAAc;AAAA,MACd,KAAK;AAAA,IACP,CAAC;AAAA,EACH;AAEA,QAAM,QAAQ,IAAI,OAAO,eAAe,QAAQ,eAAe,KAAK;AACpE,UAAQ,QAAQ,MAAM,KAAK,MAAM,UAAU,OAAO,MAAM;AACtD,QAAI,MAAM,CAAC,GAAG;AACZ,eAAS,KAAK;AAAA,QACZ,UAAU;AAAA,QACV,UAAU;AAAA,QACV,OAAO;AAAA,QACP,aAAa,kCAAkC,MAAM,CAAC,CAAC;AAAA,QACvD,UAAU,MAAM,CAAC;AAAA,QACjB,cAAc;AAAA,QACd,KAAK;AAAA,MACP,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;;;AC5CA,SAAS,gBAAgB;AAIzB,IAAM,oBAAoB;AAEnB,SAAS,iBAAiB,WAA8B;AAC7D,MAAI,CAAC,UAAW,QAAO,CAAC;AAExB,QAAM,WAAsB,CAAC;AAC7B,QAAM,aAAa,UAAU,YAAY,EAAE,KAAK;AAEhD,aAAW,WAAW,gBAAgB;AACpC,QAAI,eAAe,QAAS;AAE5B,UAAM,IAAI,SAAS,YAAY,OAAO;AACtC,QAAI,IAAI,KAAK,KAAK,mBAAmB;AACnC,eAAS,KAAK;AAAA,QACZ,UAAU;AAAA,QACV,UAAU;AAAA,QACV,OAAO,0BAA0B,OAAO;AAAA,QACxC,aAAa,eAAe,SAAS,QAAQ,CAAC,qCAAqC,OAAO;AAAA,QAC1F,UAAU,IAAI,SAAS,aAAQ,OAAO,gBAAgB,CAAC;AAAA,QACvD,cAAc;AAAA,MAChB,CAAC;AAAA,IACH;AAAA,EACF;AAEA,QAAM,WAAW;AAAA,IACf,EAAE,IAAI,SAAS,MAAM,gBAAgB;AAAA,IACrC,EAAE,IAAI,aAAa,MAAM,sBAAsB;AAAA,EACjD;AAEA,aAAW,KAAK,UAAU;AACxB,QAAI,EAAE,GAAG,KAAK,UAAU,KAAK,CAAC,eAAe,SAAS,UAAU,GAAG;AACjE,eAAS,KAAK;AAAA,QACZ,UAAU;AAAA,QACV,UAAU;AAAA,QACV,OAAO,8BAA8B,EAAE,IAAI;AAAA,QAC3C,aAAa,eAAe,SAAS,SAAS,EAAE,IAAI;AAAA,QACpD,cAAc;AAAA,MAChB,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;;;AC5CA,IAAM,mBAAmB;AAAA,EACvB,UAAU;AAAA,EACV,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,KAAK;AACP;AAEO,SAAS,mBAAmB,UAA6B;AAC9D,MAAI,QAAQ;AACZ,aAAW,KAAK,UAAU;AACxB,aAAS,iBAAiB,EAAE,QAAQ,KAAK,EAAE,cAAc;AAAA,EAC3D;AACA,SAAO,KAAK,IAAI,OAAO,GAAG;AAC5B;AAEO,SAAS,aAAa,OAA0B;AACrD,MAAI,SAAS,GAAI,QAAO;AACxB,MAAI,SAAS,GAAI,QAAO;AACxB,MAAI,SAAS,GAAI,QAAO;AACxB,MAAI,SAAS,GAAI,QAAO;AACxB,SAAO;AACT;AAEO,SAAS,cAAc,UAAoC;AAChE,QAAM,SAAwB,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,EAAE;AACxE,aAAW,KAAK,UAAU;AACxB,WAAO,EAAE,QAAQ;AAAA,EACnB;AACA,SAAO;AACT;;;AC/BA,SAAS,kBAAkB;AAG3B,IAAM,cAAc;AACpB,IAAM,QAAQ,oBAAI,IAAwB;AAE1C,SAAS,YAAY,SAAyB;AAC5C,SAAO,WAAW,QAAQ,EAAE,OAAO,OAAO,EAAE,OAAO,KAAK;AAC1D;AAEO,SAAS,UAAU,SAAyC;AACjE,QAAM,MAAM,YAAY,OAAO;AAC/B,QAAM,SAAS,MAAM,IAAI,GAAG;AAC5B,MAAI,QAAQ;AAEV,UAAM,OAAO,GAAG;AAChB,UAAM,IAAI,KAAK,MAAM;AAAA,EACvB;AACA,SAAO;AACT;AAEO,SAAS,UAAU,SAAiB,QAA0B;AACnE,QAAM,MAAM,YAAY,OAAO;AAC/B,MAAI,MAAM,IAAI,GAAG,GAAG;AAClB,UAAM,OAAO,GAAG;AAAA,EAClB,WAAW,MAAM,QAAQ,aAAa;AAEpC,UAAM,SAAS,MAAM,KAAK,EAAE,KAAK,EAAE;AACnC,UAAM,OAAO,MAAM;AAAA,EACrB;AACA,QAAM,IAAI,KAAK,MAAM;AACvB;;;ACfA,eAAsB,UACpB,SACA,UAAuB,CAAC,GACH;AACrB,MAAI,CAAC,QAAQ,WAAW;AACtB,UAAM,SAAS,UAAU,OAAO;AAChC,QAAI,QAAQ;AACV,aAAO,EAAE,GAAG,QAAQ,QAAQ,KAAK;AAAA,IACnC;AAAA,EACF;AAEA,QAAM,QAAQ,WAAW,OAAO;AAChC,QAAM,cAAyB,CAAC;AAEhC,cAAY,KAAK,GAAG,kBAAkB,KAAK,CAAC;AAC5C,cAAY,KAAK,GAAG,iBAAiB,KAAK,CAAC;AAE3C,MAAI,QAAQ,YAAY,QAAQ,kBAAkB;AAChD,UAAM,mBAAmB,MAAM,QAAQ,iBAAiB,OAAO;AAC/D,gBAAY,KAAK,GAAG,gBAAgB;AAAA,EACtC;AAEA,cAAY,KAAK,GAAG,kBAAkB,KAAK,CAAC;AAE5C,MAAI,MAAM,YAAY,MAAM;AAC1B,gBAAY,KAAK,GAAG,iBAAiB,MAAM,YAAY,IAAI,CAAC;AAAA,EAC9D;AAGA,QAAM,mBAAmB,QAAQ,gBAAgB,SAC7C,YAAY;AAAA,IACV,CAAC,MAAM,CAAC,QAAQ,eAAgB,KAAK,CAAC,OAAO,EAAE,UAAU,MAAM,EAAE,aAAa,EAAE;AAAA,EAClF,IACA;AAEJ,QAAM,YAAY,mBAAmB,gBAAgB;AACrD,QAAM,YAAY,aAAa,SAAS;AACxC,QAAM,gBAAgB,cAAc,gBAAgB;AAEpD,QAAM,iBACJ,aAAa,KAAK,UAAU,aAAa,KAAK,SAAS;AAEzD,QAAM,SAAqB;AAAA,IACzB,WAAW,MAAM,YAAY,QAAQ;AAAA,IACrC,cAAc,MAAM,YAAY;AAAA,IAChC,aAAa;AAAA,IACb,QAAQ;AAAA,IACR;AAAA,IACA;AAAA,IACA;AAAA,IACA,UAAU;AAAA,IACV;AAAA,EACF;AAEA,MAAI,CAAC,QAAQ,WAAW;AACtB,cAAU,SAAS,MAAM;AAAA,EAC3B;AAEA,SAAO;AACT;;;AC3EA,OAAO,WAAW;AAGlB,IAAM,kBAA2D;AAAA,EAC/D,UAAU,MAAM,MAAM,MAAM;AAAA,EAC5B,MAAM,MAAM,IAAI;AAAA,EAChB,QAAQ,MAAM;AAAA,EACd,KAAK,MAAM;AACb;AAEA,IAAM,eAAsD;AAAA,EAC1D,GAAG,MAAM,MAAM;AAAA,EACf,GAAG,MAAM;AAAA,EACT,GAAG,MAAM,OAAO;AAAA,EAChB,GAAG,MAAM,UAAU;AAAA,EACnB,GAAG,MAAM,MAAM,MAAM;AACvB;AAEO,SAAS,gBAAgB,QAA0B;AACxD,UAAQ,IAAI;AACZ,UAAQ,IAAI,MAAM,KAAK,SAAI,OAAO,EAAE,CAAC,CAAC;AACtC,UAAQ,IAAI,MAAM,KAAK,uBAAuB,CAAC;AAC/C,UAAQ,IAAI,MAAM,KAAK,SAAI,OAAO,EAAE,CAAC,CAAC;AACtC,UAAQ,IAAI;AAEZ,UAAQ,IAAI,cAAc,MAAM,KAAK,OAAO,SAAS,CAAC,EAAE;AACxD,MAAI,OAAO,cAAc;AACvB,YAAQ,IAAI,cAAc,OAAO,YAAY,EAAE;AAAA,EACjD;AACA,UAAQ,IAAI;AAGZ,QAAM,aAAa,aAAa,OAAO,SAAS,KAAK,MAAM;AAC3D,UAAQ;AAAA,IACN,iBAAiB,WAAW,GAAG,OAAO,SAAS,MAAM,CAAC,YAAY,WAAW,OAAO,SAAS,CAAC;AAAA,EAChG;AACA,UAAQ,IAAI;AAGZ,QAAM,KAAK,OAAO;AAClB,UAAQ,IAAI,aAAa;AACzB,MAAI,GAAG;AACL,YAAQ;AAAA,MACN,OAAO,gBAAgB,SAAS,YAAY,CAAC,IAAI,GAAG,QAAQ;AAAA,IAC9D;AACF,MAAI,GAAG;AACL,YAAQ,IAAI,OAAO,gBAAgB,KAAK,MAAM,CAAC,QAAQ,GAAG,IAAI,EAAE;AAClE,MAAI,GAAG;AACL,YAAQ,IAAI,OAAO,gBAAgB,OAAO,QAAQ,CAAC,MAAM,GAAG,MAAM,EAAE;AACtE,MAAI,GAAG,IAAK,SAAQ,IAAI,OAAO,gBAAgB,IAAI,KAAK,CAAC,SAAS,GAAG,GAAG,EAAE;AAC1E,MAAI,CAAC,GAAG,YAAY,CAAC,GAAG,QAAQ,CAAC,GAAG,UAAU,CAAC,GAAG,KAAK;AACrD,YAAQ,IAAI,OAAO,MAAM,MAAM,uCAAkC,CAAC,EAAE;AAAA,EACtE;AACA,UAAQ,IAAI;AAGZ,MAAI,OAAO,SAAS,SAAS,GAAG;AAC9B,YAAQ,IAAI,MAAM,KAAK,YAAY,CAAC;AACpC,YAAQ,IAAI;AACZ,eAAW,KAAK,OAAO,UAAU;AAC/B,YAAM,QAAQ,gBAAgB,EAAE,QAAQ;AACxC,YAAM,UAAU,EAAE,cAAc,OAAO,IAAI,KAAK,MAAM,EAAE,aAAa,GAAG,CAAC,MAAM;AAC/E,cAAQ,IAAI,KAAK,MAAM,IAAI,EAAE,SAAS,YAAY,CAAC,GAAG,OAAO,GAAG,CAAC,IAAI,EAAE,KAAK,EAAE;AAC9E,cAAQ,IAAI,OAAO,MAAM,IAAI,EAAE,WAAW,CAAC,EAAE;AAC7C,UAAI,EAAE,UAAU;AACd,gBAAQ,IAAI,iBAAiB,MAAM,OAAO,EAAE,QAAQ,CAAC,EAAE;AAAA,MACzD;AACA,UAAI,EAAE,YAAY;AAChB,gBAAQ,IAAI,aAAa,EAAE,UAAU,EAAE;AAAA,MACzC;AACA,UAAI,EAAE,KAAK;AACT,gBAAQ,IAAI,YAAY,MAAM,MAAM,EAAE,GAAG,CAAC,EAAE;AAAA,MAC9C;AACA,cAAQ,IAAI;AAAA,IACd;AAAA,EACF;AAGA,QAAM,YAAmD;AAAA,IACvD,OAAO,MAAM,MAAM,MAAM;AAAA,IACzB,MAAM,MAAM,SAAS,MAAM;AAAA,IAC3B,SAAS,MAAM,QAAQ,MAAM;AAAA,EAC/B;AACA,QAAM,MAAM,OAAO,kBAAkB;AACrC,UAAQ;AAAA,IACN,sBAAsB,UAAU,GAAG,KAAK,MAAM,OAAO,IAAI,IAAI,YAAY,CAAC,GAAG,CAAC;AAAA,EAChF;AACA,UAAQ,IAAI;AACZ,UAAQ,IAAI,MAAM,KAAK,SAAI,OAAO,EAAE,CAAC,CAAC;AACtC,UAAQ,IAAI;AACd;;;ACxFO,SAAS,gBAAgB,QAA0B;AACxD,UAAQ,IAAI,KAAK,UAAU,QAAQ,MAAM,CAAC,CAAC;AAC7C;;;ACFA,IAAM,oBAA8C;AAAA,EAClD,UAAU;AAAA,EACV,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,KAAK;AACP;AAEA,IAAM,oBAA8C;AAAA,EAClD,UAAU;AAAA,EACV,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,KAAK;AACP;AAEO,SAAS,iBAAiB,QAA0B;AACzD,QAAM,QAAQ,oBAAI,IAA8C;AAEhE,aAAW,KAAK,OAAO,UAAU;AAC/B,UAAM,SAAS,EAAE,WAAW,MAAM,EAAE,MAAM,YAAY,EAAE,QAAQ,eAAe,GAAG;AAClF,QAAI,CAAC,MAAM,IAAI,MAAM,GAAG;AACtB,YAAM,IAAI,QAAQ,EAAE,IAAI,QAAQ,SAAS,EAAE,CAAC;AAAA,IAC9C;AAAA,EACF;AAEA,QAAM,QAAQ;AAAA,IACZ,SAAS;AAAA,IACT,SAAS;AAAA,IACT,MAAM;AAAA,MACJ;AAAA,QACE,MAAM;AAAA,UACJ,QAAQ;AAAA,YACN,MAAM;AAAA,YACN,gBAAgB;AAAA,YAChB,OAAO,CAAC,GAAG,MAAM,OAAO,CAAC,EAAE,IAAI,CAAC,OAAO;AAAA,cACrC,IAAI,EAAE;AAAA,cACN,kBAAkB,EAAE,MAAM,EAAE,QAAQ,MAAM;AAAA,cAC1C,iBAAiB,EAAE,MAAM,EAAE,QAAQ,YAAY;AAAA,cAC/C,sBAAsB;AAAA,gBACpB,OAAO,kBAAkB,EAAE,QAAQ,QAAQ;AAAA,cAC7C;AAAA,cACA,YAAY;AAAA,gBACV,mBAAmB,kBAAkB,EAAE,QAAQ,QAAQ;AAAA,cACzD;AAAA,YACF,EAAE;AAAA,UACJ;AAAA,QACF;AAAA,QACA,SAAS,OAAO,SAAS,IAAI,CAAC,MAAM;AAClC,gBAAM,SAAS,EAAE,WAAW,MAAM,EAAE,MAAM,YAAY,EAAE,QAAQ,eAAe,GAAG;AAClF,iBAAO;AAAA,YACL;AAAA,YACA,OAAO,kBAAkB,EAAE,QAAQ;AAAA,YACnC,SAAS;AAAA,cACP,MAAM,EAAE,eAAe,EAAE,WAAW,cAAc,EAAE,QAAQ,KAAK;AAAA,cACjE,GAAI,EAAE,MAAM,EAAE,UAAU,GAAG,EAAE,WAAW;AAAA;AAAA,WAAgB,EAAE,GAAG,GAAG,IAAI,CAAC;AAAA,YACvE;AAAA,YACA,WAAW;AAAA,cACT;AAAA,gBACE,kBAAkB;AAAA,kBAChB,kBAAkB,EAAE,KAAK,WAAW;AAAA,kBACpC,QAAQ,EAAE,WAAW,EAAE,cAAc,EAAE;AAAA,gBACzC;AAAA,cACF;AAAA,YACF;AAAA,UACF;AAAA,QACF,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,UAAQ,IAAI,KAAK,UAAU,OAAO,MAAM,CAAC,CAAC;AAC5C;;;ACxEA,SAAS,cAAc,eAAe,WAAW,kBAAkB;AACnE,SAAS,YAAY;AACrB,SAAS,SAAS,UAAU,eAAe;AAC3C,SAAS,kBAAkB;AAG3B,IAAM,aAAa,KAAK,QAAQ,GAAG,UAAU;AAC7C,IAAM,cAAc,KAAK,YAAY,aAAa;AAClD,IAAM,qBAAqB;AAQ3B,SAAS,aAAqB;AAC5B,MAAI;AACF,QAAI,WAAW,WAAW,GAAG;AAC3B,aAAO,KAAK,MAAM,aAAa,aAAa,OAAO,CAAC;AAAA,IACtD;AAAA,EACF,QAAQ;AAAA,EAER;AACA,SAAO,CAAC;AACV;AAEA,SAAS,WAAW,QAAsB;AACxC,MAAI;AACF,cAAU,YAAY,EAAE,WAAW,KAAK,CAAC;AACzC,kBAAc,aAAa,KAAK,UAAU,QAAQ,MAAM,CAAC,CAAC;AAAA,EAC5D,QAAQ;AAAA,EAER;AACF;AAEO,SAAS,qBAA8B;AAC5C,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,QAAQ,OAAO,QAAQ,MAAO,QAAO;AACzC,MAAI,QAAQ,OAAO,QAAQ,KAAM,QAAO;AACxC,QAAM,SAAS,WAAW;AAC1B,SAAO,OAAO,cAAc;AAC9B;AAEO,SAAS,aAAa,SAAwB;AACnD,QAAM,SAAS,WAAW;AAC1B,SAAO,YAAY,UAAU,OAAO;AACpC,aAAW,MAAM;AACnB;AAEO,SAAS,eAAwB;AACtC,QAAM,SAAS,WAAW;AAC1B,SAAO,OAAO,cAAc;AAC9B;AAEA,SAAS,cAAsB;AAC7B,QAAM,SAAS,WAAW;AAC1B,MAAI,CAAC,OAAO,UAAU;AACpB,WAAO,WAAW,WAAW;AAC7B,eAAW,MAAM;AAAA,EACnB;AACA,SAAO,OAAO;AAChB;AAEA,SAAS,qBAA6B;AACpC,QAAM,SAAS,WAAW;AAC1B,SAAO,aAAa,OAAO,aAAa,KAAK;AAC7C,aAAW,MAAM;AACjB,SAAO,OAAO;AAChB;AAEO,SAAS,cAAc,QAA0B;AACtD,MAAI,CAAC,mBAAmB,EAAG;AAE3B,QAAM,YAAY,mBAAmB;AAErC,QAAM,UAAU;AAAA,IACd,UAAU,YAAY;AAAA,IACtB;AAAA,IACA,KAAI,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC3B,IAAI,SAAS;AAAA,IACb,WAAW,QAAQ;AAAA,IACnB,WAAW,OAAO;AAAA,IAClB,WAAW,OAAO;AAAA,IAClB,WAAW,OAAO;AAAA,IAClB,eAAe,OAAO;AAAA,IACtB,QAAQ,OAAO,UAAU;AAAA,EAC3B;AAGA,QAAM,oBAAoB;AAAA,IACxB,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,IAC9C,MAAM,KAAK,UAAU,OAAO;AAAA,IAC5B,QAAQ,YAAY,QAAQ,GAAI;AAAA,EAClC,CAAC,EAAE,MAAM,MAAM;AAAA,EAEf,CAAC;AACH;;;AbjFA,eAAe,iBAAiB,MAA+B;AAC7D,QAAM,OAAO;AAAA,IACX,0DAA0D,IAAI;AAAA,IAC9D,oCAAoC,IAAI;AAAA,EAC1C;AAEA,aAAW,OAAO,MAAM;AACtB,QAAI;AACF,YAAM,MAAM,MAAM,MAAM,KAAK,EAAE,QAAQ,YAAY,QAAQ,GAAK,EAAE,CAAC;AACnE,UAAI,IAAI,IAAI;AACV,eAAO,MAAM,IAAI,KAAK;AAAA,MACxB;AAAA,IACF,QAAQ;AAAA,IAER;AAAA,EACF;AAEA,QAAM,IAAI;AAAA,IACR,0BAA0B,IAAI;AAAA,EAChC;AACF;AAEA,eAAsB,YACpB,QACA,SACe;AACf,MAAI;AAEJ,MAAI,QAAQ,QAAQ;AAClB,QAAI;AACF,cAAQ,OAAO,MAAM,aAAa,MAAM;AAAA,CAAqB;AAC7D,gBAAU,MAAM,iBAAiB,MAAM;AAAA,IACzC,SAAS,KAAK;AACZ,cAAQ;AAAA,QACN,eAAe,QAAQ,IAAI,UAAU;AAAA,MACvC;AACA,cAAQ,KAAK,CAAC;AAAA,IAChB;AAAA,EACF,OAAO;AACL,UAAM,YAAY,QAAQ,MAAM;AAChC,QAAI,YAAY;AAEhB,QACEC,YAAW,SAAS,KACpB,CAAC,UAAU,SAAS,KAAK,KACzBA,YAAWC,MAAK,WAAW,UAAU,CAAC,GACtC;AACA,kBAAYA,MAAK,WAAW,UAAU;AAAA,IACxC;AAEA,QAAI,CAACD,YAAW,SAAS,KAAK,SAAS,SAAS,EAAE,YAAY,GAAG;AAC/D,cAAQ,MAAM,kCAAkC,SAAS,EAAE;AAC3D,cAAQ,MAAM,oEAAoE,MAAM,YAAY;AACpG,cAAQ,KAAK,CAAC;AAAA,IAChB;AAEA,cAAUE,cAAa,WAAW,OAAO;AAAA,EAC3C;AAGA,QAAM,aAAaD,MAAK,QAAQ,IAAI,GAAG,gBAAgB;AACvD,QAAM,iBAA2B,CAAC;AAClC,MAAID,YAAW,UAAU,GAAG;AAC1B,UAAM,QAAQE,cAAa,YAAY,OAAO,EAAE,MAAM,IAAI;AAC1D,eAAW,QAAQ,OAAO;AACxB,YAAM,UAAU,KAAK,KAAK;AAC1B,UAAI,WAAW,CAAC,QAAQ,WAAW,GAAG,GAAG;AACvC,uBAAe,KAAK,OAAO;AAAA,MAC7B;AAAA,IACF;AAAA,EACF;AAEA,QAAM,SAAS,MAAM,UAAU,SAAS;AAAA,IACtC,UAAU,QAAQ,YAAY;AAAA,IAC9B,gBAAgB,eAAe,SAAS,iBAAiB;AAAA,EAC3D,CAAC;AAED,MAAI,CAAC,QAAQ,OAAO;AAClB,QAAI,QAAQ,WAAW,SAAS;AAC9B,uBAAiB,MAAM;AAAA,IACzB,WAAW,QAAQ,WAAW,QAAQ;AACpC,sBAAgB,MAAM;AAAA,IACxB,OAAO;AACL,sBAAgB,MAAM;AAAA,IACxB;AAAA,EACF;AAGA,MAAI,CAAC,QAAQ,SAAS,QAAQ,WAAW,UAAU,QAAQ,WAAW,SAAS;AAC7E,QAAI,CAAC,aAAa,GAAG;AACnB,YAAM,WAAW,MAAM,OAAO,UAAe;AAC7C,YAAM,KAAK,SAAS,gBAAgB,EAAE,OAAO,QAAQ,OAAO,QAAQ,QAAQ,OAAO,CAAC;AACpF,YAAM,SAAS,MAAM,IAAI,QAAgB,CAACC,aAAY;AACpD,WAAG;AAAA,UACDC,OAAM,IAAI,gEAA2D;AAAA,UACrE,CAAC,MAAM;AAAE,eAAG,MAAM;AAAG,YAAAD,SAAQ,EAAE,KAAK,EAAE,YAAY,CAAC;AAAA,UAAG;AAAA,QACxD;AAAA,MACF,CAAC;AACD,mBAAa,WAAW,OAAO,WAAW,KAAK;AAAA,IACjD;AAEA,kBAAc,MAAM;AAGpB,YAAQ;AAAA,MACNC,OAAM,IAAI,IAAI,IACdA,OAAM,KAAK,2CAAsC,IACjDA,OAAM,UAAU,KAAK,2BAA2B;AAAA,IAClD;AACA,YAAQ,IAAI;AAAA,EACd,OAAO;AACL,kBAAc,MAAM;AAAA,EACtB;AAEA,QAAM,SAAS,QAAQ,WAAW,QAAQ,QAAQ,SAAS;AAC3D,MAAI,QAAQ;AACV,UAAM,gBAAgB,CAAC,OAAO,UAAU,QAAQ,UAAU;AAC1D,UAAM,YAAY,cAAc,QAAQ,MAAM;AAC9C,UAAM,aAAa,OAAO,SAAS;AAAA,MACjC,CAAC,MAAM,cAAc,QAAQ,EAAE,QAAQ,KAAK;AAAA,IAC9C;AACA,QAAI,YAAY;AACd,cAAQ,KAAK,CAAC;AAAA,IAChB;AAAA,EACF;AACF;;;Ac9IA,SAAS,aAAa,cAAAC,aAAY,gBAAAC,qBAAoB;AACtD,SAAS,QAAAC,aAAY;AACrB,SAAS,WAAAC,gBAAe;AAGxB,OAAOC,YAAW;AAElB,IAAM,qBAAqB;AAAA,EACzBC,MAAKC,SAAQ,GAAG,aAAa,QAAQ;AAAA,EACrCD,MAAKC,SAAQ,GAAG,aAAa,aAAa,QAAQ;AACpD;AAEA,eAAsB,aAAa,UAA4B,CAAC,GAAkB;AAChF,QAAM,aAAa,QAAQ,MAAM,CAAC,QAAQ,GAAG,IAAI;AACjD,UAAQ,IAAIF,OAAM,KAAK,wDAAmD,CAAC;AAE3E,MAAI,eAAe;AACnB,MAAI,eAAe;AAEnB,aAAW,OAAO,YAAY;AAC5B,QAAI,CAACG,YAAW,GAAG,GAAG;AACpB,UAAI,QAAQ,KAAK;AACf,gBAAQ,MAAMH,OAAM,OAAO,iCAAiC,GAAG;AAAA,CAAI,CAAC;AACpE,gBAAQ,KAAK,CAAC;AAAA,MAChB;AACA;AAAA,IACF;AAGA,UAAM,kBAAkBC,MAAK,KAAK,UAAU;AAC5C,QAAIE,YAAW,eAAe,GAAG;AAC/B,YAAM,UAAUC,cAAa,iBAAiB,OAAO;AACrD,YAAM,SAAS,MAAM,UAAU,OAAO;AACtC;AACA,sBAAgB,OAAO,SAAS;AAChC,sBAAgB,MAAM;AACtB;AAAA,IACF;AAEA,UAAM,UAAU,YAAY,KAAK,EAAE,eAAe,KAAK,CAAC;AACxD,eAAW,SAAS,SAAS;AAC3B,UAAI,CAAC,MAAM,YAAY,EAAG;AAC1B,YAAM,YAAYH,MAAK,KAAK,MAAM,MAAM,UAAU;AAClD,UAAI,CAACE,YAAW,SAAS,EAAG;AAE5B,YAAM,UAAUC,cAAa,WAAW,OAAO;AAC/C,YAAM,SAAS,MAAM,UAAU,OAAO;AACtC;AACA,sBAAgB,OAAO,SAAS;AAEhC,sBAAgB,MAAM;AAAA,IACxB;AAAA,EACF;AAEA,UAAQ,IAAIJ,OAAM,KAAK;AAAA,kBAAqB,YAAY,oBAAoB,YAAY;AAAA,CAAa,CAAC;AACxG;;;ACvDA,SAAS,gBAAAK,eAAc,cAAAC,aAAY,aAAa;AAChD,SAAS,QAAAC,aAAY;AACrB,SAAS,WAAAC,gBAAe;AACxB,OAAOC,YAAW;AAIlB,IAAMC,sBAAqB;AAAA,EACzBC,MAAKC,SAAQ,GAAG,aAAa,QAAQ;AAAA,EACrCD,MAAKC,SAAQ,GAAG,aAAa,aAAa,QAAQ;AACpD;AAEA,eAAsB,aAAa,SAGjB;AAChB,QAAM,YAAY,QAAQ,aAAa;AACvC,QAAM,aAAa,QAAQ,MAAM,CAAC,QAAQ,GAAG,IAAIF;AACjD,UAAQ;AAAA,IACNG,OAAM;AAAA,MACJ;AAAA,gEAA8D,SAAS;AAAA;AAAA,IACzE;AAAA,EACF;AAEA,QAAM,YAAsB,CAAC;AAC7B,aAAW,OAAO,YAAY;AAC5B,QAAIC,YAAW,GAAG,GAAG;AACnB,gBAAU,KAAK,GAAG;AAAA,IACpB;AAAA,EACF;AAEA,MAAI,UAAU,WAAW,GAAG;AAC1B,YAAQ;AAAA,MACND,OAAM;AAAA,QACJ;AAAA,MACF;AAAA,IACF;AACA,YAAQ,IAAIA,OAAM,IAAI,uBAAuB,CAAC;AAC9C,eAAW,OAAO,YAAY;AAC5B,cAAQ,IAAIA,OAAM,IAAI,KAAK,GAAG,EAAE,CAAC;AAAA,IACnC;AACA,YAAQ,IAAI;AACZ,YAAQ,KAAK,CAAC;AAAA,EAChB;AAEA,UAAQ,IAAIA,OAAM,IAAI,WAAW,CAAC;AAClC,aAAW,OAAO,WAAW;AAC3B,YAAQ,IAAIA,OAAM,IAAI,KAAK,GAAG,EAAE,CAAC;AAAA,EACnC;AACA,UAAQ,IAAI;AAEZ,aAAW,OAAO,WAAW;AAC3B,UAAM,UAAU,MAAM,KAAK,EAAE,WAAW,KAAK,GAAG,OAAO,OAAO,aAAa;AACzE,UAAI,CAAC,UAAU,SAAS,UAAU,EAAG;AAErC,YAAM,YAAYF,MAAK,KAAK,QAAQ;AACpC,UAAI,CAACG,YAAW,SAAS,EAAG;AAE5B,cAAQ,IAAID,OAAM,IAAI;AAAA,mBAAsB,QAAQ,EAAE,CAAC;AAEvD,UAAI;AACF,cAAM,UAAUE,cAAa,WAAW,OAAO;AAC/C,cAAM,SAAS,MAAM,UAAU,OAAO;AAEtC,YAAI,OAAO,QAAQ;AACjB,kBAAQ,IAAIF,OAAM,IAAI,UAAU,CAAC;AAAA,QACnC;AACA,wBAAgB,MAAM;AAEtB,YAAI,OAAO,YAAY,WAAW;AAChC,kBAAQ;AAAA,YACNA,OAAM,MAAM,MAAM;AAAA,cAChB,8BAAyB,OAAO,SAAS,sBAAsB,SAAS;AAAA,YAC1E;AAAA,UACF;AACA,kBAAQ;AAAA,YACNA,OAAM;AAAA,cACJ,yDAAyD,SAAS;AAAA;AAAA,YACpE;AAAA,UACF;AAAA,QACF;AAAA,MACF,SAAS,KAAK;AACZ,gBAAQ,MAAMA,OAAM,IAAI,kBAAkB,QAAQ,GAAG,GAAG,GAAG;AAAA,MAC7D;AAAA,IACF,CAAC;AAED,YAAQ,GAAG,UAAU,MAAM;AACzB,cAAQ,MAAM;AACd,cAAQ,IAAIA,OAAM,IAAI,kBAAkB,CAAC;AACzC,cAAQ,KAAK,CAAC;AAAA,IAChB,CAAC;AAAA,EACH;AAEA,UAAQ,IAAIA,OAAM,IAAI,kCAAkC,CAAC;AACzD,QAAM,IAAI,QAAQ,MAAM;AAAA,EAAC,CAAC;AAC5B;;;AhB1FA,IAAM,UAAU,IAAI,QAAQ;AAE5B,QACG,KAAK,SAAS,EACd,YAAY,oDAAoD,EAChE,QAAQ,OAAO;AAElB,QACG,QAAQ,MAAM,EACd,YAAY,mCAAmC,EAC/C,SAAS,YAAY,uCAAuC,EAC5D,OAAO,qBAAqB,2CAA2C,UAAU,EACjF,OAAO,wBAAwB,8CAA8C,EAC7E,OAAO,cAAc,0DAA0D,EAC/E,OAAO,YAAY,wDAAwD,EAC3E,OAAO,eAAe,sDAAsD,EAC5E,OAAO,eAAe,yCAAyC,EAC/D,OAAO,OAAO,QAAQ,SAAS;AAC9B,MAAI,KAAK,WAAW;AAClB,UAAM,MAAM;AACZ,YAAQ,IAAI,WAAW,GAAG,MAAM;AAChC,UAAM,EAAE,KAAK,IAAI,MAAM,OAAO,eAAoB;AAClD,UAAM,MAAM,QAAQ,aAAa,UAAU,SAAS,GAAG,KAAK,QAAQ,aAAa,WAAW,QAAQ,GAAG,KAAK,YAAY,GAAG;AAC3H,SAAK,GAAG;AAAA,EACV;AACA,QAAM,YAAY,QAAQ;AAAA,IACxB,QAAQ,KAAK;AAAA,IACb,QAAQ,KAAK;AAAA,IACb,UAAU,KAAK;AAAA,IACf,QAAQ,KAAK;AAAA,IACb,OAAO,KAAK;AAAA,EACd,CAAC;AACH,CAAC;AAEH,QACG,QAAQ,OAAO,EACf,YAAY,oCAAoC,EAChD,OAAO,gBAAgB,iCAAiC,EACxD,OAAO,OAAO,SAAS;AACtB,QAAM,aAAa,EAAE,KAAK,KAAK,IAAI,CAAC;AACtC,CAAC;AAEH,QACG,QAAQ,OAAO,EACf,YAAY,qDAAgD,EAC5D,OAAO,uBAAuB,qCAAqC,IAAI,EACvE,OAAO,gBAAgB,kCAAkC,EACzD,OAAO,OAAO,SAAS;AACtB,QAAM,aAAa,EAAE,WAAW,SAAS,KAAK,SAAS,GAAG,KAAK,KAAK,IAAI,CAAC;AAC3E,CAAC;AAEH,QACG,QAAQ,UAAU,EAClB,YAAY,gDAAgD,EAC5D,OAAO,YAAY;AAClB,QAAM,MAAM;AACZ,UAAQ,IAAI,WAAW,GAAG,MAAM;AAChC,QAAM,EAAE,KAAK,IAAI,MAAM,OAAO,eAAoB;AAClD,QAAM,MAAM,QAAQ,aAAa,UAAU,SAAS,GAAG,KAAK,QAAQ,aAAa,WAAW,QAAQ,GAAG,KAAK,YAAY,GAAG;AAC3H,OAAK,GAAG;AACV,CAAC;AAEH,QAAQ,MAAM;","names":["readFileSync","existsSync","join","chalk","existsSync","join","readFileSync","resolve","chalk","existsSync","readFileSync","join","homedir","chalk","join","homedir","existsSync","readFileSync","readFileSync","existsSync","join","homedir","chalk","DEFAULT_SKILL_DIRS","join","homedir","chalk","existsSync","readFileSync"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/commands/scan.ts","../../shared/src/patterns.ts","../../shared/src/scanner/skill-parser.ts","../../shared/src/scanner/static-analysis.ts","../../shared/src/scanner/metadata-validator.ts","../../shared/src/scanner/dependency-checker.ts","../../shared/src/scanner/typosquat-detector.ts","../../shared/src/scanner/risk-scorer.ts","../../shared/src/scanner/cache.ts","../../shared/src/scanner/index.ts","../src/output/terminal.ts","../src/output/json.ts","../src/output/sarif.ts","../src/telemetry.ts","../src/commands/audit.ts","../src/commands/watch.ts","../src/commands/badge.ts"],"sourcesContent":["import { Command } from \"commander\";\nimport { scanCommand } from \"./commands/scan.js\";\nimport { auditCommand } from \"./commands/audit.js\";\nimport { watchCommand } from \"./commands/watch.js\";\nimport { badgeCommand } from \"./commands/badge.js\";\n\nconst program = new Command();\n\nprogram\n .name(\"clawvet\")\n .description(\"Skill vetting & supply chain security for OpenClaw\")\n .version(\"0.6.0\");\n\nprogram\n .command(\"scan\")\n .description(\"Scan a skill for security threats\")\n .argument(\"<target>\", \"Path to skill folder or SKILL.md file\")\n .option(\"--format <format>\", \"Output format: terminal, json, or sarif\", \"terminal\")\n .option(\"--fail-on <severity>\", \"Exit 1 if findings at this severity or above\")\n .option(\"--semantic\", \"Enable AI semantic analysis (requires ANTHROPIC_API_KEY)\")\n .option(\"--remote\", \"Fetch skill from ClawHub by name instead of local path\")\n .option(\"-q, --quiet\", \"Suppress all output, exit code only (0=pass, 1=fail)\")\n .option(\"--subscribe\", \"Open the ClawVet feedback & alerts form\")\n .action(async (target, opts) => {\n if (opts.subscribe) {\n const url = \"https://tally.so/r/jaMdaa\";\n console.log(`Opening ${url} ...`);\n const { exec } = await import(\"node:child_process\");\n const cmd = process.platform === \"win32\" ? `start ${url}` : process.platform === \"darwin\" ? `open ${url}` : `xdg-open ${url}`;\n exec(cmd);\n }\n await scanCommand(target, {\n format: opts.format,\n failOn: opts.failOn,\n semantic: opts.semantic,\n remote: opts.remote,\n quiet: opts.quiet,\n });\n });\n\nprogram\n .command(\"audit\")\n .description(\"Scan all installed OpenClaw skills\")\n .option(\"--dir <path>\", \"Custom skills directory to scan\")\n .action(async (opts) => {\n await auditCommand({ dir: opts.dir });\n });\n\nprogram\n .command(\"watch\")\n .description(\"Pre-install hook — blocks risky skill installs\")\n .option(\"--threshold <score>\", \"Risk score threshold (default 50)\", \"50\")\n .option(\"--dir <path>\", \"Custom skills directory to watch\")\n .action(async (opts) => {\n await watchCommand({ threshold: parseInt(opts.threshold), dir: opts.dir });\n });\n\nprogram\n .command(\"badge\")\n .description(\"Generate a trust badge for a skill's README\")\n .argument(\"<target>\", \"Path to skill folder or SKILL.md file\")\n .option(\"--md\", \"Output only the markdown snippet\")\n .action(async (target, opts) => {\n await badgeCommand(target, { markdown: opts.md });\n });\n\nprogram\n .command(\"feedback\")\n .description(\"Open the ClawVet feedback & threat alerts form\")\n .action(async () => {\n const url = \"https://tally.so/r/jaMdaa\";\n console.log(`Opening ${url} ...`);\n const { exec } = await import(\"node:child_process\");\n const cmd = process.platform === \"win32\" ? `start ${url}` : process.platform === \"darwin\" ? `open ${url}` : `xdg-open ${url}`;\n exec(cmd);\n });\n\nprogram.parse();\n","import { readFileSync, existsSync, statSync } from \"node:fs\";\r\nimport { resolve, join } from \"node:path\";\r\nimport chalk from \"chalk\";\r\nimport { scanSkill } from \"@clawvet/shared\";\r\nimport { printScanResult } from \"../output/terminal.js\";\r\nimport { printJsonResult } from \"../output/json.js\";\r\nimport { printSarifResult } from \"../output/sarif.js\";\r\nimport { sendTelemetry, hasBeenAsked, setTelemetry } from \"../telemetry.js\";\r\n\r\nexport interface ScanOptions {\r\n format?: \"terminal\" | \"json\" | \"sarif\";\r\n failOn?: \"critical\" | \"high\" | \"medium\" | \"low\";\r\n semantic?: boolean;\r\n remote?: boolean;\r\n quiet?: boolean;\r\n}\r\n\r\nasync function fetchRemoteSkill(slug: string): Promise<string> {\r\n const urls = [\r\n `https://raw.githubusercontent.com/openclaw/skills/main/${slug}/SKILL.md`,\r\n `https://clawhub.ai/api/v1/skills/${slug}/raw`,\r\n ];\r\n\r\n for (const url of urls) {\r\n try {\r\n const res = await fetch(url, { signal: AbortSignal.timeout(10000) });\r\n if (res.ok) {\r\n return await res.text();\r\n }\r\n } catch {\r\n // try next\r\n }\r\n }\r\n\r\n throw new Error(\r\n `Could not fetch skill \"${slug}\" from ClawHub. Check the skill name and try again.`\r\n );\r\n}\r\n\r\nexport async function scanCommand(\r\n target: string,\r\n options: ScanOptions\r\n): Promise<void> {\r\n let content: string;\r\n\r\n if (options.remote) {\r\n try {\r\n process.stderr.write(`Fetching \"${target}\" from ClawHub...\\n`);\r\n content = await fetchRemoteSkill(target);\r\n } catch (err) {\r\n console.error(\r\n err instanceof Error ? err.message : \"Failed to fetch remote skill\"\r\n );\r\n process.exit(1);\r\n }\r\n } else {\r\n const skillPath = resolve(target);\r\n let skillFile = skillPath;\r\n\r\n if (\r\n existsSync(skillPath) &&\r\n !skillPath.endsWith(\".md\") &&\r\n existsSync(join(skillPath, \"SKILL.md\"))\r\n ) {\r\n skillFile = join(skillPath, \"SKILL.md\");\r\n }\r\n\r\n if (!existsSync(skillFile) || statSync(skillFile).isDirectory()) {\r\n console.error(`Error: Cannot find SKILL.md at ${skillFile}`);\r\n console.error(`Hint: If this is a directory of skills, use 'clawvet audit --dir ${target}' instead.`);\r\n process.exit(1);\r\n }\r\n\r\n content = readFileSync(skillFile, \"utf-8\");\r\n }\r\n\r\n // Load .clawvetban — block skills by name, author, or slug\r\n const banFile = join(process.cwd(), \".clawvetban\");\r\n if (existsSync(banFile)) {\r\n const banEntries = readFileSync(banFile, \"utf-8\")\r\n .split(\"\\n\")\r\n .map((l) => l.trim().toLowerCase())\r\n .filter((l) => l && !l.startsWith(\"#\"));\r\n\r\n // Quick parse frontmatter to check name/author before full scan\r\n const fmMatch = content.match(/^---\\r?\\n([\\s\\S]*?)\\r?\\n---/);\r\n if (fmMatch) {\r\n const fmText = fmMatch[1].toLowerCase();\r\n for (const ban of banEntries) {\r\n const targetLower = target.toLowerCase();\r\n if (\r\n targetLower.includes(ban) ||\r\n fmText.includes(`name: ${ban}`) ||\r\n fmText.includes(`author: ${ban}`) ||\r\n fmText.includes(`slug: ${ban}`)\r\n ) {\r\n console.error(\r\n chalk.bgRed.white.bold(` BANNED `) +\r\n chalk.red(` Skill matches ban list entry: ${ban}`)\r\n );\r\n console.error(chalk.dim(` Source: ${banFile}`));\r\n process.exit(1);\r\n }\r\n }\r\n }\r\n }\r\n\r\n // Load .clawvetignore\r\n const ignoreFile = join(process.cwd(), \".clawvetignore\");\r\n const ignorePatterns: string[] = [];\r\n if (existsSync(ignoreFile)) {\r\n const lines = readFileSync(ignoreFile, \"utf-8\").split(\"\\n\");\r\n for (const line of lines) {\r\n const trimmed = line.trim();\r\n if (trimmed && !trimmed.startsWith(\"#\")) {\r\n ignorePatterns.push(trimmed);\r\n }\r\n }\r\n }\r\n\r\n const result = await scanSkill(content, {\r\n semantic: options.semantic ?? false,\r\n ignorePatterns: ignorePatterns.length ? ignorePatterns : undefined,\r\n });\r\n\r\n if (!options.quiet) {\r\n if (options.format === \"sarif\") {\r\n printSarifResult(result);\r\n } else if (options.format === \"json\") {\r\n printJsonResult(result);\r\n } else {\r\n printScanResult(result);\r\n }\r\n }\r\n\r\n // Telemetry: first-run opt-in prompt\r\n if (!options.quiet && options.format !== \"json\" && options.format !== \"sarif\") {\r\n if (!hasBeenAsked()) {\r\n const readline = await import(\"node:readline\");\r\n const rl = readline.createInterface({ input: process.stdin, output: process.stderr });\r\n const answer = await new Promise<string>((resolve) => {\r\n rl.question(\r\n chalk.dim(\"Help improve ClawVet — send anonymous usage stats? (y/n) \"),\r\n (a) => { rl.close(); resolve(a.trim().toLowerCase()); }\r\n );\r\n });\r\n setTelemetry(answer === \"y\" || answer === \"yes\");\r\n }\r\n\r\n sendTelemetry(result);\r\n\r\n // Post-scan CTA\r\n console.log(\r\n chalk.dim(\" \") +\r\n chalk.cyan(\"Got feedback? Want threat alerts? → \") +\r\n chalk.underline.cyan(\"https://tally.so/r/jaMdaa\")\r\n );\r\n console.log();\r\n } else {\r\n sendTelemetry(result);\r\n }\r\n\r\n const failOn = options.failOn || (options.quiet ? \"high\" : undefined);\r\n if (failOn) {\r\n const severityOrder = [\"low\", \"medium\", \"high\", \"critical\"];\r\n const threshold = severityOrder.indexOf(failOn);\r\n const hasFailure = result.findings.some(\r\n (f) => severityOrder.indexOf(f.severity) >= threshold\r\n );\r\n if (hasFailure) {\r\n process.exit(1);\r\n }\r\n }\r\n}\r\n","import type { ThreatPattern } from \"./types.js\";\r\n\r\n// Build regex from parts at runtime to avoid AV false positives on signature strings\r\nfunction re(parts: string[], flags: string): RegExp {\r\n return new RegExp(parts.join(\"\"), flags);\r\n}\r\n\r\nexport const THREAT_PATTERNS: ThreatPattern[] = [\r\n // ═══════════════════════════════════════════════════════\r\n // CRITICAL: Remote code execution\r\n // ═══════════════════════════════════════════════════════\r\n {\r\n name: \"CURL_PIPE_BASH\",\r\n pattern: re([\"curl\\\\s+.*\\\\|\\\\s*(ba)?\", \"sh\"], \"gi\"),\r\n severity: \"critical\",\r\n category: \"remote_code_execution\",\r\n title: \"Curl piped to shell\",\r\n description: \"Downloads and executes remote code directly — classic supply chain attack vector.\",\r\n codeOnly: true,\r\n fix: \"Download the script first, inspect it, then execute: `curl -o setup.sh URL && cat setup.sh && bash setup.sh`\",\r\n },\r\n {\r\n name: \"WGET_EXECUTE\",\r\n pattern: re([\"wget\\\\s+.*&&\\\\s*(ba)?\", \"sh\"], \"gi\"),\r\n severity: \"critical\",\r\n category: \"remote_code_execution\",\r\n title: \"Wget with shell execution\",\r\n description: \"Downloads and executes remote code via wget.\",\r\n codeOnly: true,\r\n fix: \"Download the file first with `wget -O script.sh URL`, review it, then execute.\",\r\n },\r\n {\r\n name: \"EVAL_DYNAMIC\",\r\n pattern: re([\"ev\", \"al\\\\s*\\\\(\"], \"gi\"),\r\n severity: \"critical\",\r\n category: \"remote_code_execution\",\r\n title: \"Dynamic code evaluation\",\r\n description: \"Uses dynamic code evaluation which can run arbitrary code.\",\r\n codeOnly: true,\r\n fix: \"Replace dynamic evaluation with a safer alternative like JSON.parse() or a sandboxed environment.\",\r\n },\r\n {\r\n name: \"BASE64_DECODE\",\r\n pattern: re([\"base\", \"64\\\\s+(-d|--dec\", \"ode)\"], \"gi\"),\r\n severity: \"critical\",\r\n category: \"obfuscation\",\r\n title: \"Base64 decode execution\",\r\n description: \"Decodes base64 content, often used to hide malicious payloads.\",\r\n codeOnly: true,\r\n fix: \"Decode and include the command directly so users can review it.\",\r\n },\r\n {\r\n name: \"PYTHON_EXEC\",\r\n pattern: re([\"pyth\", \"on[3]?\\\\s+-c\"], \"gi\"),\r\n severity: \"critical\",\r\n category: \"remote_code_execution\",\r\n title: \"Python inline execution\",\r\n description: \"Executes inline Python code which may contain hidden payloads.\",\r\n codeOnly: true,\r\n fix: \"Move inline code to a separate .py file so users can review it before execution.\",\r\n },\r\n {\r\n name: \"REVERSE_SHELL\",\r\n pattern: re([\"\\\\/dev\\\\/tc\", \"p\\\\/|nc\\\\s+-[elp]|nca\", \"t\\\\s+-|mkfi\", \"fo\\\\s+.*\\\\/tmp\"], \"gi\"),\r\n severity: \"critical\",\r\n category: \"remote_code_execution\",\r\n title: \"Reverse shell\",\r\n description: \"Creates a reverse connection back to an attacker-controlled server.\",\r\n codeOnly: true,\r\n fix: \"Remove reverse connection commands — these are almost never legitimate in skills.\",\r\n },\r\n {\r\n name: \"CRON_PERSISTENCE\",\r\n pattern: re([\"cron\", \"tab\\\\s+-|\\\\/etc\\\\/cro\", \"n|system\", \"ctl\\\\s+enable\"], \"gi\"),\r\n severity: \"critical\",\r\n category: \"persistence\",\r\n title: \"Scheduled task persistence\",\r\n description: \"Installs a cron job or systemd service for persistent execution after reboot.\",\r\n codeOnly: true,\r\n fix: \"Document the scheduled task in the skill description and require explicit user consent before installing.\",\r\n },\r\n {\r\n name: \"PERL_EXEC\",\r\n pattern: re([\"per\", \"l\\\\s+-e\"], \"gi\"),\r\n severity: \"critical\",\r\n category: \"remote_code_execution\",\r\n title: \"Perl inline execution\",\r\n description: \"Executes inline Perl code which may contain obfuscated payloads.\",\r\n codeOnly: true,\r\n fix: \"Move inline code to a separate .pl file so users can review it before execution.\",\r\n },\r\n {\r\n name: \"NODE_EVAL\",\r\n pattern: re([\"no\", \"de\\\\s+-e\\\\s\"], \"gi\"),\r\n severity: \"critical\",\r\n category: \"remote_code_execution\",\r\n title: \"Node.js inline execution\",\r\n description: \"Executes inline Node.js code, often used to hide malicious logic.\",\r\n codeOnly: true,\r\n fix: \"Move inline code to a separate .js file so users can review it before execution.\",\r\n },\r\n {\r\n name: \"RUBY_EXEC\",\r\n pattern: re([\"rub\", \"y\\\\s+-e\"], \"gi\"),\r\n severity: \"critical\",\r\n category: \"remote_code_execution\",\r\n title: \"Ruby inline execution\",\r\n description: \"Executes inline Ruby code which may contain hidden payloads.\",\r\n codeOnly: true,\r\n fix: \"Move inline code to a separate .rb file so users can review it before execution.\",\r\n },\r\n\r\n // ═══════════════════════════════════════════════════════\r\n // HIGH: Credential theft\r\n // ═══════════════════════════════════════════════════════\r\n {\r\n name: \"ENV_FILE_READ\",\r\n pattern: /\\.env|credentials|\\.aws|\\.ssh|keychain/gi,\r\n severity: \"high\",\r\n category: \"credential_theft\",\r\n title: \"Sensitive file access\",\r\n description: \"Accesses credential files (.env, .aws, .ssh, keychain).\",\r\n fix: \"Declare required env vars in frontmatter under `metadata.openclaw.requires.env`.\",\r\n },\r\n {\r\n name: \"API_KEY_EXFIL\",\r\n pattern: /(ANTHROPIC|OPENAI|SLACK|DISCORD|TELEGRAM|STRIPE|GITHUB|GITLAB|AWS_SECRET|GROQ|OPENROUTER).*(_KEY|_TOKEN|_SECRET)/gi,\r\n severity: \"high\",\r\n category: \"credential_theft\",\r\n title: \"API key reference\",\r\n description: \"References specific API keys/tokens that could be exfiltrated.\",\r\n fix: \"Use environment variable references ($VAR) instead of hardcoding keys, and declare them in requires.env.\",\r\n },\r\n {\r\n name: \"DOTFILE_ACCESS\",\r\n pattern: /~\\/\\.(openclaw|clawdbot|moltbot)\\//gi,\r\n severity: \"high\",\r\n category: \"credential_theft\",\r\n title: \"OpenClaw config access\",\r\n description: \"Accesses OpenClaw/Clawdbot/Moltbot configuration directories.\",\r\n fix: \"Use the official OpenClaw SDK/API instead of directly reading config directories.\",\r\n },\r\n {\r\n name: \"SESSION_THEFT\",\r\n pattern: /sessions\\/\\*\\.jsonl/gi,\r\n severity: \"high\",\r\n category: \"credential_theft\",\r\n title: \"Session data access\",\r\n description: \"Accesses session transcript files which may contain sensitive data.\",\r\n fix: \"Remove session file access — skills should not read conversation transcripts.\",\r\n },\r\n {\r\n name: \"SSH_KEY_ACCESS\",\r\n pattern: /~\\/\\.ssh\\/id_|\\.pem\\b|BEGIN\\s+(RSA\\s+)?PRIVATE\\s+KEY/gi,\r\n severity: \"high\",\r\n category: \"credential_theft\",\r\n title: \"SSH/private key access\",\r\n description: \"Accesses SSH keys or private key files that could be stolen.\",\r\n fix: \"Use ssh-agent or a credential manager instead of directly reading key files.\",\r\n },\r\n {\r\n name: \"BROWSER_DATA\",\r\n pattern: /\\.config\\/google-chrome|\\.mozilla\\/firefox|Login\\s*Data|Cookies\\.sqlite/gi,\r\n severity: \"high\",\r\n category: \"credential_theft\",\r\n title: \"Browser data access\",\r\n description: \"Accesses browser profiles which contain saved passwords, cookies, and tokens.\",\r\n fix: \"Remove browser data access — skills should not read browser profiles.\",\r\n },\r\n {\r\n name: \"GIT_CREDENTIALS\",\r\n pattern: /\\.git-credentials|\\.gitconfig|git\\s+config.*credential/gi,\r\n severity: \"high\",\r\n category: \"credential_theft\",\r\n title: \"Git credential access\",\r\n description: \"Accesses git credential storage which may contain auth tokens.\",\r\n fix: \"Use `git` CLI commands instead of directly reading credential files.\",\r\n },\r\n {\r\n name: \"NPM_TOKEN\",\r\n pattern: /\\.npmrc|npm_token|NPM_AUTH_TOKEN/gi,\r\n severity: \"high\",\r\n category: \"credential_theft\",\r\n title: \"npm token access\",\r\n description: \"Accesses npm auth tokens which could be used to publish malicious packages.\",\r\n fix: \"Use `npm whoami` or `npm config get` instead of directly reading .npmrc.\",\r\n },\r\n {\r\n name: \"KUBE_CONFIG\",\r\n pattern: /~\\/\\.kube\\/config|KUBECONFIG/gi,\r\n severity: \"high\",\r\n category: \"credential_theft\",\r\n title: \"Kubernetes config access\",\r\n description: \"Accesses Kubernetes configuration which contains cluster credentials.\",\r\n fix: \"Use `kubectl` CLI commands instead of directly reading kubeconfig.\",\r\n },\r\n {\r\n name: \"DOCKER_SOCKET\",\r\n pattern: /\\/var\\/run\\/docker\\.sock|docker\\s+exec/gi,\r\n severity: \"high\",\r\n category: \"container_escape\",\r\n title: \"Docker socket/exec access\",\r\n description: \"Accesses Docker socket or runs exec — could enable container escape.\",\r\n fix: \"Use Docker SDK or CLI with limited permissions instead of direct socket access.\",\r\n },\r\n\r\n // ═══════════════════════════════════════════════════════\r\n // HIGH: Network exfiltration\r\n // ═══════════════════════════════════════════════════════\r\n {\r\n name: \"WEBHOOK_SEND\",\r\n pattern: /webhook\\.(site|url)|discord\\.com\\/api\\/webhooks|hooks\\.slack\\.com|api\\.telegram\\.org\\/bot/gi,\r\n severity: \"high\",\r\n category: \"data_exfiltration\",\r\n title: \"Webhook data exfiltration\",\r\n description: \"Sends data to webhook endpoints (Discord, Slack, Telegram) — common exfiltration channel.\",\r\n fix: \"If webhook integration is needed, declare it in the skill description and let users configure their own webhook URL.\",\r\n },\r\n {\r\n name: \"BORE_TUNNEL\",\r\n pattern: /bore\\.pub|ngrok|localtunnel|serveo\\.net|localhost\\.run/gi,\r\n severity: \"high\",\r\n category: \"data_exfiltration\",\r\n title: \"Tunnel service usage\",\r\n description: \"Uses tunneling services to expose local services or exfiltrate data.\",\r\n fix: \"Document tunnel usage in the skill description and require explicit user consent.\",\r\n },\r\n {\r\n name: \"SUSPICIOUS_IP\",\r\n pattern: /\\b(?:91\\.92\\.242\\.\\d+|45\\.61\\.\\d+\\.\\d+)\\b/g,\r\n severity: \"high\",\r\n category: \"data_exfiltration\",\r\n title: \"Known malicious IP\",\r\n description: \"Contains IP addresses associated with known ClawHavoc C2 infrastructure.\",\r\n fix: \"Remove references to known malicious IP addresses.\",\r\n },\r\n {\r\n name: \"DNS_EXFIL\",\r\n pattern: /dig\\s+.*TXT|nslookup\\s+.*\\$|dns.*exfil|\\.burpcollaborator\\.|\\.oastify\\./gi,\r\n severity: \"high\",\r\n category: \"data_exfiltration\",\r\n title: \"DNS exfiltration\",\r\n description: \"Uses DNS queries to exfiltrate data — bypasses most firewalls.\",\r\n fix: \"Remove DNS exfiltration patterns — use standard HTTP APIs for data transfer.\",\r\n },\r\n {\r\n name: \"PASTEBIN_FETCH\",\r\n pattern: /pastebin\\.com|paste\\.ee|hastebin\\.com|ghostbin\\.|dpaste\\./gi,\r\n severity: \"high\",\r\n category: \"data_exfiltration\",\r\n title: \"Pastebin service usage\",\r\n description: \"References paste services commonly used to host malicious payloads or receive exfiltrated data.\",\r\n fix: \"Host code in a version-controlled repository (GitHub, GitLab) instead of paste services.\",\r\n },\r\n {\r\n name: \"SUSPICIOUS_TLD\",\r\n pattern: /https?:\\/\\/[^\\s\"']*\\.(tk|ml|ga|cf|gq|top|xyz|pw|cc|ws|buzz)\\b/gi,\r\n severity: \"high\",\r\n category: \"data_exfiltration\",\r\n title: \"Suspicious TLD\",\r\n description: \"URL uses a top-level domain frequently associated with malicious infrastructure.\",\r\n fix: \"Use URLs from well-known, reputable domains instead of suspicious TLDs.\",\r\n },\r\n {\r\n name: \"URL_SHORTENER\",\r\n pattern: /bit\\.ly|tinyurl\\.com|t\\.co\\/|goo\\.gl|is\\.gd|buff\\.ly|ow\\.ly|rb\\.gy/gi,\r\n severity: \"high\",\r\n category: \"obfuscation\",\r\n title: \"URL shortener\",\r\n description: \"Uses URL shorteners to hide the real destination of links.\",\r\n fix: \"Use the full, unshortened URL so users can verify the destination.\",\r\n },\r\n {\r\n name: \"RAW_SOCKET\",\r\n pattern: re([\"new\\\\s+Soc\", \"ket|net\\\\.conn\", \"ect|dgram\\\\.create\", \"Socket\"], \"gi\"),\r\n severity: \"high\",\r\n category: \"data_exfiltration\",\r\n title: \"Raw socket connection\",\r\n description: \"Creates raw network sockets which can bypass HTTP monitoring.\",\r\n codeOnly: true,\r\n fix: \"Use standard HTTP libraries (fetch, axios) instead of raw sockets for network communication.\",\r\n },\r\n\r\n // ═══════════════════════════════════════════════════════\r\n // MEDIUM: Social engineering\r\n // ═══════════════════════════════════════════════════════\r\n {\r\n name: \"PREREQUISITE_INSTALL\",\r\n pattern: /prerequisite|install.*first|run.*before|required.*dependency/gi,\r\n severity: \"medium\",\r\n category: \"social_engineering\",\r\n title: \"Prerequisite install trick\",\r\n description: \"Instructs users to install prerequisites — common social engineering tactic.\",\r\n fix: \"Declare dependencies in `metadata.openclaw.requires.bins` instead of instructing manual installs.\",\r\n },\r\n {\r\n name: \"COPY_PASTE_COMMAND\",\r\n pattern: /copy.*paste.*terminal|run.*this.*command/gi,\r\n severity: \"medium\",\r\n category: \"social_engineering\",\r\n title: \"Copy-paste command instruction\",\r\n description: \"Instructs users to copy-paste commands into their terminal.\",\r\n fix: \"Put commands in code blocks with proper context instead of copy-paste instructions.\",\r\n },\r\n {\r\n name: \"FAKE_DEPENDENCY\",\r\n pattern: /openclaw-core|moltbot-runtime|clawdbot-helper/gi,\r\n severity: \"medium\",\r\n category: \"social_engineering\",\r\n title: \"Fake dependency reference\",\r\n description: \"References fake packages that mimic official OpenClaw components.\",\r\n fix: \"Use only official OpenClaw packages from the verified registry.\",\r\n },\r\n {\r\n name: \"AUTHORITY_SPOOFING\",\r\n pattern: /official\\s+(openclaw|clawhub)|endorsed\\s+by|verified\\s+(skill|publisher)|from\\s+the\\s+openclaw\\s+team/gi,\r\n severity: \"medium\",\r\n category: \"social_engineering\",\r\n title: \"Authority spoofing\",\r\n description: \"Claims official endorsement or verification to gain trust.\",\r\n fix: \"Remove false authority claims — let the skill's quality speak for itself.\",\r\n },\r\n {\r\n name: \"URGENCY_MANIPULATION\",\r\n pattern: /critical\\s+update|security\\s+patch|must\\s+install\\s+immediately|urgent.*update/gi,\r\n severity: \"medium\",\r\n category: \"social_engineering\",\r\n title: \"Urgency manipulation\",\r\n description: \"Creates false urgency to pressure users into installing without review.\",\r\n fix: \"Remove urgency language — let users evaluate the skill at their own pace.\",\r\n },\r\n\r\n // ═══════════════════════════════════════════════════════\r\n // MEDIUM: Prompt injection\r\n // ═══════════════════════════════════════════════════════\r\n {\r\n name: \"IGNORE_INSTRUCTIONS\",\r\n pattern: /ignore\\s+(all\\s+)?previous\\s+instructions/gi,\r\n severity: \"medium\",\r\n category: \"prompt_injection\",\r\n title: \"Prompt injection — ignore instructions\",\r\n description: \"Attempts to override the AI agent's existing instructions.\",\r\n fix: \"Remove prompt injection attempts — skills should not try to override agent instructions.\",\r\n },\r\n {\r\n name: \"SYSTEM_OVERRIDE\",\r\n pattern: /you\\s+are\\s+now|new\\s+instructions|forget\\s+everything/gi,\r\n severity: \"medium\",\r\n category: \"prompt_injection\",\r\n title: \"Prompt injection — system override\",\r\n description: \"Attempts to redefine the AI agent's identity or instructions.\",\r\n fix: \"Remove system override attempts — skills should not alter agent identity.\",\r\n },\r\n {\r\n name: \"MEMORY_MANIPULATION\",\r\n pattern: /SOUL\\.md|MEMORY\\.md|AGENTS\\.md/gi,\r\n severity: \"medium\",\r\n category: \"persistence\",\r\n title: \"Memory/personality file manipulation\",\r\n description: \"References core personality or memory files, may attempt persistence.\",\r\n fix: \"Remove references to agent memory/personality files — skills should not modify agent state.\",\r\n },\r\n {\r\n name: \"JAILBREAK_ATTEMPT\",\r\n pattern: /\\bDAN\\b|do\\s+anything\\s+now|developer\\s+mode|evil\\s+mode|bypass.*safety/gi,\r\n severity: \"medium\",\r\n category: \"prompt_injection\",\r\n title: \"Jailbreak attempt\",\r\n description: \"Uses known jailbreak techniques (DAN, developer mode) to bypass safety constraints.\",\r\n fix: \"Remove jailbreak attempts — skills should work within the agent's safety constraints.\",\r\n },\r\n {\r\n name: \"ROLE_HIJACK\",\r\n pattern: /(?:pretend|act|behave)\\s+(?:you\\s+are|as\\s+if|to\\s+be)\\s+(?:a\\s+)?(?:different|new|hacker|evil)/gi,\r\n severity: \"medium\",\r\n category: \"prompt_injection\",\r\n title: \"Role hijacking\",\r\n description: \"Attempts to change the agent's persona to bypass safety restrictions.\",\r\n fix: \"Remove role hijacking attempts — skills should not alter the agent's persona.\",\r\n },\r\n {\r\n name: \"PROMPT_EXTRACTION\",\r\n pattern: /(?:reveal|show|print|output|tell\\s+me)\\s+(?:your\\s+)?(?:system\\s+)?(?:prompt|instructions|rules)/gi,\r\n severity: \"medium\",\r\n category: \"prompt_injection\",\r\n title: \"System prompt extraction\",\r\n description: \"Attempts to extract the agent's system prompt or configuration.\",\r\n fix: \"Remove prompt extraction attempts — skills should not try to access system prompts.\",\r\n },\r\n\r\n // ═══════════════════════════════════════════════════════\r\n // MEDIUM: Obfuscation\r\n // ═══════════════════════════════════════════════════════\r\n {\r\n name: \"HEX_ENCODING\",\r\n pattern: /\\\\x[0-9a-f]{2}(?:\\\\x[0-9a-f]{2}){3,}/gi,\r\n severity: \"medium\",\r\n category: \"obfuscation\",\r\n title: \"Hex-encoded payload\",\r\n description: \"Contains hex-encoded strings commonly used to hide malicious commands.\",\r\n codeOnly: true,\r\n fix: \"Replace hex-encoded strings with readable text so users can review the content.\",\r\n },\r\n {\r\n name: \"JS_OBFUSCATOR\",\r\n pattern: /_0x[a-f0-9]{4,}|var\\s+_0x/gi,\r\n severity: \"medium\",\r\n category: \"obfuscation\",\r\n title: \"JavaScript obfuscator output\",\r\n description: \"Contains patterns from JavaScript obfuscation tools used to hide malicious code.\",\r\n codeOnly: true,\r\n fix: \"Provide readable, unobfuscated source code instead of obfuscated JavaScript.\",\r\n },\r\n {\r\n name: \"UNICODE_STEGANOGRAPHY\",\r\n pattern: /[\\u200B\\u200C\\u200D\\u2060\\uFEFF]{3,}/g,\r\n severity: \"medium\",\r\n category: \"obfuscation\",\r\n title: \"Hidden zero-width characters\",\r\n description: \"Contains clusters of invisible zero-width Unicode characters that may hide instructions.\",\r\n fix: \"Remove zero-width characters — all content should be visible to users.\",\r\n },\r\n {\r\n name: \"RTL_OVERRIDE\",\r\n pattern: /[\\u202A\\u202B\\u202C\\u202D\\u202E\\u2066\\u2067\\u2068\\u2069]/g,\r\n severity: \"medium\",\r\n category: \"obfuscation\",\r\n title: \"Bidirectional text override\",\r\n description: \"Contains Unicode bidi override characters that can reverse displayed text to hide real content.\",\r\n fix: \"Remove bidirectional text override characters — text direction should be natural.\",\r\n },\r\n {\r\n name: \"HTML_COMMENT_INJECTION\",\r\n pattern: /<!--[\\s\\S]*?(?:ignore|instructions|system|override|secret)[\\s\\S]*?-->/gi,\r\n severity: \"medium\",\r\n category: \"obfuscation\",\r\n title: \"Hidden HTML comment instruction\",\r\n description: \"Embeds instructions inside HTML comments that are invisible to users but read by agents.\",\r\n fix: \"Move instructions from HTML comments into visible content.\",\r\n },\r\n {\r\n name: \"STRING_CONCAT_OBFUSC\",\r\n pattern: /[\"'][a-z]{1,3}[\"']\\s*\\+\\s*[\"'][a-z]{1,3}[\"']\\s*\\+\\s*[\"'][a-z]{1,3}[\"']/gi,\r\n severity: \"medium\",\r\n category: \"obfuscation\",\r\n title: \"String concatenation obfuscation\",\r\n description: \"Builds commands via single-character string concatenation to evade pattern detection.\",\r\n codeOnly: true,\r\n fix: \"Use complete string literals instead of character-by-character concatenation.\",\r\n },\r\n {\r\n name: \"BUFFER_BASE64_DECODE\",\r\n pattern: re([\"Buf\", \"fer\\\\.from\\\\s*\\\\(.*['\\\"]base\", \"64['\\\"]\\\\)|at\", \"ob\\\\s*\\\\(\"], \"gi\"),\r\n severity: \"critical\",\r\n category: \"obfuscation\",\r\n title: \"Buffer/atob encoded payload\",\r\n description: \"Decodes encoded content via Buffer.from() or atob(), often used to hide malicious payloads.\",\r\n codeOnly: true,\r\n fix: \"Include the decoded content directly so users can review it.\",\r\n },\r\n {\r\n name: \"STRING_FROMCHARCODE\",\r\n pattern: re([\"String\\\\.from\", \"CharCode\\\\s*\\\\(\"], \"gi\"),\r\n severity: \"medium\",\r\n category: \"obfuscation\",\r\n title: \"String.fromCharCode usage\",\r\n description: \"Builds strings from character codes to evade static pattern detection.\",\r\n codeOnly: true,\r\n fix: \"Use plain string literals instead of String.fromCharCode().\",\r\n },\r\n {\r\n name: \"DYNAMIC_PROPERTY_ACCESS\",\r\n pattern: /(?:process|global|window|globalThis)\\s*\\[\\s*['\"`]?\\w*['\"`]?\\s*\\+/gi,\r\n severity: \"medium\",\r\n category: \"obfuscation\",\r\n title: \"Dynamic property access on globals\",\r\n description: \"Dynamically accesses global object properties via string concatenation to hide intent.\",\r\n codeOnly: true,\r\n fix: \"Use direct property access (e.g., `process.env`) instead of dynamic bracket notation.\",\r\n },\r\n\r\n // ═══════════════════════════════════════════════════════\r\n // MEDIUM: Privilege escalation & system access\r\n // ═══════════════════════════════════════════════════════\r\n {\r\n name: \"SUDO_USAGE\",\r\n pattern: /sudo\\s+(?!apt|dnf|yum|brew)/gi,\r\n severity: \"medium\",\r\n category: \"privilege_escalation\",\r\n title: \"Sudo usage\",\r\n description: \"Requests elevated privileges — check if actually required for the task.\",\r\n codeOnly: true,\r\n fix: \"Remove sudo if not strictly necessary, or document why elevated privileges are required.\",\r\n },\r\n {\r\n name: \"CHMOD_DANGEROUS\",\r\n pattern: /chmod\\s+(?:777|a\\+[rwx]|[+]s)/gi,\r\n severity: \"medium\",\r\n category: \"privilege_escalation\",\r\n title: \"Dangerous file permissions\",\r\n description: \"Sets overly permissive file permissions (777) or setuid/setgid bits.\",\r\n codeOnly: true,\r\n fix: \"Use least-privilege permissions (e.g., `chmod 755` or `chmod 644`) instead of 777.\",\r\n },\r\n {\r\n name: \"PATH_TRAVERSAL\",\r\n pattern: /\\.\\.\\//g,\r\n severity: \"medium\",\r\n category: \"file_system\",\r\n title: \"Path traversal\",\r\n description: \"Uses relative path traversal (../) which could access files outside expected directories.\",\r\n fix: \"Use absolute paths or paths relative to the skill's working directory.\",\r\n },\r\n\r\n // ═══════════════════════════════════════════════════════\r\n // LOW: Suspicious but not necessarily malicious\r\n // ═══════════════════════════════════════════════════════\r\n {\r\n name: \"SHELL_EXEC\",\r\n pattern: re([\"child_\", \"process|ex\", \"ec\\\\(|spa\", \"wn\\\\(\"], \"gi\"),\r\n severity: \"low\",\r\n category: \"code_execution\",\r\n title: \"Shell execution API\",\r\n description: \"Uses shell execution APIs — legitimate but worth noting.\",\r\n codeOnly: true,\r\n fix: \"If shell execution is needed, use execFile() with explicit arguments instead of exec() with string commands.\",\r\n },\r\n {\r\n name: \"NETWORK_REQUEST\",\r\n pattern: /fetch\\(|axios|node-fetch|got\\(/gi,\r\n severity: \"low\",\r\n category: \"network\",\r\n title: \"Network request API\",\r\n description: \"Makes network requests — legitimate but worth reviewing targets.\",\r\n codeOnly: true,\r\n fix: \"Document all network endpoints in the skill description so users can review them.\",\r\n },\r\n {\r\n name: \"FILE_WRITE\",\r\n pattern: /fs\\.write|writeFileSync/gi,\r\n severity: \"low\",\r\n category: \"file_system\",\r\n title: \"File write operation\",\r\n description: \"Writes to the filesystem — check what files are being modified.\",\r\n codeOnly: true,\r\n fix: \"Document which files are written and why in the skill description.\",\r\n },\r\n {\r\n name: \"ENV_MODIFICATION\",\r\n pattern: /process\\.env\\[|export\\s+[A-Z_]+=|setenv/gi,\r\n severity: \"low\",\r\n category: \"environment\",\r\n title: \"Environment variable modification\",\r\n description: \"Modifies environment variables which could affect other tools or processes.\",\r\n codeOnly: true,\r\n fix: \"Document env var modifications in the skill description and declare them in requires.env.\",\r\n },\r\n {\r\n name: \"WILDCARD_FILE_ACCESS\",\r\n pattern: /\\*\\.(pem|key|p12|pfx|jks|keystore|ovpn|rdp)/gi,\r\n severity: \"low\",\r\n category: \"credential_theft\",\r\n title: \"Sensitive file extension glob\",\r\n description: \"Globs for files with sensitive extensions (keys, certificates, VPN configs).\",\r\n fix: \"Reference specific files by name instead of using wildcard patterns on sensitive extensions.\",\r\n },\r\n {\r\n name: \"LARGE_BASE64_LITERAL\",\r\n pattern: /[A-Za-z0-9+/=]{100,}/g,\r\n severity: \"low\",\r\n category: \"obfuscation\",\r\n title: \"Large base64-like string\",\r\n description: \"Contains a long base64-like string that may be an encoded payload.\",\r\n fix: \"Include the decoded content directly or explain what the base64 string contains.\",\r\n },\r\n];\r\n\r\nexport const POPULAR_SKILLS = [\r\n \"todoist-cli\",\r\n \"github-manager\",\r\n \"slack-assistant\",\r\n \"email-composer\",\r\n \"calendar-sync\",\r\n \"weather-forecast\",\r\n \"news-reader\",\r\n \"code-reviewer\",\r\n \"docker-helper\",\r\n \"aws-manager\",\r\n \"notion-sync\",\r\n \"jira-tracker\",\r\n \"spotify-controller\",\r\n \"home-assistant\",\r\n \"file-organizer\",\r\n \"pdf-reader\",\r\n \"translate-text\",\r\n \"image-generator\",\r\n \"web-scraper\",\r\n \"database-query\",\r\n \"git-assistant\",\r\n \"linux-admin\",\r\n \"python-helper\",\r\n \"react-builder\",\r\n \"api-tester\",\r\n \"markdown-editor\",\r\n \"csv-analyzer\",\r\n \"ssh-manager\",\r\n \"cron-scheduler\",\r\n \"log-analyzer\",\r\n];\r\n","import { parse as parseYaml } from \"yaml\";\r\nimport type { ParsedSkill, SkillFrontmatter, CodeBlock } from \"../types.js\";\r\n\r\nconst FRONTMATTER_RE = /^---\\r?\\n([\\s\\S]*?)\\r?\\n---/;\r\nconst CODE_BLOCK_RE = /```(\\w*)\\r?\\n([\\s\\S]*?)```/g;\r\nconst URL_RE = /https?:\\/\\/[^\\s\"'<>\\])+]+/gi;\r\nconst IP_RE = /\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b/g;\r\nconst DOMAIN_RE = /\\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\\.)+[a-z]{2,}\\b/gi;\r\n\r\nexport function parseSkill(content: string): ParsedSkill {\r\n let frontmatter: SkillFrontmatter = {};\r\n let body = content;\r\n\r\n const fmMatch = content.match(FRONTMATTER_RE);\r\n if (fmMatch) {\r\n try {\r\n frontmatter = parseYaml(fmMatch[1]) as SkillFrontmatter;\r\n } catch {\r\n frontmatter = {};\r\n }\r\n body = content.slice(fmMatch[0].length).trim();\r\n }\r\n\r\n const codeBlocks: CodeBlock[] = [];\r\n let match: RegExpExecArray | null;\r\n const cbRe = new RegExp(CODE_BLOCK_RE.source, CODE_BLOCK_RE.flags);\r\n\r\n while ((match = cbRe.exec(content)) !== null) {\r\n const before = content.slice(0, match.index);\r\n const lineStart = before.split(\"\\n\").length;\r\n const blockLines = match[0].split(\"\\n\").length;\r\n codeBlocks.push({\r\n language: match[1] || \"unknown\",\r\n content: match[2],\r\n lineStart,\r\n lineEnd: lineStart + blockLines - 1,\r\n });\r\n }\r\n\r\n const urls = [...new Set(content.match(URL_RE) || [])];\r\n const ipAddresses = [...new Set(content.match(IP_RE) || [])];\r\n const domains = [...new Set(content.match(DOMAIN_RE) || [])];\r\n\r\n return {\r\n frontmatter,\r\n body,\r\n codeBlocks,\r\n urls,\r\n ipAddresses,\r\n domains,\r\n rawContent: content,\r\n };\r\n}\r\n","import { THREAT_PATTERNS } from \"../patterns.js\";\r\nimport type { Finding, ParsedSkill, Severity } from \"../types.js\";\r\n\r\nfunction isInCodeBlock(lineNumber: number, skill: ParsedSkill): boolean {\r\n return skill.codeBlocks.some(\r\n (block) => lineNumber >= block.lineStart && lineNumber <= block.lineEnd\r\n );\r\n}\r\n\r\nfunction isInHeading(lineNumber: number, rawContent: string): boolean {\r\n const lines = rawContent.split(\"\\n\");\r\n const line = lines[lineNumber - 1] || \"\";\r\n return /^\\s*#{1,6}\\s/.test(line);\r\n}\r\n\r\nconst BASE_CONFIDENCE: Record<Severity, number> = {\r\n critical: 0.9,\r\n high: 0.8,\r\n medium: 0.6,\r\n low: 0.5,\r\n};\r\n\r\nexport function runStaticAnalysis(skill: ParsedSkill): Finding[] {\r\n const findings: Finding[] = [];\r\n\r\n for (const threat of THREAT_PATTERNS) {\r\n const re = new RegExp(threat.pattern.source, threat.pattern.flags);\r\n let match: RegExpExecArray | null;\r\n\r\n while ((match = re.exec(skill.rawContent)) !== null) {\r\n const before = skill.rawContent.slice(0, match.index);\r\n const lineNumber = before.split(\"\\n\").length;\r\n\r\n if (threat.codeOnly && !isInCodeBlock(lineNumber, skill)) {\r\n continue;\r\n }\r\n\r\n const inCode = isInCodeBlock(lineNumber, skill);\r\n const inHeading = isInHeading(lineNumber, skill.rawContent);\r\n\r\n let contextMultiplier: number;\r\n if (inCode && threat.codeOnly) {\r\n contextMultiplier = 1.0;\r\n } else if (inCode) {\r\n contextMultiplier = 0.95;\r\n } else if (inHeading) {\r\n contextMultiplier = 0.5;\r\n } else if (threat.codeOnly) {\r\n // codeOnly pattern somehow in prose (shouldn't happen due to skip above)\r\n contextMultiplier = 0.4;\r\n } else {\r\n // Non-codeOnly patterns are designed to match in prose\r\n contextMultiplier = 0.9;\r\n }\r\n\r\n const baseConfidence = BASE_CONFIDENCE[threat.severity];\r\n const confidence = Math.min(1.0, baseConfidence * contextMultiplier);\r\n\r\n findings.push({\r\n category: threat.category,\r\n severity: threat.severity,\r\n title: threat.title,\r\n description: threat.description,\r\n evidence: match[0],\r\n lineNumber,\r\n analysisPass: \"static-analysis\",\r\n confidence: Math.round(confidence * 100) / 100,\r\n fix: threat.fix,\r\n });\r\n }\r\n }\r\n\r\n return findings;\r\n}\r\n","import type { Finding, ParsedSkill } from \"../types.js\";\r\n\r\nconst SEMVER_RE = /^\\d+\\.\\d+\\.\\d+/;\r\n\r\nconst KNOWN_BINS = [\r\n \"curl\", \"wget\", \"git\", \"python\", \"python3\", \"node\", \"npm\", \"npx\",\r\n \"brew\", \"apt\", \"pip\", \"docker\", \"kubectl\", \"ssh\", \"scp\", \"rsync\",\r\n \"ffmpeg\", \"jq\", \"sed\", \"awk\", \"grep\", \"find\",\r\n];\r\n\r\nexport function validateMetadata(skill: ParsedSkill): Finding[] {\r\n const findings: Finding[] = [];\r\n const fm = skill.frontmatter;\r\n const pass = \"metadata-validator\";\r\n\r\n if (!fm.name) {\r\n findings.push({\r\n category: \"metadata\",\r\n severity: \"medium\",\r\n title: \"Missing skill name\",\r\n description: \"SKILL.md frontmatter does not declare a name.\",\r\n analysisPass: pass,\r\n fix: \"Add `name:` to the YAML frontmatter.\",\r\n });\r\n }\r\n\r\n if (!fm.description) {\r\n findings.push({\r\n category: \"metadata\",\r\n severity: \"medium\",\r\n title: \"Missing description\",\r\n description: \"SKILL.md frontmatter does not declare a description.\",\r\n analysisPass: pass,\r\n fix: \"Add `description:` to the YAML frontmatter.\",\r\n });\r\n } else if (fm.description.length < 10) {\r\n findings.push({\r\n category: \"metadata\",\r\n severity: \"low\",\r\n title: \"Vague description\",\r\n description: \"Skill description is suspiciously short.\",\r\n evidence: fm.description,\r\n analysisPass: pass,\r\n fix: \"Write a more detailed description (at least 10 characters).\",\r\n });\r\n }\r\n\r\n if (fm.version && !SEMVER_RE.test(fm.version)) {\r\n findings.push({\r\n category: \"metadata\",\r\n severity: \"low\",\r\n title: \"Invalid version format\",\r\n description: \"Version does not follow semver format.\",\r\n evidence: fm.version,\r\n analysisPass: pass,\r\n fix: \"Use semver format: `version: X.Y.Z` (e.g., `1.0.0`).\",\r\n });\r\n }\r\n\r\n const declaredBins = new Set(fm.metadata?.openclaw?.requires?.bins || []);\r\n\r\n for (const bin of KNOWN_BINS) {\r\n const binRe = new RegExp(`\\\\b${bin}\\\\b`, \"i\");\r\n if (binRe.test(skill.rawContent) && !declaredBins.has(bin)) {\r\n const usedInCode = skill.codeBlocks.some((cb) => binRe.test(cb.content));\r\n if (usedInCode) {\r\n findings.push({\r\n category: \"metadata\",\r\n severity: \"low\",\r\n title: `Undeclared binary: ${bin}`,\r\n description: `Skill uses '${bin}' in code but does not declare it in requires.bins.`,\r\n analysisPass: pass,\r\n fix: `Add '${bin}' to \\`metadata.openclaw.requires.bins\\` in frontmatter.`,\r\n });\r\n }\r\n }\r\n }\r\n\r\n const declaredEnv = new Set(fm.metadata?.openclaw?.requires?.env || []);\r\n const envRe = /\\$\\{?([A-Z][A-Z0-9_]+)\\}?/g;\r\n let match: RegExpExecArray | null;\r\n\r\n while ((match = envRe.exec(skill.rawContent)) !== null) {\r\n const envVar = match[1];\r\n if (!declaredEnv.has(envVar) && envVar.length > 2) {\r\n findings.push({\r\n category: \"metadata\",\r\n severity: \"low\",\r\n title: `Undeclared env var: ${envVar}`,\r\n description: `References environment variable $${envVar} but does not declare it in requires.env.`,\r\n evidence: match[0],\r\n analysisPass: pass,\r\n fix: `Add '${envVar}' to \\`metadata.openclaw.requires.env\\` in frontmatter.`,\r\n });\r\n }\r\n }\r\n\r\n return findings;\r\n}\r\n","import type { Finding, ParsedSkill } from \"../types.js\";\r\n\r\nconst NPX_AUTO_INSTALL_RE = /npx\\s+-y\\s+/gi;\r\nconst NPM_INSTALL_RE = /npm\\s+install\\s+(-g\\s+)?(\\S+)/gi;\r\n\r\nexport function checkDependencies(skill: ParsedSkill): Finding[] {\r\n const findings: Finding[] = [];\r\n const pass = \"dependency-checker\";\r\n\r\n let match: RegExpExecArray | null;\r\n const npxRe = new RegExp(NPX_AUTO_INSTALL_RE.source, NPX_AUTO_INSTALL_RE.flags);\r\n\r\n while ((match = npxRe.exec(skill.rawContent)) !== null) {\r\n const before = skill.rawContent.slice(0, match.index);\r\n const lineNumber = before.split(\"\\n\").length;\r\n\r\n findings.push({\r\n category: \"dependency_risk\",\r\n severity: \"medium\",\r\n title: \"npx auto-install (-y flag)\",\r\n description: \"Uses 'npx -y' which auto-installs packages without user confirmation.\",\r\n evidence: match[0],\r\n lineNumber,\r\n analysisPass: pass,\r\n fix: \"Remove the `-y` flag from npx to require user confirmation before installing.\",\r\n });\r\n }\r\n\r\n const npmRe = new RegExp(NPM_INSTALL_RE.source, NPM_INSTALL_RE.flags);\r\n while ((match = npmRe.exec(skill.rawContent)) !== null) {\r\n if (match[1]) {\r\n findings.push({\r\n category: \"dependency_risk\",\r\n severity: \"medium\",\r\n title: \"Global npm package install\",\r\n description: `Installs npm package globally: ${match[2]}`,\r\n evidence: match[0],\r\n analysisPass: pass,\r\n fix: \"Use a local install (`npm install` without `-g`) or declare the dependency in requires.bins.\",\r\n });\r\n }\r\n }\r\n\r\n return findings;\r\n}\r\n","import { distance } from \"fastest-levenshtein\";\r\nimport { POPULAR_SKILLS } from \"../patterns.js\";\r\nimport type { Finding } from \"../types.js\";\r\n\r\nconst MAX_EDIT_DISTANCE = 2;\r\n\r\nexport function detectTyposquats(skillName: string): Finding[] {\r\n if (!skillName) return [];\r\n\r\n const findings: Finding[] = [];\r\n const normalized = skillName.toLowerCase().trim();\r\n\r\n for (const popular of POPULAR_SKILLS) {\r\n if (normalized === popular) continue;\r\n\r\n const d = distance(normalized, popular);\r\n if (d > 0 && d <= MAX_EDIT_DISTANCE) {\r\n findings.push({\r\n category: \"typosquatting\",\r\n severity: \"high\",\r\n title: `Possible typosquat of \"${popular}\"`,\r\n description: `Skill name \"${skillName}\" is ${d} edit(s) away from popular skill \"${popular}\". This may be an attempt to impersonate a trusted skill.`,\r\n evidence: `\"${skillName}\" ≈ \"${popular}\" (distance: ${d})`,\r\n analysisPass: \"typosquat-detector\",\r\n });\r\n }\r\n }\r\n\r\n const patterns = [\r\n { re: /-{2,}/, desc: \"extra hyphens\" },\r\n { re: /(.)\\1{2,}/, desc: \"repeated characters\" },\r\n ];\r\n\r\n for (const p of patterns) {\r\n if (p.re.test(normalized) && !POPULAR_SKILLS.includes(normalized)) {\r\n findings.push({\r\n category: \"typosquatting\",\r\n severity: \"medium\",\r\n title: `Suspicious naming pattern: ${p.desc}`,\r\n description: `Skill name \"${skillName}\" has ${p.desc}, which is a common typosquatting technique.`,\r\n analysisPass: \"typosquat-detector\",\r\n });\r\n }\r\n }\r\n\r\n return findings;\r\n}\r\n","import type { Finding, FindingsCount, RiskGrade } from \"../types.js\";\r\n\r\nconst SEVERITY_WEIGHTS = {\r\n critical: 30,\r\n high: 15,\r\n medium: 7,\r\n low: 3,\r\n} as const;\r\n\r\nexport function calculateRiskScore(findings: Finding[]): number {\r\n let score = 0;\r\n for (const f of findings) {\r\n score += SEVERITY_WEIGHTS[f.severity] * (f.confidence ?? 1.0);\r\n }\r\n return Math.min(score, 100);\r\n}\r\n\r\nexport function getRiskGrade(score: number): RiskGrade {\r\n if (score <= 10) return \"A\";\r\n if (score <= 25) return \"B\";\r\n if (score <= 50) return \"C\";\r\n if (score <= 75) return \"D\";\r\n return \"F\";\r\n}\r\n\r\nexport function countFindings(findings: Finding[]): FindingsCount {\r\n const counts: FindingsCount = { critical: 0, high: 0, medium: 0, low: 0 };\r\n for (const f of findings) {\r\n counts[f.severity]++;\r\n }\r\n return counts;\r\n}\r\n","import { createHash } from \"node:crypto\";\r\nimport type { ScanResult } from \"../types.js\";\r\n\r\nconst MAX_ENTRIES = 100;\r\nconst cache = new Map<string, ScanResult>();\r\n\r\nfunction hashContent(content: string): string {\r\n return createHash(\"sha256\").update(content).digest(\"hex\");\r\n}\r\n\r\nexport function getCached(content: string): ScanResult | undefined {\r\n const key = hashContent(content);\r\n const result = cache.get(key);\r\n if (result) {\r\n // Move to end (most recently used)\r\n cache.delete(key);\r\n cache.set(key, result);\r\n }\r\n return result;\r\n}\r\n\r\nexport function setCached(content: string, result: ScanResult): void {\r\n const key = hashContent(content);\r\n if (cache.has(key)) {\r\n cache.delete(key);\r\n } else if (cache.size >= MAX_ENTRIES) {\r\n // Evict oldest (first entry)\r\n const oldest = cache.keys().next().value!;\r\n cache.delete(oldest);\r\n }\r\n cache.set(key, result);\r\n}\r\n","import type { Finding, ScanResult } from \"../types.js\";\r\nimport { parseSkill } from \"./skill-parser.js\";\r\nimport { runStaticAnalysis } from \"./static-analysis.js\";\r\nimport { validateMetadata } from \"./metadata-validator.js\";\r\nimport { checkDependencies } from \"./dependency-checker.js\";\r\nimport { detectTyposquats } from \"./typosquat-detector.js\";\r\nimport { calculateRiskScore, getRiskGrade, countFindings } from \"./risk-scorer.js\";\r\nimport { getCached, setCached } from \"./cache.js\";\r\n\r\nexport interface ScanOptions {\r\n semantic?: boolean;\r\n semanticAnalyzer?: (content: string) => Promise<Finding[]>;\r\n ignorePatterns?: string[];\r\n skipCache?: boolean;\r\n}\r\n\r\nexport async function scanSkill(\r\n content: string,\r\n options: ScanOptions = {}\r\n): Promise<ScanResult> {\r\n if (!options.skipCache) {\r\n const cached = getCached(content);\r\n if (cached) {\r\n return { ...cached, cached: true };\r\n }\r\n }\r\n\r\n const skill = parseSkill(content);\r\n const allFindings: Finding[] = [];\r\n\r\n allFindings.push(...runStaticAnalysis(skill));\r\n allFindings.push(...validateMetadata(skill));\r\n\r\n if (options.semantic && options.semanticAnalyzer) {\r\n const semanticFindings = await options.semanticAnalyzer(content);\r\n allFindings.push(...semanticFindings);\r\n }\r\n\r\n allFindings.push(...checkDependencies(skill));\r\n\r\n if (skill.frontmatter.name) {\r\n allFindings.push(...detectTyposquats(skill.frontmatter.name));\r\n }\r\n\r\n // Filter out ignored patterns\r\n const filteredFindings = options.ignorePatterns?.length\r\n ? allFindings.filter(\r\n (f) => !options.ignorePatterns!.some((ig) => f.title === ig || f.category === ig)\r\n )\r\n : allFindings;\r\n\r\n const riskScore = calculateRiskScore(filteredFindings);\r\n const riskGrade = getRiskGrade(riskScore);\r\n const findingsCount = countFindings(filteredFindings);\r\n\r\n const recommendation =\r\n riskScore >= 76 ? \"block\" : riskScore >= 26 ? \"warn\" : \"approve\";\r\n\r\n const result: ScanResult = {\r\n skillName: skill.frontmatter.name || \"unknown\",\r\n skillVersion: skill.frontmatter.version,\r\n skillSource: \"local\",\r\n status: \"complete\",\r\n riskScore,\r\n riskGrade,\r\n findingsCount,\r\n findings: filteredFindings,\r\n recommendation,\r\n };\r\n\r\n if (!options.skipCache) {\r\n setCached(content, result);\r\n }\r\n\r\n return result;\r\n}\r\n\r\nexport { parseSkill } from \"./skill-parser.js\";\r\nexport { runStaticAnalysis } from \"./static-analysis.js\";\r\nexport { validateMetadata } from \"./metadata-validator.js\";\r\nexport { checkDependencies } from \"./dependency-checker.js\";\r\nexport { detectTyposquats } from \"./typosquat-detector.js\";\r\nexport { calculateRiskScore, getRiskGrade, countFindings } from \"./risk-scorer.js\";\r\n","import chalk from \"chalk\";\r\nimport type { ScanResult, Finding, Severity } from \"@clawvet/shared\";\r\n\r\nconst SEVERITY_COLORS: Record<Severity, (s: string) => string> = {\r\n critical: chalk.bgRed.white.bold,\r\n high: chalk.red.bold,\r\n medium: chalk.yellow,\r\n low: chalk.blue,\r\n};\r\n\r\nconst GRADE_COLORS: Record<string, (s: string) => string> = {\r\n A: chalk.green.bold,\r\n B: chalk.greenBright,\r\n C: chalk.yellow.bold,\r\n D: chalk.redBright.bold,\r\n F: chalk.bgRed.white.bold,\r\n};\r\n\r\nexport function printScanResult(result: ScanResult): void {\r\n console.log();\r\n console.log(chalk.bold(\"━\".repeat(60)));\r\n console.log(chalk.bold(\" ClawVet Scan Report\"));\r\n console.log(chalk.bold(\"━\".repeat(60)));\r\n console.log();\r\n\r\n console.log(` Skill: ${chalk.bold(result.skillName)}`);\r\n if (result.skillVersion) {\r\n console.log(` Version: ${result.skillVersion}`);\r\n }\r\n console.log();\r\n\r\n // Risk score\r\n const gradeColor = GRADE_COLORS[result.riskGrade] || chalk.white;\r\n console.log(\r\n ` Risk Score: ${gradeColor(`${result.riskScore}/100`)} Grade: ${gradeColor(result.riskGrade)}`\r\n );\r\n console.log();\r\n\r\n // Findings summary\r\n const fc = result.findingsCount;\r\n console.log(\" Findings:\");\r\n if (fc.critical)\r\n console.log(\r\n ` ${SEVERITY_COLORS.critical(` CRITICAL `)} ${fc.critical}`\r\n );\r\n if (fc.high)\r\n console.log(` ${SEVERITY_COLORS.high(\"HIGH\")} ${fc.high}`);\r\n if (fc.medium)\r\n console.log(` ${SEVERITY_COLORS.medium(\"MEDIUM\")} ${fc.medium}`);\r\n if (fc.low) console.log(` ${SEVERITY_COLORS.low(\"LOW\")} ${fc.low}`);\r\n if (!fc.critical && !fc.high && !fc.medium && !fc.low) {\r\n console.log(` ${chalk.green(\"No findings — skill looks clean!\")}`);\r\n }\r\n console.log();\r\n\r\n // Detailed findings\r\n if (result.findings.length > 0) {\r\n console.log(chalk.bold(\" Details:\"));\r\n console.log();\r\n for (const f of result.findings) {\r\n const color = SEVERITY_COLORS[f.severity];\r\n const confStr = f.confidence != null ? ` ${Math.round(f.confidence * 100)}%` : \"\";\r\n console.log(` ${color(`[${f.severity.toUpperCase()}${confStr}]`)} ${f.title}`);\r\n console.log(` ${chalk.dim(f.description)}`);\r\n if (f.evidence) {\r\n console.log(` Evidence: ${chalk.italic(f.evidence)}`);\r\n }\r\n if (f.lineNumber) {\r\n console.log(` Line: ${f.lineNumber}`);\r\n }\r\n if (f.fix) {\r\n console.log(` Fix: ${chalk.green(f.fix)}`);\r\n }\r\n console.log();\r\n }\r\n }\r\n\r\n // Recommendation\r\n const recColors: Record<string, (s: string) => string> = {\r\n block: chalk.bgRed.white.bold,\r\n warn: chalk.bgYellow.black.bold,\r\n approve: chalk.bgGreen.black.bold,\r\n };\r\n const rec = result.recommendation || \"approve\";\r\n console.log(\r\n ` Recommendation: ${(recColors[rec] || chalk.white)(` ${rec.toUpperCase()} `)}`\r\n );\r\n console.log();\r\n console.log(chalk.bold(\"━\".repeat(60)));\r\n console.log();\r\n}\r\n","import type { ScanResult } from \"@clawvet/shared\";\r\n\r\nexport function printJsonResult(result: ScanResult): void {\r\n console.log(JSON.stringify(result, null, 2));\r\n}\r\n","import type { ScanResult, Finding, Severity } from \"@clawvet/shared\";\r\n\r\nconst SEVERITY_TO_SARIF: Record<Severity, string> = {\r\n critical: \"error\",\r\n high: \"error\",\r\n medium: \"warning\",\r\n low: \"note\",\r\n};\r\n\r\nconst SEVERITY_TO_LEVEL: Record<Severity, string> = {\r\n critical: \"9.0\",\r\n high: \"7.0\",\r\n medium: \"4.0\",\r\n low: \"1.0\",\r\n};\r\n\r\nexport function printSarifResult(result: ScanResult): void {\r\n const rules = new Map<string, { id: string; finding: Finding }>();\r\n\r\n for (const f of result.findings) {\r\n const ruleId = f.category + \"/\" + f.title.toLowerCase().replace(/[^a-z0-9]+/g, \"-\");\r\n if (!rules.has(ruleId)) {\r\n rules.set(ruleId, { id: ruleId, finding: f });\r\n }\r\n }\r\n\r\n const sarif = {\r\n $schema: \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\r\n version: \"2.1.0\",\r\n runs: [\r\n {\r\n tool: {\r\n driver: {\r\n name: \"clawvet\",\r\n informationUri: \"https://github.com/clawvet/clawvet\",\r\n rules: [...rules.values()].map((r) => ({\r\n id: r.id,\r\n shortDescription: { text: r.finding.title },\r\n fullDescription: { text: r.finding.description },\r\n defaultConfiguration: {\r\n level: SEVERITY_TO_SARIF[r.finding.severity],\r\n },\r\n properties: {\r\n security_severity: SEVERITY_TO_LEVEL[r.finding.severity],\r\n },\r\n })),\r\n },\r\n },\r\n results: result.findings.map((f) => {\r\n const ruleId = f.category + \"/\" + f.title.toLowerCase().replace(/[^a-z0-9]+/g, \"-\");\r\n return {\r\n ruleId,\r\n level: SEVERITY_TO_SARIF[f.severity],\r\n message: {\r\n text: f.description + (f.evidence ? ` Evidence: ${f.evidence}` : \"\"),\r\n ...(f.fix ? { markdown: `${f.description}\\n\\n**Fix:** ${f.fix}` } : {}),\r\n },\r\n locations: [\r\n {\r\n physicalLocation: {\r\n artifactLocation: { uri: \"SKILL.md\" },\r\n region: { startLine: f.lineNumber ?? 1 },\r\n },\r\n },\r\n ],\r\n };\r\n }),\r\n },\r\n ],\r\n };\r\n\r\n console.log(JSON.stringify(sarif, null, 2));\r\n}\r\n","import { readFileSync, writeFileSync, mkdirSync, existsSync } from \"node:fs\";\r\nimport { join } from \"node:path\";\r\nimport { homedir, platform, release } from \"node:os\";\r\nimport { randomUUID } from \"node:crypto\";\r\nimport type { ScanResult } from \"@clawvet/shared\";\r\n\r\nconst CONFIG_DIR = join(homedir(), \".clawvet\");\r\nconst CONFIG_FILE = join(CONFIG_DIR, \"config.json\");\r\nconst TELEMETRY_ENDPOINT = \"https://bazzzz--0ab7a9301f3911f1ab9942dde27851f2.web.val.run\";\r\n\r\ninterface Config {\r\n telemetry?: \"on\" | \"off\" | undefined; // undefined = not yet asked\r\n deviceId?: string;\r\n scanCount?: number;\r\n}\r\n\r\nfunction loadConfig(): Config {\r\n try {\r\n if (existsSync(CONFIG_FILE)) {\r\n return JSON.parse(readFileSync(CONFIG_FILE, \"utf-8\"));\r\n }\r\n } catch {\r\n // corrupted config, start fresh\r\n }\r\n return {};\r\n}\r\n\r\nfunction saveConfig(config: Config): void {\r\n try {\r\n mkdirSync(CONFIG_DIR, { recursive: true });\r\n writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2));\r\n } catch {\r\n // non-critical, ignore\r\n }\r\n}\r\n\r\nexport function isTelemetryEnabled(): boolean {\r\n const env = process.env.CLAWVET_TELEMETRY;\r\n if (env === \"0\" || env === \"off\") return false;\r\n if (env === \"1\" || env === \"on\") return true;\r\n const config = loadConfig();\r\n return config.telemetry === \"on\";\r\n}\r\n\r\nexport function setTelemetry(enabled: boolean): void {\r\n const config = loadConfig();\r\n config.telemetry = enabled ? \"on\" : \"off\";\r\n saveConfig(config);\r\n}\r\n\r\nexport function hasBeenAsked(): boolean {\r\n const config = loadConfig();\r\n return config.telemetry !== undefined;\r\n}\r\n\r\nfunction getDeviceId(): string {\r\n const config = loadConfig();\r\n if (!config.deviceId) {\r\n config.deviceId = randomUUID();\r\n saveConfig(config);\r\n }\r\n return config.deviceId;\r\n}\r\n\r\nfunction incrementScanCount(): number {\r\n const config = loadConfig();\r\n config.scanCount = (config.scanCount || 0) + 1;\r\n saveConfig(config);\r\n return config.scanCount;\r\n}\r\n\r\nexport function sendTelemetry(result: ScanResult): void {\r\n if (!isTelemetryEnabled()) return;\r\n\r\n const scanCount = incrementScanCount();\r\n\r\n const payload = {\r\n deviceId: getDeviceId(),\r\n scanCount,\r\n ts: new Date().toISOString(),\r\n os: platform(),\r\n osVersion: release(),\r\n skillName: result.skillName,\r\n riskScore: result.riskScore,\r\n riskGrade: result.riskGrade,\r\n findingsCount: result.findingsCount,\r\n cached: result.cached ?? false,\r\n };\r\n\r\n // Fire-and-forget — never block the CLI\r\n fetch(TELEMETRY_ENDPOINT, {\r\n method: \"POST\",\r\n headers: { \"Content-Type\": \"application/json\" },\r\n body: JSON.stringify(payload),\r\n signal: AbortSignal.timeout(3000),\r\n }).catch(() => {\r\n // silently ignore — telemetry is best-effort\r\n });\r\n}\r\n","import { readdirSync, existsSync, readFileSync } from \"node:fs\";\r\nimport { join } from \"node:path\";\r\nimport { homedir } from \"node:os\";\r\nimport { scanSkill } from \"@clawvet/shared\";\r\nimport { printScanResult } from \"../output/terminal.js\";\r\nimport chalk from \"chalk\";\r\n\r\nconst DEFAULT_SKILL_DIRS = [\r\n join(homedir(), \".openclaw\", \"skills\"),\r\n join(homedir(), \".openclaw\", \"workspace\", \"skills\"),\r\n];\r\n\r\nexport async function auditCommand(options: { dir?: string } = {}): Promise<void> {\r\n const SKILL_DIRS = options.dir ? [options.dir] : DEFAULT_SKILL_DIRS;\r\n console.log(chalk.bold(\"\\nClawVet Audit — Scanning all installed skills\\n\"));\r\n\r\n let totalScanned = 0;\r\n let totalThreats = 0;\r\n\r\n for (const dir of SKILL_DIRS) {\r\n if (!existsSync(dir)) {\r\n if (options.dir) {\r\n console.error(chalk.yellow(`Warning: Directory not found: ${dir}\\n`));\r\n process.exit(1);\r\n }\r\n continue;\r\n }\r\n\r\n // If the dir itself contains a SKILL.md, scan it directly\r\n const directSkillFile = join(dir, \"SKILL.md\");\r\n if (existsSync(directSkillFile)) {\r\n const content = readFileSync(directSkillFile, \"utf-8\");\r\n const result = await scanSkill(content);\r\n totalScanned++;\r\n totalThreats += result.findings.length;\r\n printScanResult(result);\r\n continue;\r\n }\r\n\r\n const entries = readdirSync(dir, { withFileTypes: true });\r\n for (const entry of entries) {\r\n if (!entry.isDirectory()) continue;\r\n const skillFile = join(dir, entry.name, \"SKILL.md\");\r\n if (!existsSync(skillFile)) continue;\r\n\r\n const content = readFileSync(skillFile, \"utf-8\");\r\n const result = await scanSkill(content);\r\n totalScanned++;\r\n totalThreats += result.findings.length;\r\n\r\n printScanResult(result);\r\n }\r\n }\r\n\r\n console.log(chalk.bold(`\\nAudit complete: ${totalScanned} skills scanned, ${totalThreats} findings\\n`));\r\n}\r\n","import { readFileSync, existsSync, watch } from \"node:fs\";\r\nimport { join } from \"node:path\";\r\nimport { homedir } from \"node:os\";\r\nimport chalk from \"chalk\";\r\nimport { scanSkill } from \"@clawvet/shared\";\r\nimport { printScanResult } from \"../output/terminal.js\";\r\n\r\nconst DEFAULT_SKILL_DIRS = [\r\n join(homedir(), \".openclaw\", \"skills\"),\r\n join(homedir(), \".openclaw\", \"workspace\", \"skills\"),\r\n];\r\n\r\nexport async function watchCommand(options: {\r\n threshold?: number;\r\n dir?: string;\r\n}): Promise<void> {\r\n const threshold = options.threshold || 50;\r\n const SKILL_DIRS = options.dir ? [options.dir] : DEFAULT_SKILL_DIRS;\r\n console.log(\r\n chalk.bold(\r\n `\\nClawVet Watch — monitoring skill directories (threshold: ${threshold})\\n`\r\n )\r\n );\r\n\r\n const watchDirs: string[] = [];\r\n for (const dir of SKILL_DIRS) {\r\n if (existsSync(dir)) {\r\n watchDirs.push(dir);\r\n }\r\n }\r\n\r\n if (watchDirs.length === 0) {\r\n console.log(\r\n chalk.yellow(\r\n \"No OpenClaw skill directories found. Watching will start when directories are created.\\n\"\r\n )\r\n );\r\n console.log(chalk.dim(\"Expected directories:\"));\r\n for (const dir of SKILL_DIRS) {\r\n console.log(chalk.dim(` ${dir}`));\r\n }\r\n console.log();\r\n process.exit(1);\r\n }\r\n\r\n console.log(chalk.dim(\"Watching:\"));\r\n for (const dir of watchDirs) {\r\n console.log(chalk.dim(` ${dir}`));\r\n }\r\n console.log();\r\n\r\n for (const dir of watchDirs) {\r\n const watcher = watch(dir, { recursive: true }, async (event, filename) => {\r\n if (!filename?.endsWith(\"SKILL.md\")) return;\r\n\r\n const skillFile = join(dir, filename);\r\n if (!existsSync(skillFile)) return;\r\n\r\n console.log(chalk.dim(`\\nDetected change: ${filename}`));\r\n\r\n try {\r\n const content = readFileSync(skillFile, \"utf-8\");\r\n const result = await scanSkill(content);\r\n\r\n if (result.cached) {\r\n console.log(chalk.dim(\"(cached)\"));\r\n }\r\n printScanResult(result);\r\n\r\n if (result.riskScore > threshold) {\r\n console.log(\r\n chalk.bgRed.white.bold(\r\n ` BLOCKED — Risk score ${result.riskScore} exceeds threshold ${threshold} `\r\n )\r\n );\r\n console.log(\r\n chalk.red(\r\n `This skill should not be installed. Run 'clawvet scan ${skillFile}' for details.\\n`\r\n )\r\n );\r\n }\r\n } catch (err) {\r\n console.error(chalk.red(`Error scanning ${filename}:`), err);\r\n }\r\n });\r\n\r\n process.on(\"SIGINT\", () => {\r\n watcher.close();\r\n console.log(chalk.dim(\"\\nWatch stopped.\"));\r\n process.exit(0);\r\n });\r\n }\r\n\r\n console.log(chalk.dim(\"Press Ctrl+C to stop watching.\\n\"));\r\n await new Promise(() => {});\r\n}\r\n","import { readFileSync, existsSync, statSync } from \"node:fs\";\r\nimport { resolve, join } from \"node:path\";\r\nimport chalk from \"chalk\";\r\nimport { scanSkill } from \"@clawvet/shared\";\r\nimport type { RiskGrade } from \"@clawvet/shared\";\r\n\r\nconst GRADE_COLORS: Record<RiskGrade, string> = {\r\n A: \"brightgreen\",\r\n B: \"green\",\r\n C: \"yellow\",\r\n D: \"orange\",\r\n F: \"red\",\r\n};\r\n\r\nconst GRADE_LABELS: Record<RiskGrade, string> = {\r\n A: \"safe\",\r\n B: \"safe\",\r\n C: \"review\",\r\n D: \"risky\",\r\n F: \"dangerous\",\r\n};\r\n\r\nexport async function badgeCommand(\r\n target: string,\r\n options: { markdown?: boolean }\r\n): Promise<void> {\r\n const skillPath = resolve(target);\r\n let skillFile = skillPath;\r\n\r\n if (\r\n existsSync(skillPath) &&\r\n !skillPath.endsWith(\".md\") &&\r\n existsSync(join(skillPath, \"SKILL.md\"))\r\n ) {\r\n skillFile = join(skillPath, \"SKILL.md\");\r\n }\r\n\r\n if (!existsSync(skillFile) || statSync(skillFile).isDirectory()) {\r\n console.error(`Error: Cannot find SKILL.md at ${skillFile}`);\r\n process.exit(1);\r\n }\r\n\r\n const content = readFileSync(skillFile, \"utf-8\");\r\n const result = await scanSkill(content);\r\n\r\n const label = GRADE_LABELS[result.riskGrade];\r\n const color = GRADE_COLORS[result.riskGrade];\r\n const badgeUrl = `https://img.shields.io/badge/clawvet-${result.riskGrade}%20${label}-${color}`;\r\n const linkUrl = \"https://github.com/MohibShaikh/clawvet\";\r\n\r\n if (options.markdown) {\r\n console.log(`[![ClawVet ${result.riskGrade}](${badgeUrl})](${linkUrl})`);\r\n } else {\r\n console.log();\r\n console.log(chalk.bold(\" ClawVet Trust Badge\"));\r\n console.log();\r\n console.log(` Skill: ${chalk.bold(result.skillName)}`);\r\n console.log(` Grade: ${result.riskGrade} (${label})`);\r\n console.log(` Score: ${result.riskScore}/100`);\r\n console.log();\r\n console.log(chalk.dim(\" Markdown (paste in README):\"));\r\n console.log();\r\n console.log(` [![ClawVet ${result.riskGrade}](${badgeUrl})](${linkUrl})`);\r\n console.log();\r\n console.log(chalk.dim(\" HTML:\"));\r\n console.log();\r\n console.log(` <a href=\"${linkUrl}\"><img src=\"${badgeUrl}\" alt=\"ClawVet ${result.riskGrade}\"></a>`);\r\n console.log();\r\n }\r\n}\r\n"],"mappings":";;;AAAA,SAAS,eAAe;;;ACAxB,SAAS,gBAAAA,eAAc,cAAAC,aAAY,gBAAgB;AACnD,SAAS,SAAS,QAAAC,aAAY;AAC9B,OAAOC,YAAW;;;ACClB,SAAS,GAAG,OAAiB,OAAuB;AAClD,SAAO,IAAI,OAAO,MAAM,KAAK,EAAE,GAAG,KAAK;AACzC;AAEO,IAAM,kBAAmC;AAAA;AAAA;AAAA;AAAA,EAI9C;AAAA,IACE,MAAM;AAAA,IACN,SAAS,GAAG,CAAC,0BAA0B,IAAI,GAAG,IAAI;AAAA,IAClD,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS,GAAG,CAAC,yBAAyB,IAAI,GAAG,IAAI;AAAA,IACjD,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS,GAAG,CAAC,MAAM,WAAW,GAAG,IAAI;AAAA,IACrC,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS,GAAG,CAAC,QAAQ,mBAAmB,MAAM,GAAG,IAAI;AAAA,IACrD,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS,GAAG,CAAC,QAAQ,cAAc,GAAG,IAAI;AAAA,IAC1C,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS,GAAG,CAAC,eAAe,yBAAyB,eAAe,gBAAgB,GAAG,IAAI;AAAA,IAC3F,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS,GAAG,CAAC,QAAQ,yBAAyB,YAAY,eAAe,GAAG,IAAI;AAAA,IAChF,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS,GAAG,CAAC,OAAO,SAAS,GAAG,IAAI;AAAA,IACpC,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS,GAAG,CAAC,MAAM,aAAa,GAAG,IAAI;AAAA,IACvC,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS,GAAG,CAAC,OAAO,SAAS,GAAG,IAAI;AAAA,IACpC,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS,GAAG,CAAC,cAAc,kBAAkB,sBAAsB,QAAQ,GAAG,IAAI;AAAA,IAClF,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS,GAAG,CAAC,OAAO,+BAAgC,gBAAiB,WAAW,GAAG,IAAI;AAAA,IACvF,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS,GAAG,CAAC,iBAAiB,iBAAiB,GAAG,IAAI;AAAA,IACtD,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA,IACE,MAAM;AAAA,IACN,SAAS,GAAG,CAAC,UAAU,cAAc,aAAa,OAAO,GAAG,IAAI;AAAA,IAChE,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU;AAAA,IACV,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP,aAAa;AAAA,IACb,KAAK;AAAA,EACP;AACF;AAEO,IAAM,iBAAiB;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;;;AChmBA,SAAS,SAAS,iBAAiB;AAGnC,IAAM,iBAAiB;AACvB,IAAM,gBAAgB;AACtB,IAAM,SAAS;AACf,IAAM,QAAQ;AACd,IAAM,YAAY;AAEX,SAAS,WAAW,SAA8B;AACvD,MAAI,cAAgC,CAAC;AACrC,MAAI,OAAO;AAEX,QAAM,UAAU,QAAQ,MAAM,cAAc;AAC5C,MAAI,SAAS;AACX,QAAI;AACF,oBAAc,UAAU,QAAQ,CAAC,CAAC;AAAA,IACpC,QAAQ;AACN,oBAAc,CAAC;AAAA,IACjB;AACA,WAAO,QAAQ,MAAM,QAAQ,CAAC,EAAE,MAAM,EAAE,KAAK;AAAA,EAC/C;AAEA,QAAM,aAA0B,CAAC;AACjC,MAAI;AACJ,QAAM,OAAO,IAAI,OAAO,cAAc,QAAQ,cAAc,KAAK;AAEjE,UAAQ,QAAQ,KAAK,KAAK,OAAO,OAAO,MAAM;AAC5C,UAAM,SAAS,QAAQ,MAAM,GAAG,MAAM,KAAK;AAC3C,UAAM,YAAY,OAAO,MAAM,IAAI,EAAE;AACrC,UAAM,aAAa,MAAM,CAAC,EAAE,MAAM,IAAI,EAAE;AACxC,eAAW,KAAK;AAAA,MACd,UAAU,MAAM,CAAC,KAAK;AAAA,MACtB,SAAS,MAAM,CAAC;AAAA,MAChB;AAAA,MACA,SAAS,YAAY,aAAa;AAAA,IACpC,CAAC;AAAA,EACH;AAEA,QAAM,OAAO,CAAC,GAAG,IAAI,IAAI,QAAQ,MAAM,MAAM,KAAK,CAAC,CAAC,CAAC;AACrD,QAAM,cAAc,CAAC,GAAG,IAAI,IAAI,QAAQ,MAAM,KAAK,KAAK,CAAC,CAAC,CAAC;AAC3D,QAAM,UAAU,CAAC,GAAG,IAAI,IAAI,QAAQ,MAAM,SAAS,KAAK,CAAC,CAAC,CAAC;AAE3D,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,YAAY;AAAA,EACd;AACF;;;ACjDA,SAAS,cAAc,YAAoB,OAA6B;AACtE,SAAO,MAAM,WAAW;AAAA,IACtB,CAAC,UAAU,cAAc,MAAM,aAAa,cAAc,MAAM;AAAA,EAClE;AACF;AAEA,SAAS,YAAY,YAAoB,YAA6B;AACpE,QAAM,QAAQ,WAAW,MAAM,IAAI;AACnC,QAAM,OAAO,MAAM,aAAa,CAAC,KAAK;AACtC,SAAO,eAAe,KAAK,IAAI;AACjC;AAEA,IAAM,kBAA4C;AAAA,EAChD,UAAU;AAAA,EACV,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,KAAK;AACP;AAEO,SAAS,kBAAkB,OAA+B;AAC/D,QAAM,WAAsB,CAAC;AAE7B,aAAW,UAAU,iBAAiB;AACpC,UAAMC,MAAK,IAAI,OAAO,OAAO,QAAQ,QAAQ,OAAO,QAAQ,KAAK;AACjE,QAAI;AAEJ,YAAQ,QAAQA,IAAG,KAAK,MAAM,UAAU,OAAO,MAAM;AACnD,YAAM,SAAS,MAAM,WAAW,MAAM,GAAG,MAAM,KAAK;AACpD,YAAM,aAAa,OAAO,MAAM,IAAI,EAAE;AAEtC,UAAI,OAAO,YAAY,CAAC,cAAc,YAAY,KAAK,GAAG;AACxD;AAAA,MACF;AAEA,YAAM,SAAS,cAAc,YAAY,KAAK;AAC9C,YAAM,YAAY,YAAY,YAAY,MAAM,UAAU;AAE1D,UAAI;AACJ,UAAI,UAAU,OAAO,UAAU;AAC7B,4BAAoB;AAAA,MACtB,WAAW,QAAQ;AACjB,4BAAoB;AAAA,MACtB,WAAW,WAAW;AACpB,4BAAoB;AAAA,MACtB,WAAW,OAAO,UAAU;AAE1B,4BAAoB;AAAA,MACtB,OAAO;AAEL,4BAAoB;AAAA,MACtB;AAEA,YAAM,iBAAiB,gBAAgB,OAAO,QAAQ;AACtD,YAAM,aAAa,KAAK,IAAI,GAAK,iBAAiB,iBAAiB;AAEnE,eAAS,KAAK;AAAA,QACZ,UAAU,OAAO;AAAA,QACjB,UAAU,OAAO;AAAA,QACjB,OAAO,OAAO;AAAA,QACd,aAAa,OAAO;AAAA,QACpB,UAAU,MAAM,CAAC;AAAA,QACjB;AAAA,QACA,cAAc;AAAA,QACd,YAAY,KAAK,MAAM,aAAa,GAAG,IAAI;AAAA,QAC3C,KAAK,OAAO;AAAA,MACd,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;;;ACvEA,IAAM,YAAY;AAElB,IAAM,aAAa;AAAA,EACjB;AAAA,EAAQ;AAAA,EAAQ;AAAA,EAAO;AAAA,EAAU;AAAA,EAAW;AAAA,EAAQ;AAAA,EAAO;AAAA,EAC3D;AAAA,EAAQ;AAAA,EAAO;AAAA,EAAO;AAAA,EAAU;AAAA,EAAW;AAAA,EAAO;AAAA,EAAO;AAAA,EACzD;AAAA,EAAU;AAAA,EAAM;AAAA,EAAO;AAAA,EAAO;AAAA,EAAQ;AACxC;AAEO,SAAS,iBAAiB,OAA+B;AAC9D,QAAM,WAAsB,CAAC;AAC7B,QAAM,KAAK,MAAM;AACjB,QAAM,OAAO;AAEb,MAAI,CAAC,GAAG,MAAM;AACZ,aAAS,KAAK;AAAA,MACZ,UAAU;AAAA,MACV,UAAU;AAAA,MACV,OAAO;AAAA,MACP,aAAa;AAAA,MACb,cAAc;AAAA,MACd,KAAK;AAAA,IACP,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,GAAG,aAAa;AACnB,aAAS,KAAK;AAAA,MACZ,UAAU;AAAA,MACV,UAAU;AAAA,MACV,OAAO;AAAA,MACP,aAAa;AAAA,MACb,cAAc;AAAA,MACd,KAAK;AAAA,IACP,CAAC;AAAA,EACH,WAAW,GAAG,YAAY,SAAS,IAAI;AACrC,aAAS,KAAK;AAAA,MACZ,UAAU;AAAA,MACV,UAAU;AAAA,MACV,OAAO;AAAA,MACP,aAAa;AAAA,MACb,UAAU,GAAG;AAAA,MACb,cAAc;AAAA,MACd,KAAK;AAAA,IACP,CAAC;AAAA,EACH;AAEA,MAAI,GAAG,WAAW,CAAC,UAAU,KAAK,GAAG,OAAO,GAAG;AAC7C,aAAS,KAAK;AAAA,MACZ,UAAU;AAAA,MACV,UAAU;AAAA,MACV,OAAO;AAAA,MACP,aAAa;AAAA,MACb,UAAU,GAAG;AAAA,MACb,cAAc;AAAA,MACd,KAAK;AAAA,IACP,CAAC;AAAA,EACH;AAEA,QAAM,eAAe,IAAI,IAAI,GAAG,UAAU,UAAU,UAAU,QAAQ,CAAC,CAAC;AAExE,aAAW,OAAO,YAAY;AAC5B,UAAM,QAAQ,IAAI,OAAO,MAAM,GAAG,OAAO,GAAG;AAC5C,QAAI,MAAM,KAAK,MAAM,UAAU,KAAK,CAAC,aAAa,IAAI,GAAG,GAAG;AAC1D,YAAM,aAAa,MAAM,WAAW,KAAK,CAAC,OAAO,MAAM,KAAK,GAAG,OAAO,CAAC;AACvE,UAAI,YAAY;AACd,iBAAS,KAAK;AAAA,UACZ,UAAU;AAAA,UACV,UAAU;AAAA,UACV,OAAO,sBAAsB,GAAG;AAAA,UAChC,aAAa,eAAe,GAAG;AAAA,UAC/B,cAAc;AAAA,UACd,KAAK,QAAQ,GAAG;AAAA,QAClB,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,QAAM,cAAc,IAAI,IAAI,GAAG,UAAU,UAAU,UAAU,OAAO,CAAC,CAAC;AACtE,QAAM,QAAQ;AACd,MAAI;AAEJ,UAAQ,QAAQ,MAAM,KAAK,MAAM,UAAU,OAAO,MAAM;AACtD,UAAM,SAAS,MAAM,CAAC;AACtB,QAAI,CAAC,YAAY,IAAI,MAAM,KAAK,OAAO,SAAS,GAAG;AACjD,eAAS,KAAK;AAAA,QACZ,UAAU;AAAA,QACV,UAAU;AAAA,QACV,OAAO,uBAAuB,MAAM;AAAA,QACpC,aAAa,oCAAoC,MAAM;AAAA,QACvD,UAAU,MAAM,CAAC;AAAA,QACjB,cAAc;AAAA,QACd,KAAK,QAAQ,MAAM;AAAA,MACrB,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;;;AChGA,IAAM,sBAAsB;AAC5B,IAAM,iBAAiB;AAEhB,SAAS,kBAAkB,OAA+B;AAC/D,QAAM,WAAsB,CAAC;AAC7B,QAAM,OAAO;AAEb,MAAI;AACJ,QAAM,QAAQ,IAAI,OAAO,oBAAoB,QAAQ,oBAAoB,KAAK;AAE9E,UAAQ,QAAQ,MAAM,KAAK,MAAM,UAAU,OAAO,MAAM;AACtD,UAAM,SAAS,MAAM,WAAW,MAAM,GAAG,MAAM,KAAK;AACpD,UAAM,aAAa,OAAO,MAAM,IAAI,EAAE;AAEtC,aAAS,KAAK;AAAA,MACZ,UAAU;AAAA,MACV,UAAU;AAAA,MACV,OAAO;AAAA,MACP,aAAa;AAAA,MACb,UAAU,MAAM,CAAC;AAAA,MACjB;AAAA,MACA,cAAc;AAAA,MACd,KAAK;AAAA,IACP,CAAC;AAAA,EACH;AAEA,QAAM,QAAQ,IAAI,OAAO,eAAe,QAAQ,eAAe,KAAK;AACpE,UAAQ,QAAQ,MAAM,KAAK,MAAM,UAAU,OAAO,MAAM;AACtD,QAAI,MAAM,CAAC,GAAG;AACZ,eAAS,KAAK;AAAA,QACZ,UAAU;AAAA,QACV,UAAU;AAAA,QACV,OAAO;AAAA,QACP,aAAa,kCAAkC,MAAM,CAAC,CAAC;AAAA,QACvD,UAAU,MAAM,CAAC;AAAA,QACjB,cAAc;AAAA,QACd,KAAK;AAAA,MACP,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;;;AC5CA,SAAS,gBAAgB;AAIzB,IAAM,oBAAoB;AAEnB,SAAS,iBAAiB,WAA8B;AAC7D,MAAI,CAAC,UAAW,QAAO,CAAC;AAExB,QAAM,WAAsB,CAAC;AAC7B,QAAM,aAAa,UAAU,YAAY,EAAE,KAAK;AAEhD,aAAW,WAAW,gBAAgB;AACpC,QAAI,eAAe,QAAS;AAE5B,UAAM,IAAI,SAAS,YAAY,OAAO;AACtC,QAAI,IAAI,KAAK,KAAK,mBAAmB;AACnC,eAAS,KAAK;AAAA,QACZ,UAAU;AAAA,QACV,UAAU;AAAA,QACV,OAAO,0BAA0B,OAAO;AAAA,QACxC,aAAa,eAAe,SAAS,QAAQ,CAAC,qCAAqC,OAAO;AAAA,QAC1F,UAAU,IAAI,SAAS,aAAQ,OAAO,gBAAgB,CAAC;AAAA,QACvD,cAAc;AAAA,MAChB,CAAC;AAAA,IACH;AAAA,EACF;AAEA,QAAM,WAAW;AAAA,IACf,EAAE,IAAI,SAAS,MAAM,gBAAgB;AAAA,IACrC,EAAE,IAAI,aAAa,MAAM,sBAAsB;AAAA,EACjD;AAEA,aAAW,KAAK,UAAU;AACxB,QAAI,EAAE,GAAG,KAAK,UAAU,KAAK,CAAC,eAAe,SAAS,UAAU,GAAG;AACjE,eAAS,KAAK;AAAA,QACZ,UAAU;AAAA,QACV,UAAU;AAAA,QACV,OAAO,8BAA8B,EAAE,IAAI;AAAA,QAC3C,aAAa,eAAe,SAAS,SAAS,EAAE,IAAI;AAAA,QACpD,cAAc;AAAA,MAChB,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;;;AC5CA,IAAM,mBAAmB;AAAA,EACvB,UAAU;AAAA,EACV,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,KAAK;AACP;AAEO,SAAS,mBAAmB,UAA6B;AAC9D,MAAI,QAAQ;AACZ,aAAW,KAAK,UAAU;AACxB,aAAS,iBAAiB,EAAE,QAAQ,KAAK,EAAE,cAAc;AAAA,EAC3D;AACA,SAAO,KAAK,IAAI,OAAO,GAAG;AAC5B;AAEO,SAAS,aAAa,OAA0B;AACrD,MAAI,SAAS,GAAI,QAAO;AACxB,MAAI,SAAS,GAAI,QAAO;AACxB,MAAI,SAAS,GAAI,QAAO;AACxB,MAAI,SAAS,GAAI,QAAO;AACxB,SAAO;AACT;AAEO,SAAS,cAAc,UAAoC;AAChE,QAAM,SAAwB,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,EAAE;AACxE,aAAW,KAAK,UAAU;AACxB,WAAO,EAAE,QAAQ;AAAA,EACnB;AACA,SAAO;AACT;;;AC/BA,SAAS,kBAAkB;AAG3B,IAAM,cAAc;AACpB,IAAM,QAAQ,oBAAI,IAAwB;AAE1C,SAAS,YAAY,SAAyB;AAC5C,SAAO,WAAW,QAAQ,EAAE,OAAO,OAAO,EAAE,OAAO,KAAK;AAC1D;AAEO,SAAS,UAAU,SAAyC;AACjE,QAAM,MAAM,YAAY,OAAO;AAC/B,QAAM,SAAS,MAAM,IAAI,GAAG;AAC5B,MAAI,QAAQ;AAEV,UAAM,OAAO,GAAG;AAChB,UAAM,IAAI,KAAK,MAAM;AAAA,EACvB;AACA,SAAO;AACT;AAEO,SAAS,UAAU,SAAiB,QAA0B;AACnE,QAAM,MAAM,YAAY,OAAO;AAC/B,MAAI,MAAM,IAAI,GAAG,GAAG;AAClB,UAAM,OAAO,GAAG;AAAA,EAClB,WAAW,MAAM,QAAQ,aAAa;AAEpC,UAAM,SAAS,MAAM,KAAK,EAAE,KAAK,EAAE;AACnC,UAAM,OAAO,MAAM;AAAA,EACrB;AACA,QAAM,IAAI,KAAK,MAAM;AACvB;;;ACfA,eAAsB,UACpB,SACA,UAAuB,CAAC,GACH;AACrB,MAAI,CAAC,QAAQ,WAAW;AACtB,UAAM,SAAS,UAAU,OAAO;AAChC,QAAI,QAAQ;AACV,aAAO,EAAE,GAAG,QAAQ,QAAQ,KAAK;AAAA,IACnC;AAAA,EACF;AAEA,QAAM,QAAQ,WAAW,OAAO;AAChC,QAAM,cAAyB,CAAC;AAEhC,cAAY,KAAK,GAAG,kBAAkB,KAAK,CAAC;AAC5C,cAAY,KAAK,GAAG,iBAAiB,KAAK,CAAC;AAE3C,MAAI,QAAQ,YAAY,QAAQ,kBAAkB;AAChD,UAAM,mBAAmB,MAAM,QAAQ,iBAAiB,OAAO;AAC/D,gBAAY,KAAK,GAAG,gBAAgB;AAAA,EACtC;AAEA,cAAY,KAAK,GAAG,kBAAkB,KAAK,CAAC;AAE5C,MAAI,MAAM,YAAY,MAAM;AAC1B,gBAAY,KAAK,GAAG,iBAAiB,MAAM,YAAY,IAAI,CAAC;AAAA,EAC9D;AAGA,QAAM,mBAAmB,QAAQ,gBAAgB,SAC7C,YAAY;AAAA,IACV,CAAC,MAAM,CAAC,QAAQ,eAAgB,KAAK,CAAC,OAAO,EAAE,UAAU,MAAM,EAAE,aAAa,EAAE;AAAA,EAClF,IACA;AAEJ,QAAM,YAAY,mBAAmB,gBAAgB;AACrD,QAAM,YAAY,aAAa,SAAS;AACxC,QAAM,gBAAgB,cAAc,gBAAgB;AAEpD,QAAM,iBACJ,aAAa,KAAK,UAAU,aAAa,KAAK,SAAS;AAEzD,QAAM,SAAqB;AAAA,IACzB,WAAW,MAAM,YAAY,QAAQ;AAAA,IACrC,cAAc,MAAM,YAAY;AAAA,IAChC,aAAa;AAAA,IACb,QAAQ;AAAA,IACR;AAAA,IACA;AAAA,IACA;AAAA,IACA,UAAU;AAAA,IACV;AAAA,EACF;AAEA,MAAI,CAAC,QAAQ,WAAW;AACtB,cAAU,SAAS,MAAM;AAAA,EAC3B;AAEA,SAAO;AACT;;;AC3EA,OAAO,WAAW;AAGlB,IAAM,kBAA2D;AAAA,EAC/D,UAAU,MAAM,MAAM,MAAM;AAAA,EAC5B,MAAM,MAAM,IAAI;AAAA,EAChB,QAAQ,MAAM;AAAA,EACd,KAAK,MAAM;AACb;AAEA,IAAM,eAAsD;AAAA,EAC1D,GAAG,MAAM,MAAM;AAAA,EACf,GAAG,MAAM;AAAA,EACT,GAAG,MAAM,OAAO;AAAA,EAChB,GAAG,MAAM,UAAU;AAAA,EACnB,GAAG,MAAM,MAAM,MAAM;AACvB;AAEO,SAAS,gBAAgB,QAA0B;AACxD,UAAQ,IAAI;AACZ,UAAQ,IAAI,MAAM,KAAK,SAAI,OAAO,EAAE,CAAC,CAAC;AACtC,UAAQ,IAAI,MAAM,KAAK,uBAAuB,CAAC;AAC/C,UAAQ,IAAI,MAAM,KAAK,SAAI,OAAO,EAAE,CAAC,CAAC;AACtC,UAAQ,IAAI;AAEZ,UAAQ,IAAI,cAAc,MAAM,KAAK,OAAO,SAAS,CAAC,EAAE;AACxD,MAAI,OAAO,cAAc;AACvB,YAAQ,IAAI,cAAc,OAAO,YAAY,EAAE;AAAA,EACjD;AACA,UAAQ,IAAI;AAGZ,QAAM,aAAa,aAAa,OAAO,SAAS,KAAK,MAAM;AAC3D,UAAQ;AAAA,IACN,iBAAiB,WAAW,GAAG,OAAO,SAAS,MAAM,CAAC,YAAY,WAAW,OAAO,SAAS,CAAC;AAAA,EAChG;AACA,UAAQ,IAAI;AAGZ,QAAM,KAAK,OAAO;AAClB,UAAQ,IAAI,aAAa;AACzB,MAAI,GAAG;AACL,YAAQ;AAAA,MACN,OAAO,gBAAgB,SAAS,YAAY,CAAC,IAAI,GAAG,QAAQ;AAAA,IAC9D;AACF,MAAI,GAAG;AACL,YAAQ,IAAI,OAAO,gBAAgB,KAAK,MAAM,CAAC,QAAQ,GAAG,IAAI,EAAE;AAClE,MAAI,GAAG;AACL,YAAQ,IAAI,OAAO,gBAAgB,OAAO,QAAQ,CAAC,MAAM,GAAG,MAAM,EAAE;AACtE,MAAI,GAAG,IAAK,SAAQ,IAAI,OAAO,gBAAgB,IAAI,KAAK,CAAC,SAAS,GAAG,GAAG,EAAE;AAC1E,MAAI,CAAC,GAAG,YAAY,CAAC,GAAG,QAAQ,CAAC,GAAG,UAAU,CAAC,GAAG,KAAK;AACrD,YAAQ,IAAI,OAAO,MAAM,MAAM,uCAAkC,CAAC,EAAE;AAAA,EACtE;AACA,UAAQ,IAAI;AAGZ,MAAI,OAAO,SAAS,SAAS,GAAG;AAC9B,YAAQ,IAAI,MAAM,KAAK,YAAY,CAAC;AACpC,YAAQ,IAAI;AACZ,eAAW,KAAK,OAAO,UAAU;AAC/B,YAAM,QAAQ,gBAAgB,EAAE,QAAQ;AACxC,YAAM,UAAU,EAAE,cAAc,OAAO,IAAI,KAAK,MAAM,EAAE,aAAa,GAAG,CAAC,MAAM;AAC/E,cAAQ,IAAI,KAAK,MAAM,IAAI,EAAE,SAAS,YAAY,CAAC,GAAG,OAAO,GAAG,CAAC,IAAI,EAAE,KAAK,EAAE;AAC9E,cAAQ,IAAI,OAAO,MAAM,IAAI,EAAE,WAAW,CAAC,EAAE;AAC7C,UAAI,EAAE,UAAU;AACd,gBAAQ,IAAI,iBAAiB,MAAM,OAAO,EAAE,QAAQ,CAAC,EAAE;AAAA,MACzD;AACA,UAAI,EAAE,YAAY;AAChB,gBAAQ,IAAI,aAAa,EAAE,UAAU,EAAE;AAAA,MACzC;AACA,UAAI,EAAE,KAAK;AACT,gBAAQ,IAAI,YAAY,MAAM,MAAM,EAAE,GAAG,CAAC,EAAE;AAAA,MAC9C;AACA,cAAQ,IAAI;AAAA,IACd;AAAA,EACF;AAGA,QAAM,YAAmD;AAAA,IACvD,OAAO,MAAM,MAAM,MAAM;AAAA,IACzB,MAAM,MAAM,SAAS,MAAM;AAAA,IAC3B,SAAS,MAAM,QAAQ,MAAM;AAAA,EAC/B;AACA,QAAM,MAAM,OAAO,kBAAkB;AACrC,UAAQ;AAAA,IACN,sBAAsB,UAAU,GAAG,KAAK,MAAM,OAAO,IAAI,IAAI,YAAY,CAAC,GAAG,CAAC;AAAA,EAChF;AACA,UAAQ,IAAI;AACZ,UAAQ,IAAI,MAAM,KAAK,SAAI,OAAO,EAAE,CAAC,CAAC;AACtC,UAAQ,IAAI;AACd;;;ACxFO,SAAS,gBAAgB,QAA0B;AACxD,UAAQ,IAAI,KAAK,UAAU,QAAQ,MAAM,CAAC,CAAC;AAC7C;;;ACFA,IAAM,oBAA8C;AAAA,EAClD,UAAU;AAAA,EACV,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,KAAK;AACP;AAEA,IAAM,oBAA8C;AAAA,EAClD,UAAU;AAAA,EACV,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,KAAK;AACP;AAEO,SAAS,iBAAiB,QAA0B;AACzD,QAAM,QAAQ,oBAAI,IAA8C;AAEhE,aAAW,KAAK,OAAO,UAAU;AAC/B,UAAM,SAAS,EAAE,WAAW,MAAM,EAAE,MAAM,YAAY,EAAE,QAAQ,eAAe,GAAG;AAClF,QAAI,CAAC,MAAM,IAAI,MAAM,GAAG;AACtB,YAAM,IAAI,QAAQ,EAAE,IAAI,QAAQ,SAAS,EAAE,CAAC;AAAA,IAC9C;AAAA,EACF;AAEA,QAAM,QAAQ;AAAA,IACZ,SAAS;AAAA,IACT,SAAS;AAAA,IACT,MAAM;AAAA,MACJ;AAAA,QACE,MAAM;AAAA,UACJ,QAAQ;AAAA,YACN,MAAM;AAAA,YACN,gBAAgB;AAAA,YAChB,OAAO,CAAC,GAAG,MAAM,OAAO,CAAC,EAAE,IAAI,CAAC,OAAO;AAAA,cACrC,IAAI,EAAE;AAAA,cACN,kBAAkB,EAAE,MAAM,EAAE,QAAQ,MAAM;AAAA,cAC1C,iBAAiB,EAAE,MAAM,EAAE,QAAQ,YAAY;AAAA,cAC/C,sBAAsB;AAAA,gBACpB,OAAO,kBAAkB,EAAE,QAAQ,QAAQ;AAAA,cAC7C;AAAA,cACA,YAAY;AAAA,gBACV,mBAAmB,kBAAkB,EAAE,QAAQ,QAAQ;AAAA,cACzD;AAAA,YACF,EAAE;AAAA,UACJ;AAAA,QACF;AAAA,QACA,SAAS,OAAO,SAAS,IAAI,CAAC,MAAM;AAClC,gBAAM,SAAS,EAAE,WAAW,MAAM,EAAE,MAAM,YAAY,EAAE,QAAQ,eAAe,GAAG;AAClF,iBAAO;AAAA,YACL;AAAA,YACA,OAAO,kBAAkB,EAAE,QAAQ;AAAA,YACnC,SAAS;AAAA,cACP,MAAM,EAAE,eAAe,EAAE,WAAW,cAAc,EAAE,QAAQ,KAAK;AAAA,cACjE,GAAI,EAAE,MAAM,EAAE,UAAU,GAAG,EAAE,WAAW;AAAA;AAAA,WAAgB,EAAE,GAAG,GAAG,IAAI,CAAC;AAAA,YACvE;AAAA,YACA,WAAW;AAAA,cACT;AAAA,gBACE,kBAAkB;AAAA,kBAChB,kBAAkB,EAAE,KAAK,WAAW;AAAA,kBACpC,QAAQ,EAAE,WAAW,EAAE,cAAc,EAAE;AAAA,gBACzC;AAAA,cACF;AAAA,YACF;AAAA,UACF;AAAA,QACF,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,UAAQ,IAAI,KAAK,UAAU,OAAO,MAAM,CAAC,CAAC;AAC5C;;;ACxEA,SAAS,cAAc,eAAe,WAAW,kBAAkB;AACnE,SAAS,YAAY;AACrB,SAAS,SAAS,UAAU,eAAe;AAC3C,SAAS,kBAAkB;AAG3B,IAAM,aAAa,KAAK,QAAQ,GAAG,UAAU;AAC7C,IAAM,cAAc,KAAK,YAAY,aAAa;AAClD,IAAM,qBAAqB;AAQ3B,SAAS,aAAqB;AAC5B,MAAI;AACF,QAAI,WAAW,WAAW,GAAG;AAC3B,aAAO,KAAK,MAAM,aAAa,aAAa,OAAO,CAAC;AAAA,IACtD;AAAA,EACF,QAAQ;AAAA,EAER;AACA,SAAO,CAAC;AACV;AAEA,SAAS,WAAW,QAAsB;AACxC,MAAI;AACF,cAAU,YAAY,EAAE,WAAW,KAAK,CAAC;AACzC,kBAAc,aAAa,KAAK,UAAU,QAAQ,MAAM,CAAC,CAAC;AAAA,EAC5D,QAAQ;AAAA,EAER;AACF;AAEO,SAAS,qBAA8B;AAC5C,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,QAAQ,OAAO,QAAQ,MAAO,QAAO;AACzC,MAAI,QAAQ,OAAO,QAAQ,KAAM,QAAO;AACxC,QAAM,SAAS,WAAW;AAC1B,SAAO,OAAO,cAAc;AAC9B;AAEO,SAAS,aAAa,SAAwB;AACnD,QAAM,SAAS,WAAW;AAC1B,SAAO,YAAY,UAAU,OAAO;AACpC,aAAW,MAAM;AACnB;AAEO,SAAS,eAAwB;AACtC,QAAM,SAAS,WAAW;AAC1B,SAAO,OAAO,cAAc;AAC9B;AAEA,SAAS,cAAsB;AAC7B,QAAM,SAAS,WAAW;AAC1B,MAAI,CAAC,OAAO,UAAU;AACpB,WAAO,WAAW,WAAW;AAC7B,eAAW,MAAM;AAAA,EACnB;AACA,SAAO,OAAO;AAChB;AAEA,SAAS,qBAA6B;AACpC,QAAM,SAAS,WAAW;AAC1B,SAAO,aAAa,OAAO,aAAa,KAAK;AAC7C,aAAW,MAAM;AACjB,SAAO,OAAO;AAChB;AAEO,SAAS,cAAc,QAA0B;AACtD,MAAI,CAAC,mBAAmB,EAAG;AAE3B,QAAM,YAAY,mBAAmB;AAErC,QAAM,UAAU;AAAA,IACd,UAAU,YAAY;AAAA,IACtB;AAAA,IACA,KAAI,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC3B,IAAI,SAAS;AAAA,IACb,WAAW,QAAQ;AAAA,IACnB,WAAW,OAAO;AAAA,IAClB,WAAW,OAAO;AAAA,IAClB,WAAW,OAAO;AAAA,IAClB,eAAe,OAAO;AAAA,IACtB,QAAQ,OAAO,UAAU;AAAA,EAC3B;AAGA,QAAM,oBAAoB;AAAA,IACxB,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,IAC9C,MAAM,KAAK,UAAU,OAAO;AAAA,IAC5B,QAAQ,YAAY,QAAQ,GAAI;AAAA,EAClC,CAAC,EAAE,MAAM,MAAM;AAAA,EAEf,CAAC;AACH;;;AbjFA,eAAe,iBAAiB,MAA+B;AAC7D,QAAM,OAAO;AAAA,IACX,0DAA0D,IAAI;AAAA,IAC9D,oCAAoC,IAAI;AAAA,EAC1C;AAEA,aAAW,OAAO,MAAM;AACtB,QAAI;AACF,YAAM,MAAM,MAAM,MAAM,KAAK,EAAE,QAAQ,YAAY,QAAQ,GAAK,EAAE,CAAC;AACnE,UAAI,IAAI,IAAI;AACV,eAAO,MAAM,IAAI,KAAK;AAAA,MACxB;AAAA,IACF,QAAQ;AAAA,IAER;AAAA,EACF;AAEA,QAAM,IAAI;AAAA,IACR,0BAA0B,IAAI;AAAA,EAChC;AACF;AAEA,eAAsB,YACpB,QACA,SACe;AACf,MAAI;AAEJ,MAAI,QAAQ,QAAQ;AAClB,QAAI;AACF,cAAQ,OAAO,MAAM,aAAa,MAAM;AAAA,CAAqB;AAC7D,gBAAU,MAAM,iBAAiB,MAAM;AAAA,IACzC,SAAS,KAAK;AACZ,cAAQ;AAAA,QACN,eAAe,QAAQ,IAAI,UAAU;AAAA,MACvC;AACA,cAAQ,KAAK,CAAC;AAAA,IAChB;AAAA,EACF,OAAO;AACL,UAAM,YAAY,QAAQ,MAAM;AAChC,QAAI,YAAY;AAEhB,QACEC,YAAW,SAAS,KACpB,CAAC,UAAU,SAAS,KAAK,KACzBA,YAAWC,MAAK,WAAW,UAAU,CAAC,GACtC;AACA,kBAAYA,MAAK,WAAW,UAAU;AAAA,IACxC;AAEA,QAAI,CAACD,YAAW,SAAS,KAAK,SAAS,SAAS,EAAE,YAAY,GAAG;AAC/D,cAAQ,MAAM,kCAAkC,SAAS,EAAE;AAC3D,cAAQ,MAAM,oEAAoE,MAAM,YAAY;AACpG,cAAQ,KAAK,CAAC;AAAA,IAChB;AAEA,cAAUE,cAAa,WAAW,OAAO;AAAA,EAC3C;AAGA,QAAM,UAAUD,MAAK,QAAQ,IAAI,GAAG,aAAa;AACjD,MAAID,YAAW,OAAO,GAAG;AACvB,UAAM,aAAaE,cAAa,SAAS,OAAO,EAC7C,MAAM,IAAI,EACV,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,YAAY,CAAC,EACjC,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,WAAW,GAAG,CAAC;AAGxC,UAAM,UAAU,QAAQ,MAAM,6BAA6B;AAC3D,QAAI,SAAS;AACX,YAAM,SAAS,QAAQ,CAAC,EAAE,YAAY;AACtC,iBAAW,OAAO,YAAY;AAC5B,cAAM,cAAc,OAAO,YAAY;AACvC,YACE,YAAY,SAAS,GAAG,KACxB,OAAO,SAAS,SAAS,GAAG,EAAE,KAC9B,OAAO,SAAS,WAAW,GAAG,EAAE,KAChC,OAAO,SAAS,SAAS,GAAG,EAAE,GAC9B;AACA,kBAAQ;AAAA,YACNC,OAAM,MAAM,MAAM,KAAK,UAAU,IACjCA,OAAM,IAAI,kCAAkC,GAAG,EAAE;AAAA,UACnD;AACA,kBAAQ,MAAMA,OAAM,IAAI,aAAa,OAAO,EAAE,CAAC;AAC/C,kBAAQ,KAAK,CAAC;AAAA,QAChB;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAGA,QAAM,aAAaF,MAAK,QAAQ,IAAI,GAAG,gBAAgB;AACvD,QAAM,iBAA2B,CAAC;AAClC,MAAID,YAAW,UAAU,GAAG;AAC1B,UAAM,QAAQE,cAAa,YAAY,OAAO,EAAE,MAAM,IAAI;AAC1D,eAAW,QAAQ,OAAO;AACxB,YAAM,UAAU,KAAK,KAAK;AAC1B,UAAI,WAAW,CAAC,QAAQ,WAAW,GAAG,GAAG;AACvC,uBAAe,KAAK,OAAO;AAAA,MAC7B;AAAA,IACF;AAAA,EACF;AAEA,QAAM,SAAS,MAAM,UAAU,SAAS;AAAA,IACtC,UAAU,QAAQ,YAAY;AAAA,IAC9B,gBAAgB,eAAe,SAAS,iBAAiB;AAAA,EAC3D,CAAC;AAED,MAAI,CAAC,QAAQ,OAAO;AAClB,QAAI,QAAQ,WAAW,SAAS;AAC9B,uBAAiB,MAAM;AAAA,IACzB,WAAW,QAAQ,WAAW,QAAQ;AACpC,sBAAgB,MAAM;AAAA,IACxB,OAAO;AACL,sBAAgB,MAAM;AAAA,IACxB;AAAA,EACF;AAGA,MAAI,CAAC,QAAQ,SAAS,QAAQ,WAAW,UAAU,QAAQ,WAAW,SAAS;AAC7E,QAAI,CAAC,aAAa,GAAG;AACnB,YAAM,WAAW,MAAM,OAAO,UAAe;AAC7C,YAAM,KAAK,SAAS,gBAAgB,EAAE,OAAO,QAAQ,OAAO,QAAQ,QAAQ,OAAO,CAAC;AACpF,YAAM,SAAS,MAAM,IAAI,QAAgB,CAACE,aAAY;AACpD,WAAG;AAAA,UACDD,OAAM,IAAI,gEAA2D;AAAA,UACrE,CAAC,MAAM;AAAE,eAAG,MAAM;AAAG,YAAAC,SAAQ,EAAE,KAAK,EAAE,YAAY,CAAC;AAAA,UAAG;AAAA,QACxD;AAAA,MACF,CAAC;AACD,mBAAa,WAAW,OAAO,WAAW,KAAK;AAAA,IACjD;AAEA,kBAAc,MAAM;AAGpB,YAAQ;AAAA,MACND,OAAM,IAAI,IAAI,IACdA,OAAM,KAAK,2CAAsC,IACjDA,OAAM,UAAU,KAAK,2BAA2B;AAAA,IAClD;AACA,YAAQ,IAAI;AAAA,EACd,OAAO;AACL,kBAAc,MAAM;AAAA,EACtB;AAEA,QAAM,SAAS,QAAQ,WAAW,QAAQ,QAAQ,SAAS;AAC3D,MAAI,QAAQ;AACV,UAAM,gBAAgB,CAAC,OAAO,UAAU,QAAQ,UAAU;AAC1D,UAAM,YAAY,cAAc,QAAQ,MAAM;AAC9C,UAAM,aAAa,OAAO,SAAS;AAAA,MACjC,CAAC,MAAM,cAAc,QAAQ,EAAE,QAAQ,KAAK;AAAA,IAC9C;AACA,QAAI,YAAY;AACd,cAAQ,KAAK,CAAC;AAAA,IAChB;AAAA,EACF;AACF;;;Ac7KA,SAAS,aAAa,cAAAE,aAAY,gBAAAC,qBAAoB;AACtD,SAAS,QAAAC,aAAY;AACrB,SAAS,WAAAC,gBAAe;AAGxB,OAAOC,YAAW;AAElB,IAAM,qBAAqB;AAAA,EACzBC,MAAKC,SAAQ,GAAG,aAAa,QAAQ;AAAA,EACrCD,MAAKC,SAAQ,GAAG,aAAa,aAAa,QAAQ;AACpD;AAEA,eAAsB,aAAa,UAA4B,CAAC,GAAkB;AAChF,QAAM,aAAa,QAAQ,MAAM,CAAC,QAAQ,GAAG,IAAI;AACjD,UAAQ,IAAIF,OAAM,KAAK,wDAAmD,CAAC;AAE3E,MAAI,eAAe;AACnB,MAAI,eAAe;AAEnB,aAAW,OAAO,YAAY;AAC5B,QAAI,CAACG,YAAW,GAAG,GAAG;AACpB,UAAI,QAAQ,KAAK;AACf,gBAAQ,MAAMH,OAAM,OAAO,iCAAiC,GAAG;AAAA,CAAI,CAAC;AACpE,gBAAQ,KAAK,CAAC;AAAA,MAChB;AACA;AAAA,IACF;AAGA,UAAM,kBAAkBC,MAAK,KAAK,UAAU;AAC5C,QAAIE,YAAW,eAAe,GAAG;AAC/B,YAAM,UAAUC,cAAa,iBAAiB,OAAO;AACrD,YAAM,SAAS,MAAM,UAAU,OAAO;AACtC;AACA,sBAAgB,OAAO,SAAS;AAChC,sBAAgB,MAAM;AACtB;AAAA,IACF;AAEA,UAAM,UAAU,YAAY,KAAK,EAAE,eAAe,KAAK,CAAC;AACxD,eAAW,SAAS,SAAS;AAC3B,UAAI,CAAC,MAAM,YAAY,EAAG;AAC1B,YAAM,YAAYH,MAAK,KAAK,MAAM,MAAM,UAAU;AAClD,UAAI,CAACE,YAAW,SAAS,EAAG;AAE5B,YAAM,UAAUC,cAAa,WAAW,OAAO;AAC/C,YAAM,SAAS,MAAM,UAAU,OAAO;AACtC;AACA,sBAAgB,OAAO,SAAS;AAEhC,sBAAgB,MAAM;AAAA,IACxB;AAAA,EACF;AAEA,UAAQ,IAAIJ,OAAM,KAAK;AAAA,kBAAqB,YAAY,oBAAoB,YAAY;AAAA,CAAa,CAAC;AACxG;;;ACvDA,SAAS,gBAAAK,eAAc,cAAAC,aAAY,aAAa;AAChD,SAAS,QAAAC,aAAY;AACrB,SAAS,WAAAC,gBAAe;AACxB,OAAOC,YAAW;AAIlB,IAAMC,sBAAqB;AAAA,EACzBC,MAAKC,SAAQ,GAAG,aAAa,QAAQ;AAAA,EACrCD,MAAKC,SAAQ,GAAG,aAAa,aAAa,QAAQ;AACpD;AAEA,eAAsB,aAAa,SAGjB;AAChB,QAAM,YAAY,QAAQ,aAAa;AACvC,QAAM,aAAa,QAAQ,MAAM,CAAC,QAAQ,GAAG,IAAIF;AACjD,UAAQ;AAAA,IACNG,OAAM;AAAA,MACJ;AAAA,gEAA8D,SAAS;AAAA;AAAA,IACzE;AAAA,EACF;AAEA,QAAM,YAAsB,CAAC;AAC7B,aAAW,OAAO,YAAY;AAC5B,QAAIC,YAAW,GAAG,GAAG;AACnB,gBAAU,KAAK,GAAG;AAAA,IACpB;AAAA,EACF;AAEA,MAAI,UAAU,WAAW,GAAG;AAC1B,YAAQ;AAAA,MACND,OAAM;AAAA,QACJ;AAAA,MACF;AAAA,IACF;AACA,YAAQ,IAAIA,OAAM,IAAI,uBAAuB,CAAC;AAC9C,eAAW,OAAO,YAAY;AAC5B,cAAQ,IAAIA,OAAM,IAAI,KAAK,GAAG,EAAE,CAAC;AAAA,IACnC;AACA,YAAQ,IAAI;AACZ,YAAQ,KAAK,CAAC;AAAA,EAChB;AAEA,UAAQ,IAAIA,OAAM,IAAI,WAAW,CAAC;AAClC,aAAW,OAAO,WAAW;AAC3B,YAAQ,IAAIA,OAAM,IAAI,KAAK,GAAG,EAAE,CAAC;AAAA,EACnC;AACA,UAAQ,IAAI;AAEZ,aAAW,OAAO,WAAW;AAC3B,UAAM,UAAU,MAAM,KAAK,EAAE,WAAW,KAAK,GAAG,OAAO,OAAO,aAAa;AACzE,UAAI,CAAC,UAAU,SAAS,UAAU,EAAG;AAErC,YAAM,YAAYF,MAAK,KAAK,QAAQ;AACpC,UAAI,CAACG,YAAW,SAAS,EAAG;AAE5B,cAAQ,IAAID,OAAM,IAAI;AAAA,mBAAsB,QAAQ,EAAE,CAAC;AAEvD,UAAI;AACF,cAAM,UAAUE,cAAa,WAAW,OAAO;AAC/C,cAAM,SAAS,MAAM,UAAU,OAAO;AAEtC,YAAI,OAAO,QAAQ;AACjB,kBAAQ,IAAIF,OAAM,IAAI,UAAU,CAAC;AAAA,QACnC;AACA,wBAAgB,MAAM;AAEtB,YAAI,OAAO,YAAY,WAAW;AAChC,kBAAQ;AAAA,YACNA,OAAM,MAAM,MAAM;AAAA,cAChB,8BAAyB,OAAO,SAAS,sBAAsB,SAAS;AAAA,YAC1E;AAAA,UACF;AACA,kBAAQ;AAAA,YACNA,OAAM;AAAA,cACJ,yDAAyD,SAAS;AAAA;AAAA,YACpE;AAAA,UACF;AAAA,QACF;AAAA,MACF,SAAS,KAAK;AACZ,gBAAQ,MAAMA,OAAM,IAAI,kBAAkB,QAAQ,GAAG,GAAG,GAAG;AAAA,MAC7D;AAAA,IACF,CAAC;AAED,YAAQ,GAAG,UAAU,MAAM;AACzB,cAAQ,MAAM;AACd,cAAQ,IAAIA,OAAM,IAAI,kBAAkB,CAAC;AACzC,cAAQ,KAAK,CAAC;AAAA,IAChB,CAAC;AAAA,EACH;AAEA,UAAQ,IAAIA,OAAM,IAAI,kCAAkC,CAAC;AACzD,QAAM,IAAI,QAAQ,MAAM;AAAA,EAAC,CAAC;AAC5B;;;AC/FA,SAAS,gBAAAG,eAAc,cAAAC,aAAY,YAAAC,iBAAgB;AACnD,SAAS,WAAAC,UAAS,QAAAC,aAAY;AAC9B,OAAOC,YAAW;AAIlB,IAAMC,gBAA0C;AAAA,EAC9C,GAAG;AAAA,EACH,GAAG;AAAA,EACH,GAAG;AAAA,EACH,GAAG;AAAA,EACH,GAAG;AACL;AAEA,IAAM,eAA0C;AAAA,EAC9C,GAAG;AAAA,EACH,GAAG;AAAA,EACH,GAAG;AAAA,EACH,GAAG;AAAA,EACH,GAAG;AACL;AAEA,eAAsB,aACpB,QACA,SACe;AACf,QAAM,YAAYC,SAAQ,MAAM;AAChC,MAAI,YAAY;AAEhB,MACEC,YAAW,SAAS,KACpB,CAAC,UAAU,SAAS,KAAK,KACzBA,YAAWC,MAAK,WAAW,UAAU,CAAC,GACtC;AACA,gBAAYA,MAAK,WAAW,UAAU;AAAA,EACxC;AAEA,MAAI,CAACD,YAAW,SAAS,KAAKE,UAAS,SAAS,EAAE,YAAY,GAAG;AAC/D,YAAQ,MAAM,kCAAkC,SAAS,EAAE;AAC3D,YAAQ,KAAK,CAAC;AAAA,EAChB;AAEA,QAAM,UAAUC,cAAa,WAAW,OAAO;AAC/C,QAAM,SAAS,MAAM,UAAU,OAAO;AAEtC,QAAM,QAAQ,aAAa,OAAO,SAAS;AAC3C,QAAM,QAAQL,cAAa,OAAO,SAAS;AAC3C,QAAM,WAAW,wCAAwC,OAAO,SAAS,MAAM,KAAK,IAAI,KAAK;AAC7F,QAAM,UAAU;AAEhB,MAAI,QAAQ,UAAU;AACpB,YAAQ,IAAI,cAAc,OAAO,SAAS,KAAK,QAAQ,MAAM,OAAO,GAAG;AAAA,EACzE,OAAO;AACL,YAAQ,IAAI;AACZ,YAAQ,IAAIM,OAAM,KAAK,uBAAuB,CAAC;AAC/C,YAAQ,IAAI;AACZ,YAAQ,IAAI,aAAaA,OAAM,KAAK,OAAO,SAAS,CAAC,EAAE;AACvD,YAAQ,IAAI,aAAa,OAAO,SAAS,KAAK,KAAK,GAAG;AACtD,YAAQ,IAAI,aAAa,OAAO,SAAS,MAAM;AAC/C,YAAQ,IAAI;AACZ,YAAQ,IAAIA,OAAM,IAAI,+BAA+B,CAAC;AACtD,YAAQ,IAAI;AACZ,YAAQ,IAAI,gBAAgB,OAAO,SAAS,KAAK,QAAQ,MAAM,OAAO,GAAG;AACzE,YAAQ,IAAI;AACZ,YAAQ,IAAIA,OAAM,IAAI,SAAS,CAAC;AAChC,YAAQ,IAAI;AACZ,YAAQ,IAAI,cAAc,OAAO,eAAe,QAAQ,kBAAkB,OAAO,SAAS,QAAQ;AAClG,YAAQ,IAAI;AAAA,EACd;AACF;;;AjB/DA,IAAM,UAAU,IAAI,QAAQ;AAE5B,QACG,KAAK,SAAS,EACd,YAAY,oDAAoD,EAChE,QAAQ,OAAO;AAElB,QACG,QAAQ,MAAM,EACd,YAAY,mCAAmC,EAC/C,SAAS,YAAY,uCAAuC,EAC5D,OAAO,qBAAqB,2CAA2C,UAAU,EACjF,OAAO,wBAAwB,8CAA8C,EAC7E,OAAO,cAAc,0DAA0D,EAC/E,OAAO,YAAY,wDAAwD,EAC3E,OAAO,eAAe,sDAAsD,EAC5E,OAAO,eAAe,yCAAyC,EAC/D,OAAO,OAAO,QAAQ,SAAS;AAC9B,MAAI,KAAK,WAAW;AAClB,UAAM,MAAM;AACZ,YAAQ,IAAI,WAAW,GAAG,MAAM;AAChC,UAAM,EAAE,KAAK,IAAI,MAAM,OAAO,eAAoB;AAClD,UAAM,MAAM,QAAQ,aAAa,UAAU,SAAS,GAAG,KAAK,QAAQ,aAAa,WAAW,QAAQ,GAAG,KAAK,YAAY,GAAG;AAC3H,SAAK,GAAG;AAAA,EACV;AACA,QAAM,YAAY,QAAQ;AAAA,IACxB,QAAQ,KAAK;AAAA,IACb,QAAQ,KAAK;AAAA,IACb,UAAU,KAAK;AAAA,IACf,QAAQ,KAAK;AAAA,IACb,OAAO,KAAK;AAAA,EACd,CAAC;AACH,CAAC;AAEH,QACG,QAAQ,OAAO,EACf,YAAY,oCAAoC,EAChD,OAAO,gBAAgB,iCAAiC,EACxD,OAAO,OAAO,SAAS;AACtB,QAAM,aAAa,EAAE,KAAK,KAAK,IAAI,CAAC;AACtC,CAAC;AAEH,QACG,QAAQ,OAAO,EACf,YAAY,qDAAgD,EAC5D,OAAO,uBAAuB,qCAAqC,IAAI,EACvE,OAAO,gBAAgB,kCAAkC,EACzD,OAAO,OAAO,SAAS;AACtB,QAAM,aAAa,EAAE,WAAW,SAAS,KAAK,SAAS,GAAG,KAAK,KAAK,IAAI,CAAC;AAC3E,CAAC;AAEH,QACG,QAAQ,OAAO,EACf,YAAY,6CAA6C,EACzD,SAAS,YAAY,uCAAuC,EAC5D,OAAO,QAAQ,kCAAkC,EACjD,OAAO,OAAO,QAAQ,SAAS;AAC9B,QAAM,aAAa,QAAQ,EAAE,UAAU,KAAK,GAAG,CAAC;AAClD,CAAC;AAEH,QACG,QAAQ,UAAU,EAClB,YAAY,gDAAgD,EAC5D,OAAO,YAAY;AAClB,QAAM,MAAM;AACZ,UAAQ,IAAI,WAAW,GAAG,MAAM;AAChC,QAAM,EAAE,KAAK,IAAI,MAAM,OAAO,eAAoB;AAClD,QAAM,MAAM,QAAQ,aAAa,UAAU,SAAS,GAAG,KAAK,QAAQ,aAAa,WAAW,QAAQ,GAAG,KAAK,YAAY,GAAG;AAC3H,OAAK,GAAG;AACV,CAAC;AAEH,QAAQ,MAAM;","names":["readFileSync","existsSync","join","chalk","re","existsSync","join","readFileSync","chalk","resolve","existsSync","readFileSync","join","homedir","chalk","join","homedir","existsSync","readFileSync","readFileSync","existsSync","join","homedir","chalk","DEFAULT_SKILL_DIRS","join","homedir","chalk","existsSync","readFileSync","readFileSync","existsSync","statSync","resolve","join","chalk","GRADE_COLORS","resolve","existsSync","join","statSync","readFileSync","chalk"]}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "clawvet",
3
- "version": "0.5.0",
3
+ "version": "0.6.0",
4
4
  "description": "Skill vetting & supply chain security for OpenClaw. Scans SKILL.md files for prompt injection, credential theft, RCE, typosquatting, and social engineering.",
5
5
  "type": "module",
6
6
  "bin": {