hackmyagent-core 0.3.9 → 0.4.1

package/README.md

@@ -7,13 +7,24 @@
 
 **Website:** [hackmyagent.com](https://hackmyagent.com) — Scan external infrastructure for exposed MCP endpoints, configs, and credentials
 
+## What's New — v0.4.0
+
+**First scanner for [CVE-2026-25253](https://hackmyagent.com/blog/cve-2026-25253-detection)** (CVSS 8.8) — the OpenClaw WebSocket hijacking RCE.
+
+- **CVE-001:** Detect vulnerable OpenClaw versions (before v2026.1.29)
+- **CVE-002:** Missing `controlUi.allowedOrigins` (patch alone isn't enough)
+- **SUPPLY-005–008:** ClawHavoc campaign IOCs (C2 IPs, malware filenames, ClickFix patterns)
+- **GATEWAY-007–008, CONFIG-007–009:** Config hardening (open DM wildcards, disabled sandbox, weak tokens)
+
+11 new checks. 145+ total.
+
 ## Disclaimer
 
 HackMyAgent performs passive reconnaissance only (port checks and HTTP requests) — it does not exploit vulnerabilities. However, please only scan systems you own or have permission to test. The authors assume no liability for misuse of this tool.
 
 ```bash
 npx hackmyagent check @publisher/skill     # verify a skill before installing
-npx hackmyagent secure                      # harden your agent setup (100 checks)
+npx hackmyagent secure                      # harden your agent setup (145+ checks)
 npx hackmyagent secure --fix                # auto-fix security issues
 npx hackmyagent scan example.com            # scan for exposed infrastructure
 npx hackmyagent attack --local              # red team with 55 attack payloads
@@ -29,10 +40,10 @@ npx hackmyagent secure --benchmark oasb-1   # run OASB-1 security benchmark
 
 ## Why HackMyAgent?
 
-AI agents are powerful but introduce new attack surfaces. Skills can be malicious. Configs can leak secrets. MCP servers can be exposed. HackMyAgent helps you:
+CVE-2026-25253 turned every OpenClaw installation into a remote code execution target. 341 malicious skills were distributed through ClawHub. AI agent security is no longer theoretical — HackMyAgent helps you:
 
 - **Check** skills before installing (publisher verification, permission analysis)
-- **Secure** your agent setup (100-point CIS security scan, auto-remediation)
+- **Secure** your agent setup (145+ security checks with auto-remediation)
 - **Scan** external infrastructure (exposed MCP endpoints, leaked configs)
 
 ## Installation
@@ -52,7 +63,7 @@ npm install --save-dev hackmyagent
 
 ### `hackmyagent secure`
 
-Scan and harden your local agent setup with 100 security checks across 24 categories.
+Scan and harden your local agent setup with 145+ security checks across 31 categories.
 
 ```bash
 # Basic scan
@@ -92,7 +103,26 @@ hackmyagent secure --verbose
 | AUDIT | 4 | Audit trails |
 | SANDBOX | 4 | Process isolation |
 | TOOL | 4 | Tool permission boundaries |
-| And 13 more... | 42 | Auth, deps, env, git, io, log, perm, proc, rate, sec, api, vscode, cursor |
+| AUTH | 4 | Authentication checks |
+| DEPS | 4 | Dependency security |
+| ENV | 4 | Environment variable safety |
+| GIT | 4 | Git security (.gitignore, secrets in history) |
+| IO | 4 | Input/output validation |
+| LOG | 4 | Logging and monitoring |
+| PERM | 4 | File permissions |
+| PROC | 4 | Process isolation |
+| RATE | 4 | Rate limiting |
+| SEC | 4 | General security headers |
+| API | 4 | API security |
+| VSCODE | 4 | VS Code configuration |
+| CURSOR | 4 | Cursor IDE configuration |
+| CVE | 2 | CVE-2026-25253 detection |
+| GATEWAY | 8 | Gateway misconfigurations |
+| CONFIG | 9 | Insecure settings |
+| SUPPLY | 8 | Supply chain attacks |
+| SKILL | 12 | Malicious skill detection |
+| HEARTBEAT | 6 | Heartbeat/cron abuse |
+| WINDSURF | 3 | Windsurf IDE configuration |
 
 **Exit Codes:**
 - `0` - No critical/high issues
@@ -299,7 +329,7 @@ hackmyagent secure -b oasb-1 --fail-below 70
 
 ### `hackmyagent secure-openclaw`
 
-Scan OpenClaw/Moltbot installations with 34 specialized security checks and auto-remediation.
+Scan OpenClaw/Moltbot installations with 45 specialized security checks and auto-remediation.
 
 ```bash
 hackmyagent secure-openclaw              # scan default location
@@ -310,8 +340,11 @@ hackmyagent secure-openclaw --json       # JSON output for CI/CD
 ```
 
 **Detects:**
+- CVE-2026-25253 vulnerable versions (before v2026.1.29)
+- Missing `controlUi.allowedOrigins` (patch alone isn't enough)
+- ClawHavoc C2 IP addresses and malware filenames
+- ClickFix social engineering patterns
 - Unsigned/malicious skills (ClawHavoc campaign patterns)
-- ClickFix social engineering attacks
 - Reverse shell backdoors
 - Credential exfiltration (wallets, SSH keys, API keys)
 - Heartbeat/cron abuse
@@ -331,9 +364,10 @@ hackmyagent secure-openclaw --json       # JSON output for CI/CD
 |----------|--------|-------------|
 | SKILL | 12 | Malicious skill detection |
 | HEARTBEAT | 6 | Heartbeat/cron abuse |
-| GATEWAY | 6 | Gateway misconfigurations (4 auto-fixable) |
-| CONFIG | 6 | Insecure settings |
-| SUPPLY | 4 | Supply chain attacks |
+| GATEWAY | 8 | Gateway misconfigurations (4 auto-fixable) |
+| CONFIG | 9 | Insecure settings |
+| SUPPLY | 8 | Supply chain attacks |
+| CVE | 2 | CVE-2026-25253 detection |
 
 See [SECURITY_CHECKS.md](docs/SECURITY_CHECKS.md#openclaw-security-checks) for full documentation.
 
@@ -428,7 +462,7 @@ hackmyagent secure --json | jq '.findings[] | select(.severity == "critical")'
 
 ## Security Check Reference
 
-For the complete list of 100 security checks with descriptions and remediation guidance, see [SECURITY_CHECKS.md](docs/SECURITY_CHECKS.md).
+For the complete list of 145+ security checks with descriptions and remediation guidance, see [SECURITY_CHECKS.md](docs/SECURITY_CHECKS.md).
 
 ## Auto-Fix Capabilities
 

package/dist/hardening/scanner.d.ts

@@ -135,5 +135,9 @@ export declare class HardeningScanner {
      * OpenClaw supply chain security checks (SUPPLY-001 to SUPPLY-004)
      */
     private checkOpenclawSupplyChain;
+    /**
+     * OpenClaw CVE-specific checks (CVE-001, CVE-002)
+     */
+    private checkOpenclawCVE;
 }
 //# sourceMappingURL=scanner.d.ts.map

package/dist/hardening/scanner.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../../src/hardening/scanner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,KAAK,EAAE,UAAU,EAA0C,MAAM,kBAAkB,CAAC;AAwD3F,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,0DAA0D;IAC1D,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,wEAAwE;IACxE,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;CACxB;AAgHD,qBAAa,gBAAgB;IAE3B,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAelC;IAEF;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAMvB,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC;YA0NvC,cAAc;IAsE5B;;OAEG;YACW,iBAAiB;IA+F/B;;OAEG;IACH,OAAO,CAAC,gBAAgB;YAeV,uBAAuB;YAmGvB,aAAa;YAgDb,cAAc;YA+Fd,oBAAoB;YAwDpB,gBAAgB;YA0IhB,oBAAoB;YAgFpB,gBAAgB;YA2IhB,mBAAmB;YA4EnB,iBAAiB;YAyCjB,iBAAiB;YA+DjB,wBAAwB;YA0FxB,wBAAwB;YAmExB,wBAAwB;YAqHxB,oBAAoB;YA+GpB,uBAAuB;YA8HvB,iBAAiB;YA8GjB,oBAAoB;YAuGpB,mBAAmB;YAiGnB,gBAAgB;YAmIhB,oBAAoB;YAoIpB,gBAAgB;YAyHhB,qBAAqB;YA+GrB,eAAe;IAiI7B;;OAEG;YACW,mBAAmB;IA8GjC;;OAEG;YACW,oBAAoB;IAiKlC;;OAEG;YACW,iBAAiB;IA4I/B;;OAEG;YACW,oBAAoB;IAwIlC;;OAEG;YACW,eAAe;IAqJ7B;;OAEG;YACW,eAAe;IAuI7B;;OAEG;YACW,eAAe;IAyG7B;;OAEG;YACW,mBAAmB;IAmHjC,OAAO,CAAC,cAAc;IAsBtB;;OAEG;YACW,YAAY;IAkD1B;;OAEG;IACG,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA6DhD;;;OAGG;YACW,cAAc;IAgD5B;;OAEG;YACW,mBAAmB;IAoUjC;;;OAGG;YACW,kBAAkB;IAgDhC;;OAEG;YACW,sBAAsB;IA2LpC;;OAEG;YACW,sBAAsB;IA+BpC;;OAEG;YACW,oBAAoB;IA0RlC;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA4B3B;;OAEG;YACW,iBAAiB;IA8D/B;;OAEG;YACW,mBAAmB;IAmRjC;;OAEG;YACW,wBAAwB;CAsJvC"}
+{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../../src/hardening/scanner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,KAAK,EAAE,UAAU,EAA0C,MAAM,kBAAkB,CAAC;AAyD3F,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,0DAA0D;IAC1D,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,wEAAwE;IACxE,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;CACxB;AA8HD,qBAAa,gBAAgB;IAE3B,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAelC;IAEF;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAMvB,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC;YA8NvC,cAAc;IAsE5B;;OAEG;YACW,iBAAiB;IA+F/B;;OAEG;IACH,OAAO,CAAC,gBAAgB;YAeV,uBAAuB;YAmGvB,aAAa;YAgDb,cAAc;YA+Fd,oBAAoB;YAwDpB,gBAAgB;YA0IhB,oBAAoB;YAgFpB,gBAAgB;YA2IhB,mBAAmB;YA4EnB,iBAAiB;YAyCjB,iBAAiB;YA+DjB,wBAAwB;YA0FxB,wBAAwB;YAmExB,wBAAwB;YAqHxB,oBAAoB;YA+GpB,uBAAuB;YA8HvB,iBAAiB;YA8GjB,oBAAoB;YAuGpB,mBAAmB;YAiGnB,gBAAgB;YAmIhB,oBAAoB;YAoIpB,gBAAgB;YAyHhB,qBAAqB;YA+GrB,eAAe;IAiI7B;;OAEG;YACW,mBAAmB;IA8GjC;;OAEG;YACW,oBAAoB;IAiKlC;;OAEG;YACW,iBAAiB;IA4I/B;;OAEG;YACW,oBAAoB;IAwIlC;;OAEG;YACW,eAAe;IAqJ7B;;OAEG;YACW,eAAe;IAuI7B;;OAEG;YACW,eAAe;IAyG7B;;OAEG;YACW,mBAAmB;IAmHjC,OAAO,CAAC,cAAc;IAsBtB;;OAEG;YACW,YAAY;IAkD1B;;OAEG;IACG,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA6DhD;;;OAGG;YACW,cAAc;IAgD5B;;OAEG;YACW,mBAAmB;IAoUjC;;;OAGG;YACW,kBAAkB;IAgDhC;;OAEG;YACW,sBAAsB;IA2LpC;;OAEG;YACW,sBAAsB;IA+BpC;;OAEG;YACW,oBAAoB;IAqVlC;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA4B3B;;OAEG;YACW,iBAAiB;IA8D/B;;OAEG;YACW,mBAAmB;IA6VjC;;OAEG;YACW,wBAAwB;IA4OtC;;OAEG;YACW,gBAAgB;CAmG/B"}

package/dist/hardening/scanner.js

@@ -71,6 +71,7 @@ const CHECK_PROJECT_TYPES = {
     'GATEWAY-': ['openclaw'], // Gateway configuration security
     'CONFIG-': ['openclaw', 'mcp'], // Configuration file security
     'SUPPLY-': ['openclaw', 'mcp'], // Supply chain security
+    'CVE-': ['openclaw'], // CVE-specific detection
     'API-': ['api'], // API security headers
     'RATE-': ['webapp', 'api'], // Rate limiting
     'PROC-': ['webapp', 'api'], // Process security (headers, etc.)
@@ -165,6 +166,19 @@ const HEARTBEAT_DANGEROUS_CAPS = [
     'filesystem:/',
     'network:*',
 ];
+// ClawHavoc campaign IOCs (Koi Security research, Jan 2026)
+const CLAWHAVOC_C2_IPS = ['91.92.242.30'];
+const CLAWHAVOC_MALICIOUS_FILES = [
+    'openclaw-agent.exe', 'openclaw-agent.zip', 'openclawcli.zip',
+    'agent-setup.exe', 'openclaw-installer.dmg',
+];
+const CLAWHAVOC_CLICKFIX_PATTERNS = [
+    /download.*paste.*terminal/i,
+    /copy.*(?:command|script).*terminal/i,
+    /right[- ]click.*open/i,
+    /run.*\.exe/i,
+];
+const CLAWHAVOC_ARCHIVE_PASSWORD = /password\s*[:=]\s*["']?(openclaw|claw|agent|setup)["']?/i;
 const PROMPT_INJECTION_PATTERNS = [
     /ignore\s+(all\s+)?(previous|prior|above)/gi,
     /disregard\s+(all\s+)?(previous|prior)/gi,
@@ -320,6 +334,9 @@ class HardeningScanner {
         // OpenClaw supply chain checks
         const supplyFindings = await this.checkOpenclawSupplyChain(targetDir, shouldFix);
         findings.push(...supplyFindings);
+        // OpenClaw CVE-specific checks
+        const cveFindings = await this.checkOpenclawCVE(targetDir, shouldFix);
+        findings.push(...cveFindings);
         // Filter findings to only show real, actionable issues:
         // 1. Only failed checks (passed: false)
         // 2. Only checks with a file path (concrete findings, not generic advice)
@@ -4495,6 +4512,58 @@ dist/
                     fix: 'Manually disable privileged mode and remove sensitive host mounts - requires careful review',
                 });
             }
+            // GATEWAY-007: Open DM Policy with Wildcard
+            const channels = config.channels;
+            const dm = config.dm;
+            let hasOpenDmWildcard = false;
+            if (channels) {
+                for (const [, channelConfig] of Object.entries(channels)) {
+                    if (channelConfig.dmPolicy === 'open' &&
+                        Array.isArray(channelConfig.allowFrom) &&
+                        channelConfig.allowFrom.includes('*')) {
+                        hasOpenDmWildcard = true;
+                        break;
+                    }
+                }
+            }
+            if (!hasOpenDmWildcard && dm?.policy === 'open') {
+                const allowList = dm.allowFrom;
+                if (Array.isArray(allowList) && allowList.includes('*')) {
+                    hasOpenDmWildcard = true;
+                }
+            }
+            if (hasOpenDmWildcard) {
+                findings.push({
+                    checkId: 'GATEWAY-007',
+                    name: 'Open DM Policy with Wildcard',
+                    description: 'Direct message policy allows messages from any source',
+                    category: 'gateway',
+                    severity: 'critical',
+                    passed: false,
+                    message: 'DM policy is open with wildcard allowFrom - anyone can message the agent',
+                    file: relativePath,
+                    fixable: false,
+                    fix: 'Replace wildcard "*" in allowFrom with specific allowed sender IDs or domains',
+                });
+            }
+            // GATEWAY-008: Tailscale Funnel Exposure
+            const tailscale = gateway?.tailscale;
+            const tailscaleRoot = config.tailscale;
+            const funnelEnabled = tailscale?.funnel === true || tailscaleRoot?.funnel === true;
+            if (funnelEnabled) {
+                findings.push({
+                    checkId: 'GATEWAY-008',
+                    name: 'Tailscale Funnel Exposure',
+                    description: 'Tailscale Funnel is enabled, exposing the agent to the public internet',
+                    category: 'gateway',
+                    severity: 'high',
+                    passed: false,
+                    message: 'Tailscale Funnel enabled - agent is publicly accessible from the internet',
+                    file: relativePath,
+                    fixable: false,
+                    fix: 'Disable Tailscale Funnel unless public access is intentional. Use Tailscale ACLs to restrict access.',
+                });
+            }
             // Write modified config back to file if any fixes were applied
             if (configModified) {
                 try {
@@ -4873,6 +4942,71 @@ dist/
                     fix: 'Disable autoFollow or review moltbook security settings',
                 });
             }
+            // CONFIG-007: Unrestricted Elevated Execution
+            const tools = config.tools;
+            const elevated = tools?.elevated;
+            const exec = config.exec;
+            const execApprovals = exec?.approvals;
+            const hasUnrestrictedExec = elevated?.defaultLevel === 'full' ||
+                execApprovals?.set === 'off';
+            if (hasUnrestrictedExec) {
+                findings.push({
+                    checkId: 'CONFIG-007',
+                    name: 'Unrestricted Elevated Execution',
+                    description: 'Elevated execution is set to full access without restrictions or approvals are bypassed',
+                    category: 'config',
+                    severity: 'critical',
+                    passed: false,
+                    message: elevated?.defaultLevel === 'full'
+                        ? 'tools.elevated.defaultLevel is "full" - all tools run with maximum privileges'
+                        : 'exec.approvals.set is "off" - execution approval is bypassed',
+                    file: relativePath,
+                    fixable: false,
+                    fix: 'Set tools.elevated.defaultLevel to "restricted" and enable exec.approvals',
+                });
+            }
+            // CONFIG-008: Sandbox Disabled
+            const sandbox = config.sandbox;
+            const toolExec = tools?.exec;
+            const sandboxDisabled = sandbox?.enabled === false ||
+                toolExec?.sandbox === false;
+            if (sandboxDisabled) {
+                findings.push({
+                    checkId: 'CONFIG-008',
+                    name: 'Sandbox Disabled',
+                    description: 'Sandbox execution environment is explicitly disabled in config',
+                    category: 'config',
+                    severity: 'high',
+                    passed: false,
+                    message: sandbox?.enabled === false
+                        ? 'sandbox.enabled is false - code runs without isolation'
+                        : 'tools.exec.sandbox is false - tool execution is not sandboxed',
+                    file: relativePath,
+                    fixable: false,
+                    fix: 'Enable sandbox: set sandbox.enabled to true or tools.exec.sandbox to true',
+                });
+            }
+            // CONFIG-009: Weak Gateway Token
+            const gatewayConfig = config.gateway;
+            const gatewayAuth = gatewayConfig?.auth;
+            const tokenValue = gatewayAuth?.token || config.token;
+            if (typeof tokenValue === 'string' &&
+                tokenValue.length > 0 &&
+                tokenValue.length < 24 &&
+                !tokenValue.startsWith('${')) {
+                findings.push({
+                    checkId: 'CONFIG-009',
+                    name: 'Weak Gateway Token',
+                    description: 'Gateway authentication token is too short (< 24 characters)',
+                    category: 'config',
+                    severity: 'high',
+                    passed: false,
+                    message: `Token is only ${tokenValue.length} characters - minimum 24 recommended`,
+                    file: relativePath,
+                    fixable: false,
+                    fix: 'Generate a stronger token: openssl rand -base64 32',
+                });
+            }
         }
         return findings;
     }
@@ -4891,6 +5025,16 @@ dist/
             'phantom-wallet',
             'youtube-downloader',
             'clawhub',
+            'clawhub1',
+            'clawhubb',
+            'cllawhub',
+            'clawhub-official',
+            'openclaw-official',
+            'openclaw1',
+            'opennclaw',
+            'insiderwallet',
+            'wallet-finder',
+            'crypto-insider',
         ];
         for (const skillFile of skillFiles) {
             const relativePath = path.relative(targetDir, skillFile);
@@ -5008,6 +5152,170 @@ dist/
                 fixable: false,
                 fix: 'Add installed_hash: with SHA-256 hash of the original skill content',
             });
+            // SUPPLY-005: ClawHavoc C2 IP
+            for (const ip of CLAWHAVOC_C2_IPS) {
+                if (content.includes(ip)) {
+                    findings.push({
+                        checkId: 'SUPPLY-005',
+                        name: 'ClawHavoc C2 IP Detected',
+                        description: 'Skill contains known ClawHavoc command-and-control IP address',
+                        category: 'supply',
+                        severity: 'critical',
+                        passed: false,
+                        message: `Known C2 IP address found: ${ip}`,
+                        file: relativePath,
+                        fixable: false,
+                        fix: 'Remove this skill immediately - contains known malware C2 infrastructure',
+                    });
+                    break;
+                }
+            }
+            // SUPPLY-006: Malware Filenames
+            for (const filename of CLAWHAVOC_MALICIOUS_FILES) {
+                if (content.toLowerCase().includes(filename.toLowerCase())) {
+                    findings.push({
+                        checkId: 'SUPPLY-006',
+                        name: 'ClawHavoc Malware Filename',
+                        description: 'Skill references known ClawHavoc malware payload filename',
+                        category: 'supply',
+                        severity: 'critical',
+                        passed: false,
+                        message: `Known malware filename referenced: "${filename}"`,
+                        file: relativePath,
+                        fixable: false,
+                        fix: 'Remove this skill immediately - references known malware payload',
+                    });
+                    break;
+                }
+            }
+            // SUPPLY-007: ClickFix Pattern
+            for (const pattern of CLAWHAVOC_CLICKFIX_PATTERNS) {
+                const match = content.match(pattern);
+                if (match) {
+                    findings.push({
+                        checkId: 'SUPPLY-007',
+                        name: 'ClawHavoc ClickFix Pattern',
+                        description: 'Skill contains social engineering instructions to execute malware',
+                        category: 'supply',
+                        severity: 'high',
+                        passed: false,
+                        message: `ClickFix social engineering pattern detected: "${match[0]}"`,
+                        file: relativePath,
+                        fixable: false,
+                        fix: 'Review and remove suspicious download/execute instructions',
+                    });
+                    break;
+                }
+            }
+            // SUPPLY-008: Suspicious Archive Password
+            const archiveMatch = content.match(CLAWHAVOC_ARCHIVE_PASSWORD);
+            if (archiveMatch) {
+                findings.push({
+                    checkId: 'SUPPLY-008',
+                    name: 'Suspicious Archive Password',
+                    description: 'Skill contains password-protected archive reference typical of malware distribution',
+                    category: 'supply',
+                    severity: 'high',
+                    passed: false,
+                    message: `Suspicious archive password pattern: "${archiveMatch[0]}"`,
+                    file: relativePath,
+                    fixable: false,
+                    fix: 'Investigate password-protected archive reference - common malware distribution technique',
+                });
+            }
+        }
+        return findings;
+    }
+    /**
+     * OpenClaw CVE-specific checks (CVE-001, CVE-002)
+     */
+    async checkOpenclawCVE(targetDir, _autoFix) {
+        const findings = [];
+        // CVE-001: Vulnerable OpenClaw Version
+        const pkgJsonPath = path.join(targetDir, 'package.json');
+        try {
+            const pkgContent = await fs.readFile(pkgJsonPath, 'utf-8');
+            const pkg = JSON.parse(pkgContent);
+            const deps = { ...pkg.dependencies, ...pkg.devDependencies };
+            const openclawVersion = deps?.openclaw || deps?.['@openclaw/core'];
+            if (openclawVersion) {
+                // Extract numeric version (strip ^ ~ >= etc.)
+                const versionMatch = openclawVersion.match(/(\d{4})\.(\d{1,2})\.(\d{1,2})/);
+                if (versionMatch) {
+                    const year = parseInt(versionMatch[1], 10);
+                    const month = parseInt(versionMatch[2], 10);
+                    const day = parseInt(versionMatch[3], 10);
+                    // Patch release: v2026.1.29
+                    const isVulnerable = year < 2026 ||
+                        (year === 2026 && month < 1) ||
+                        (year === 2026 && month === 1 && day < 29);
+                    findings.push({
+                        checkId: 'CVE-001',
+                        name: 'CVE-2026-25253: WebSocket Hijacking RCE',
+                        description: 'OpenClaw version vulnerable to CVE-2026-25253 (CVSS 8.8) - WebSocket hijacking enables 1-click RCE',
+                        category: 'cve',
+                        severity: 'critical',
+                        passed: !isVulnerable,
+                        message: isVulnerable
+                            ? `OpenClaw ${openclawVersion} is vulnerable to CVE-2026-25253 - upgrade to v2026.1.29+`
+                            : `OpenClaw ${openclawVersion} includes CVE-2026-25253 fix`,
+                        file: 'package.json',
+                        fixable: false,
+                        fix: 'Upgrade openclaw to v2026.1.29 or later: npm install openclaw@latest',
+                    });
+                }
+            }
+        }
+        catch {
+            // No package.json or parse error - skip CVE-001
+        }
+        // CVE-002: Missing Control UI Origin Restrictions
+        const configFiles = await this.findGatewayConfigFiles(targetDir);
+        for (const configFile of configFiles) {
+            const relativePath = path.relative(targetDir, configFile);
+            try {
+                const stats = await fs.stat(configFile);
+                if (stats.size > MAX_FILE_SIZE)
+                    continue;
+                const content = await fs.readFile(configFile, 'utf-8');
+                const config = JSON.parse(content);
+                const gateway = config.gateway;
+                const controlUi = gateway?.controlUi;
+                const hasAllowedOrigins = controlUi?.allowedOrigins && Array.isArray(controlUi.allowedOrigins) && controlUi.allowedOrigins.length > 0;
+                // Only flag if auth is configured (no auth = lower risk)
+                const hasAuth = gateway?.auth || config.auth || config.token || gateway?.token;
+                if (hasAuth && !hasAllowedOrigins) {
+                    findings.push({
+                        checkId: 'CVE-002',
+                        name: 'CVE-2026-25253: Missing Control UI Origin Restrictions',
+                        description: 'Auth is configured but controlUi.allowedOrigins is missing - vulnerable to cross-origin WebSocket hijacking',
+                        category: 'cve',
+                        severity: 'critical',
+                        passed: false,
+                        message: 'Auth configured without controlUi.allowedOrigins - cross-origin requests can steal auth tokens',
+                        file: relativePath,
+                        fixable: false,
+                        fix: 'Add gateway.controlUi.allowedOrigins with your allowed origins (e.g., ["http://localhost:3000"])',
+                    });
+                }
+                else if (hasAuth && hasAllowedOrigins) {
+                    findings.push({
+                        checkId: 'CVE-002',
+                        name: 'CVE-2026-25253: Control UI Origin Restrictions',
+                        description: 'Control UI origin restrictions are configured',
+                        category: 'cve',
+                        severity: 'critical',
+                        passed: true,
+                        message: 'controlUi.allowedOrigins is configured',
+                        file: relativePath,
+                        fixable: false,
+                        fix: 'No action needed',
+                    });
+                }
+            }
+            catch {
+                continue;
+            }
         }
         return findings;
     }