mohuclaw 1.0.1

package/scripts/repair/execution_sandbox/check_4.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+# CHECK 4 (origin 35): Exec safeBins Validation Bypass
+# Usage: ./check_4.sh
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+
+# Guidance
+cat <<EOF
+RECOMMENDED ACTIONS:
+1. Update OpenClaw immediately:
+   openclaw update
+
+2. Audit safeBins configuration:
+   openclaw config get tools.exec.safeBins
+
+3. Consider removing 'sort' from safeBins until patched:
+   openclaw config set tools.exec.safeBins <updated-list>
+
+EOF
+
+exit 0
+

package/scripts/repair/execution_sandbox/check_5.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+# CHECK 5 (origin 37): PATH Hijacking / Command Hijacking
+# Usage: ./check_5.sh
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+
+# Guidance
+cat <<EOF
+RECOMMENDED ACTIONS:
+1. Review and remove suspicious executables flagged above (check logs for exact paths)
+
+2. Verify which binary is actually being used:
+   which -a node python3 bash curl git openclaw
+
+3. Check for planted executables in workspace:
+   find $WORKSPACE_DIR -maxdepth 3 -type f -executable -name "node" -o -name "python3" -o -name "bash" -o -name "curl" -o -name "git"
+
+4. Ensure user-writable directories appear AFTER system directories in PATH:
+   echo \$PATH
+   # /usr/local/bin and /usr/bin should come before ~/bin etc.
+
+5. Remove or investigate any non-whitelisted writable directories from PATH:
+   export PATH="/usr/local/bin:/usr/bin:/bin"
+
+EOF
+
+exit 0

package/scripts/repair/execution_sandbox/check_6.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+# CHECK 6 (origin 43): Exec-Approvals Shell Expansion Bypass
+# Usage: ./check_6.sh
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+
+# Guidance
+cat <<EOF
+RECOMMENDED ACTIONS:
+1. Update OpenClaw immediately:
+   openclaw update
+
+EOF
+
+exit 0
+

package/scripts/repair/execution_sandbox/check_7.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+# CHECK 7 (origin 44): Approval Field Injection / Exec Gating Bypass
+# Usage: ./check_7.sh
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+
+# Guidance
+cat <<EOF
+RECOMMENDED ACTIONS:
+1. Update OpenClaw immediately:
+   openclaw update
+
+EOF
+
+exit 0
+

package/scripts/repair/execution_sandbox/check_8.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+# CHECK 8 (origin 42): Browser Control API Path Traversal
+# Usage: ./check_8.sh
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+
+# Guidance
+cat <<EOF
+RECOMMENDED ACTIONS:
+1. Update OpenClaw immediately:
+   openclaw update
+
+EOF
+
+exit 0
+

package/scripts/repair/execution_sandbox/check_9.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+# CHECK 9 (origin 47): TAR Archive Path Traversal
+# Usage: ./check_9.sh
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+
+# Guidance
+cat <<EOF
+RECOMMENDED ACTIONS:
+1. Update OpenClaw immediately:
+   openclaw update
+
+EOF
+
+exit 0
+

package/scripts/repair/execution_sandbox/logs/security-scan.log

@@ -0,0 +1,10 @@
+Auto-fix complete: 0 fixed, 0 failed
+Auto-fix complete: 0 fixed, 0 failed
+Auto-fix complete: 0 fixed, 0 failed
+Auto-fix complete: 0 fixed, 0 failed
+Auto-fix complete: 0 fixed, 0 failed
+Auto-fix complete: 0 fixed, 0 failed
+Auto-fix complete: 0 fixed, 0 failed
+Auto-fix complete: 0 fixed, 0 failed
+Auto-fix complete: 0 fixed, 0 failed
+Auto-fix complete: 0 fixed, 0 failed

package/scripts/repair/memory_poisoning/_common.sh

@@ -0,0 +1,336 @@
+#!/bin/bash
+# Exit codes: 0=SECURE, 1=WARNINGS, 2=COMPROMISED
+
+set -uo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+# PROJECT_DIR="$(dirname "$SCRIPT_DIR")"
+# IOC_DIR="$PROJECT_DIR/ioc"
+PROJECT_DIR="$(cd "$SCRIPT_DIR/../../.." && pwd)"
+IOC_DIR="$PROJECT_DIR/ioc"
+SELF_DIR_NAME="$(basename "$PROJECT_DIR")"
+
+# Default OpenClaw paths
+# OPENCLAW_DIR="${OPENCLAW_HOME:-$HOME/.openclaw}"
+OPENCLAW_DIR="${OPENCLAW_HOME:-$HOME/test/openclaw-1}"
+SKILLS_DIR="$OPENCLAW_DIR/workspace/skills"
+WORKSPACE_DIR="$OPENCLAW_DIR/workspace"
+# LOG_DIR="$OPENCLAW_DIR/logs"
+LOG_DIR="logs"
+LOG_FILE="$LOG_DIR/security-scan.log"
+TIMESTAMP="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
+
+export PATH="$HOME/.local/bin:/opt/homebrew/opt/node@22/bin:/opt/homebrew/bin:/usr/local/bin:$PATH"
+
+# Overall counters
+CRITICAL=0
+WARNINGS=0
+CLEAN=0
+
+# Per-category counters
+CATEGORY_NAME=""
+CATEGORY_TOTAL_CHECKS=0
+CATEGORY_CRITICAL=0
+CATEGORY_WARNINGS=0
+CATEGORY_CLEAN=0
+
+mkdir -p "$LOG_DIR"
+
+log() {
+    echo "$1" | tee -a "$LOG_FILE"
+}
+
+header() {
+    # Usage: header <new_index> <message>
+    log ""
+    log "[$1/$CATEGORY_TOTAL_CHECKS] $2"
+}
+
+result_clean() {
+    log "CLEAN: $1"
+    CLEAN=$((CLEAN + 1))
+    CATEGORY_CLEAN=$((CATEGORY_CLEAN + 1))
+}
+
+result_warn() {
+    log "WARNING: $1"
+    WARNINGS=$((WARNINGS + 1))
+    CATEGORY_WARNINGS=$((CATEGORY_WARNINGS + 1))
+}
+
+result_critical() {
+    log "CRITICAL: $1"
+    CRITICAL=$((CRITICAL + 1))
+    CATEGORY_CRITICAL=$((CATEGORY_CRITICAL + 1))
+}
+
+category_start() {
+    # Usage: category_start <name> <total_checks>
+    CATEGORY_NAME="$1"
+    CATEGORY_TOTAL_CHECKS="$2"
+    CATEGORY_CRITICAL=0
+    CATEGORY_WARNINGS=0
+    CATEGORY_CLEAN=0
+
+    log ""
+    log "----------------------------------------"
+    log "CATEGORY START: $CATEGORY_NAME ($CATEGORY_TOTAL_CHECKS checks)"
+    log "----------------------------------------"
+}
+
+category_end() {
+    log ""
+    log "CATEGORY SUMMARY: $CATEGORY_NAME"
+    log "  critical: $CATEGORY_CRITICAL"
+    log "  warning : $CATEGORY_WARNINGS"
+    log "  clean   : $CATEGORY_CLEAN"
+    log "----------------------------------------"
+}
+
+# Use timeout if available (macOS may only have gtimeout via coreutils)
+TIMEOUT_BIN=""
+if command -v timeout >/dev/null 2>&1; then
+    TIMEOUT_BIN="timeout"
+elif command -v gtimeout >/dev/null 2>&1; then
+    TIMEOUT_BIN="gtimeout"
+fi
+
+run_with_timeout() {
+    local secs="$1"
+    shift
+
+    if [ -n "$TIMEOUT_BIN" ]; then
+        "$TIMEOUT_BIN" "$secs" "$@"
+    elif command -v python3 >/dev/null 2>&1; then
+        python3 - "$secs" "$@" <<'PY'
+import subprocess
+import sys
+
+def main():
+    try:
+        secs = float(sys.argv[1])
+    except Exception:
+        secs = 0
+
+    cmd = sys.argv[2:]
+    if not cmd:
+        sys.exit(1)
+
+    try:
+        proc = subprocess.Popen(cmd)
+        try:
+            proc.wait(timeout=secs if secs > 0 else None)
+        except subprocess.TimeoutExpired:
+            proc.kill()
+            proc.wait()
+            sys.exit(124)
+        sys.exit(proc.returncode if proc.returncode is not None else 0)
+    except FileNotFoundError:
+        sys.exit(127)
+
+if __name__ == "__main__":
+    main()
+PY
+    else
+        "$@"
+    fi
+}
+
+# Load IOC data
+load_ips() {
+    if [ -f "$IOC_DIR/c2-ips.txt" ]; then
+        grep -v '^#' "$IOC_DIR/c2-ips.txt" | grep -v '^$' | cut -d'|' -f1
+    else
+        echo "91.92.242"
+    fi
+}
+
+load_domains() {
+    if [ -f "$IOC_DIR/malicious-domains.txt" ]; then
+        grep -v '^#' "$IOC_DIR/malicious-domains.txt" | grep -v '^$' | cut -d'|' -f1
+    else
+        echo "webhook.site"
+    fi
+}
+
+sha256_file() {
+    # Cross-platform SHA-256 for a file
+    local target="$1"
+    [ -f "$target" ] || return 1
+
+    if command -v sha256sum >/dev/null 2>&1; then
+        sha256sum "$target" 2>/dev/null | awk '{print tolower($1)}'
+    elif command -v shasum >/dev/null 2>&1; then
+        shasum -a 256 "$target" 2>/dev/null | awk '{print tolower($1)}'
+    elif command -v openssl >/dev/null 2>&1; then
+        openssl dgst -sha256 "$target" 2>/dev/null | sed -E 's/^.*= //' | tr '[:upper:]' '[:lower:]'
+    else
+        return 1
+    fi
+}
+
+load_hash_iocs() {
+    # Expected format: <sha256>|<campaign>
+    # Similar to c2-ips.txt storage style
+    if [ -f "$IOC_DIR/malicious-hashes.txt" ]; then
+        grep -v '^#' "$IOC_DIR/malicious-hashes.txt" | grep -v '^$' || true
+    fi
+}
+
+lookup_malicious_hash_campaign() {
+    local needle
+    needle="$(printf "%s" "${1:-}" | tr '[:upper:]' '[:lower:]')"
+    [ -n "$needle" ] || return 1
+
+    while IFS='|' read -r hash_val campaign rest; do
+        hash_val="$(printf "%s" "$hash_val" | tr '[:upper:]' '[:lower:]')"
+        if [ "$hash_val" = "$needle" ]; then
+            printf "%s\n" "${campaign:-unknown}"
+            return 0
+        fi
+    done < <(load_hash_iocs)  # ← 进程替换，不产生子shell
+    
+    return 1
+}
+
+extract_github_account_age_days() {
+    # Best-effort local metadata extraction only.
+    # We cannot reliably infer GitHub account age from filesystem alone unless
+    # the skill metadata explicitly records it.
+    local skill_dir="$1"
+    local val=""
+
+    for meta in "$skill_dir/package.json" "$skill_dir/config.json" "$skill_dir/SKILL.md"; do
+        [ -f "$meta" ] || continue
+
+        # JSON-ish keys
+        val="$(grep -iEo '"(githubAccountAge|github_account_age|accountAgeDays|githubAccountAgeDays)"[[:space:]]*:[[:space:]]*[0-9]+' "$meta" 2>/dev/null | head -1 | grep -oE '[0-9]+' || true)"
+        if [ -n "$val" ]; then
+            printf "%s\n" "$val"
+            return 0
+        fi
+
+        # YAML / markdown frontmatter-ish keys
+        val="$(grep -iE '^(githubAccountAge|github_account_age|accountAgeDays|githubAccountAgeDays)[[:space:]]*:[[:space:]]*[0-9]+' "$meta" 2>/dev/null | head -1 | grep -oE '[0-9]+' || true)"
+        if [ -n "$val" ]; then
+            printf "%s\n" "$val"
+            return 0
+        fi
+    done
+
+    return 1
+}
+
+
+OPENCLAW_PRESENT=false
+if command -v openclaw >/dev/null 2>&1; then
+    OPENCLAW_PRESENT=true
+fi
+
+has_pcre_grep() {
+    echo 'test' | grep -P 't.st' >/dev/null 2>&1
+}
+
+get_oc_config() {
+    # Usage: get_oc_config <key> <default>
+    local key="$1"
+    local default_val="${2:-}"
+    if [ "$OPENCLAW_PRESENT" = true ]; then
+        run_with_timeout 10 openclaw config get "$key" 2>/dev/null || echo "$default_val"
+    else
+        echo "$default_val"
+    fi
+}
+
+normalize_config_val() {
+    local val="${1:-}"
+    case "$val" in
+        null|undefined|"")
+            echo ""
+            ;;
+        *)
+            echo "$val"
+            ;;
+    esac
+}
+
+get_perm() {
+    local target="$1"
+
+    [ -e "$target" ] || {
+        echo "unknown"
+        return
+    }
+
+    case "$(uname -s)" in
+        Darwin|FreeBSD|OpenBSD|NetBSD)
+            stat -f '%Lp' "$target" 2>/dev/null || echo "unknown"
+            ;;
+        Linux)
+            stat -c '%a' "$target" 2>/dev/null || echo "unknown"
+            ;;
+        *)
+            stat -c '%a' "$target" 2>/dev/null || stat -f '%Lp' "$target" 2>/dev/null || echo "unknown"
+            ;;
+    esac
+}
+
+list_memory_files() {
+    # Enumerate workspace-level and agent-level memory files
+    local f
+    for f in \
+        "$WORKSPACE_DIR/SOUL.md" \
+        "$WORKSPACE_DIR/MEMORY.md" \
+        "$WORKSPACE_DIR/IDENTITY.md"
+    do
+        [ -f "$f" ] && echo "$f"
+    done
+
+    if [ -d "$OPENCLAW_DIR/agents" ]; then
+        find "$OPENCLAW_DIR/agents" -mindepth 2 -maxdepth 2 -type f \
+            \( -name 'soul.md' -o -name 'SOUL.md' -o -name 'MEMORY.md' -o -name 'IDENTITY.md' \) \
+            2>/dev/null || true
+    fi
+}
+
+extract_allowed_domains() {
+    # Build allowlist from config + defaults
+    # Defaults follow the TS snippet.
+    local cfg raw_domains
+    cfg="$(normalize_config_val "$(get_oc_config "secureclaw.network.egressAllowlist" "")")"
+
+    {
+        echo "api.anthropic.com"
+        echo "api.openai.com"
+        echo "generativelanguage.googleapis.com"
+        if [ -n "$cfg" ]; then
+            echo "$cfg" | grep -oE '[A-Za-z0-9.-]+\.[A-Za-z]{2,}' || true
+        fi
+    } | awk 'NF' | sort -u
+}
+
+url_host_allowed() {
+    # Usage: url_host_allowed <hostname>
+    local host="${1:-}"
+    local allowed
+    [ -n "$host" ] || return 1
+
+    while IFS= read -r allowed; do
+        [ -z "$allowed" ] && continue
+        if [ "$host" = "$allowed" ]; then
+            return 0
+        fi
+        case "$host" in
+            *."$allowed")
+                return 0
+                ;;
+        esac
+    done <<EOF
+$ALLOWED_DOMAINS
+EOF
+
+    return 1
+}
+
+# Precompute allowed domains once
+ALLOWED_DOMAINS="$(extract_allowed_domains)"

package/scripts/repair/memory_poisoning/check_1.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+# CHECK 1 (origin 10 + expanded patterns): Memory Poisoning Detection
+# Usage: ./check_1.sh
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+
+MEMORY_POISON=0
+MEMORY_FILES_FOUND=0
+FOUND_FILES=()
+
+while IFS= read -r memfile; do
+    [ -z "$memfile" ] && continue
+    [ -f "$memfile" ] || continue
+
+    MEMORY_FILES_FOUND=$((MEMORY_FILES_FOUND + 1))
+
+    POISON_HITS="$(grep -inE \
+        'ignore[[:space:]]+previous[[:space:]]+instructions|ignore[[:space:]]+all[[:space:]]+previous|disregard[[:space:]]+(all[[:space:]]+)?previous|override.*instruction|new[[:space:]]+system[[:space:]]+prompt|system[[:space:]]+prompt|forget.*previous|you[[:space:]]+are[[:space:]]+now|act[[:space:]]+as[[:space:]]+if|pretend[[:space:]]+to[[:space:]]+be|from[[:space:]]+now[[:space:]]+on.*ignore|forward[[:space:]]+to|send[[:space:]]+to|exfiltrat(e|ion)|leak[[:space:]]+(the[[:space:]]+)?(secret|token|credential|key)|reveal[[:space:]]+(the[[:space:]]+)?(system[[:space:]]+prompt|secret|token|credential|key)|post[[:space:]]+to[[:space:]]+https?://|upload[[:space:]]+to[[:space:]]+https?://' \
+        "$memfile" 2>/dev/null || true)"
+
+    if [ -n "$POISON_HITS" ]; then
+        MEMORY_POISON=$((MEMORY_POISON + 1))
+        FOUND_FILES+=("$memfile")
+    fi
+done <<EOF
+$(list_memory_files)
+EOF
+
+# 生成文件路径列表
+FILE_LIST=""
+for f in "${FOUND_FILES[@]}"; do
+    FILE_LIST="${FILE_LIST}   $f\n"
+done
+
+# Guidance
+cat <<EOF
+RECOMMENDED ACTIONS:
+1. Inspect the flagged memory files:
+$(printf "%b" "$FILE_LIST")
+
+2. Remove any lines containing prompt injection patterns
+
+3. If the file has been heavily tampered with, restore from a known-good backup or recreate it from scratch
+
+4. Clear Agent memory if compromise is suspected:
+   openclaw memory clear
+
+EOF
+
+exit 0

package/scripts/repair/memory_poisoning/check_2.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+# CHECK 2 (origin 40): Log Poisoning / WebSocket Header Injection
+# Usage: ./check_2.sh
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+
+# Guidance
+cat <<EOF
+RECOMMENDED ACTIONS:
+1. Enable WebSocket header redaction:
+   openclaw config set logging.redactHeaders true
+
+2. Strip ANSI escape sequences from logs:
+   sed -i 's/\x1b\[[0-9;]*[a-zA-Z]//g' $LOG_DIR/*.log
+
+3. Strip control characters from logs:
+   for f in $LOG_DIR/*.log; do tr -d '\000-\010\016-\037' < "\$f" > "\$f.clean" && mv "\$f.clean" "\$f"; done
+
+4. Restart OpenClaw to apply config changes:
+   openclaw restart
+
+EOF
+
+exit 0
+

package/scripts/repair/memory_poisoning/check_3.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+# CHECK 3 (new / MEM-003): Base64 encoded blocks in memory
+# Usage: ./check_3.sh
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+
+# Guidance
+cat <<EOF
+RECOMMENDED ACTIONS:
+1. Inspect the flagged memory files and decode suspicious blocks manually:
+   base64 -d <<< "<paste-base64-string>"
+
+2. If the decoded content contains suspicious instructions (API calls, exfiltration), delete the memory file immediately
+
+3. Review which skill or conversation created this memory entry.
+
+4. Consider clearing all memory and starting fresh if compromise is suspected:
+   openclaw memory clear
+
+EOF
+
+exit 0
+

package/scripts/repair/memory_poisoning/check_4.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+# CHECK 4 (new / MEM-004): Non-whitelisted URLs in memory
+# Usage: ./check_4.sh
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+
+# Guidance
+cat <<EOF
+RECOMMENDED ACTIONS:
+1. Review the flagged memory files and inspect the suspicious URLs (check logs above)
+
+2. If the URL is malicious, delete the memory entry:
+   openclaw memory clear
+
+3. If the domain is legitimate and should be allowed, add it to the egress allowlist:
+   openclaw config set egress.allowlist '["api.openai.com","api.anthropic.com","<your-domain>"]'
+
+4. Review which skill or conversation introduced this URL into memory.
+
+5. Check network logs for any outbound connections to the flagged domain:
+   grep "<suspicious-domain>" ~/.openclaw/logs/*.log
+
+EOF
+
+exit 0
+

package/scripts/repair/memory_poisoning/check_5.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+# CHECK 5 (new / MEM-005): Memory file permissions
+# Usage: ./check_5.sh
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+
+# Guidance
+cat <<EOF
+RECOMMENDED ACTIONS:
+1. Fix memory file permissions:
+   chmod 600 <memory-file-path>
+
+2. Or fix all memory files at once:
+   find ~/.openclaw/workspace/memory -type f -exec chmod 600 {} \;
+
+EOF
+
+exit 0
+