npm - mohuclaw - Versions diffs - 1.0.1 - Mend

mohuclaw 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (92) hide show

package/LICENSE +21 -0
package/README.md +64 -0
package/bin/mohu-tui.js +73 -0
package/bin/mohu-webui.js +67 -0
package/dist/tui/tui.js +38733 -0
package/dist/webui/index.html +1551 -0
package/dist/webui/server.js +876 -0
package/ioc/c2-ips.txt +25 -0
package/ioc/file-hashes.txt +13 -0
package/ioc/malicious-domains.txt +46 -0
package/ioc/malicious-hashes.txt +5 -0
package/ioc/malicious-publishers.txt +34 -0
package/ioc/malicious-skill-patterns.txt +87 -0
package/package.json +46 -0
package/scripts/check/access_control.sh +183 -0
package/scripts/check/credential_storage.sh +222 -0
package/scripts/check/execution_sandbox.sh +502 -0
package/scripts/check/memory_poisoning.sh +334 -0
package/scripts/check/network_exposure.sh +479 -0
package/scripts/check/resource_cost.sh +182 -0
package/scripts/check/supply_chain.sh +553 -0
package/scripts/repair/access_control/_common.sh +249 -0
package/scripts/repair/access_control/check_1.sh +28 -0
package/scripts/repair/access_control/check_2.sh +27 -0
package/scripts/repair/access_control/check_3.sh +23 -0
package/scripts/repair/access_control/check_4.sh +23 -0
package/scripts/repair/access_control/check_5.sh +20 -0
package/scripts/repair/credential_storage/_common.sh +277 -0
package/scripts/repair/credential_storage/check_1.sh +47 -0
package/scripts/repair/credential_storage/check_2.sh +35 -0
package/scripts/repair/credential_storage/check_3.sh +53 -0
package/scripts/repair/credential_storage/logs/security-scan.log +15 -0
package/scripts/repair/execution_sandbox/_common.sh +302 -0
package/scripts/repair/execution_sandbox/check_1.sh +67 -0
package/scripts/repair/execution_sandbox/check_10.sh +23 -0
package/scripts/repair/execution_sandbox/check_11.sh +34 -0
package/scripts/repair/execution_sandbox/check_12.sh +38 -0
package/scripts/repair/execution_sandbox/check_13.sh +29 -0
package/scripts/repair/execution_sandbox/check_2.sh +46 -0
package/scripts/repair/execution_sandbox/check_3.sh +37 -0
package/scripts/repair/execution_sandbox/check_4.sh +23 -0
package/scripts/repair/execution_sandbox/check_5.sh +28 -0
package/scripts/repair/execution_sandbox/check_6.sh +17 -0
package/scripts/repair/execution_sandbox/check_7.sh +17 -0
package/scripts/repair/execution_sandbox/check_8.sh +17 -0
package/scripts/repair/execution_sandbox/check_9.sh +17 -0
package/scripts/repair/execution_sandbox/logs/security-scan.log +10 -0
package/scripts/repair/memory_poisoning/_common.sh +336 -0
package/scripts/repair/memory_poisoning/check_1.sh +51 -0
package/scripts/repair/memory_poisoning/check_2.sh +26 -0
package/scripts/repair/memory_poisoning/check_3.sh +24 -0
package/scripts/repair/memory_poisoning/check_4.sh +27 -0
package/scripts/repair/memory_poisoning/check_5.sh +20 -0
package/scripts/repair/network_exposure/_common.sh +330 -0
package/scripts/repair/network_exposure/check_1.sh +86 -0
package/scripts/repair/network_exposure/check_10.sh +16 -0
package/scripts/repair/network_exposure/check_11.sh +31 -0
package/scripts/repair/network_exposure/check_12.sh +24 -0
package/scripts/repair/network_exposure/check_2.sh +26 -0
package/scripts/repair/network_exposure/check_3.sh +43 -0
package/scripts/repair/network_exposure/check_4.sh +23 -0
package/scripts/repair/network_exposure/check_5.sh +16 -0
package/scripts/repair/network_exposure/check_6.sh +98 -0
package/scripts/repair/network_exposure/check_7.sh +35 -0
package/scripts/repair/network_exposure/check_8.sh +19 -0
package/scripts/repair/network_exposure/check_9.sh +19 -0
package/scripts/repair/resource_cost/_common.sh +303 -0
package/scripts/repair/resource_cost/check_1.sh +16 -0
package/scripts/repair/resource_cost/check_2.sh +16 -0
package/scripts/repair/resource_cost/check_3.sh +23 -0
package/scripts/repair/supply_chain/_common.sh +222 -0
package/scripts/repair/supply_chain/check_1.sh +95 -0
package/scripts/repair/supply_chain/check_10.sh +60 -0
package/scripts/repair/supply_chain/check_11.sh +63 -0
package/scripts/repair/supply_chain/check_12.sh +36 -0
package/scripts/repair/supply_chain/check_13.sh +44 -0
package/scripts/repair/supply_chain/check_14.sh +33 -0
package/scripts/repair/supply_chain/check_15.sh +33 -0
package/scripts/repair/supply_chain/check_16.sh +34 -0
package/scripts/repair/supply_chain/check_17.sh +61 -0
package/scripts/repair/supply_chain/check_18.sh +62 -0
package/scripts/repair/supply_chain/check_2.sh +93 -0
package/scripts/repair/supply_chain/check_3.sh +78 -0
package/scripts/repair/supply_chain/check_4.sh +72 -0
package/scripts/repair/supply_chain/check_5.sh +73 -0
package/scripts/repair/supply_chain/check_6.sh +81 -0
package/scripts/repair/supply_chain/check_7.sh +52 -0
package/scripts/repair/supply_chain/check_8.sh +71 -0
package/scripts/repair/supply_chain/check_9.sh +78 -0
package/scripts/repair/supply_chain/logs/security-scan.log +77 -0
package/scripts/scan.sh +228 -0
package/webui/index.html +1551 -0

package/scripts/repair/network_exposure/_common.sh ADDED Viewed

@@ -0,0 +1,330 @@
+#!/bin/bash
+# Exit codes: 0=SECURE, 1=WARNINGS, 2=COMPROMISED
+set -uo pipefail
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+# PROJECT_DIR="$(dirname "$SCRIPT_DIR")"
+# IOC_DIR="$PROJECT_DIR/ioc"
+PROJECT_DIR="$(cd "$SCRIPT_DIR/../../.." && pwd)"
+IOC_DIR="$PROJECT_DIR/ioc"
+SELF_DIR_NAME="$(basename "$PROJECT_DIR")"
+# Default OpenClaw paths
+# OPENCLAW_DIR="${OPENCLAW_HOME:-$HOME/.openclaw}"
+OPENCLAW_DIR="${OPENCLAW_HOME:-$HOME/test/openclaw-1}"
+SKILLS_DIR="$OPENCLAW_DIR/workspace/skills"
+WORKSPACE_DIR="$OPENCLAW_DIR/workspace"
+# LOG_DIR="$OPENCLAW_DIR/logs"
+LOG_DIR="logs"
+LOG_FILE="$LOG_DIR/security-scan.log"
+TIMESTAMP="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
+export PATH="$HOME/.local/bin:/opt/homebrew/opt/node@22/bin:/opt/homebrew/bin:/usr/local/bin:$PATH"
+# Overall counters
+CRITICAL=0
+WARNINGS=0
+CLEAN=0
+# Per-category counters
+CATEGORY_NAME=""
+CATEGORY_TOTAL_CHECKS=0
+CATEGORY_CRITICAL=0
+CATEGORY_WARNINGS=0
+CATEGORY_CLEAN=0
+mkdir -p "$LOG_DIR"
+log() {
+    echo "$1" | tee -a "$LOG_FILE"
+}
+header() {
+    # Usage: header <new_index> <message>
+    log ""
+    log "[$1/$CATEGORY_TOTAL_CHECKS] $2"
+}
+result_clean() {
+    log "CLEAN: $1"
+    CLEAN=$((CLEAN + 1))
+    CATEGORY_CLEAN=$((CATEGORY_CLEAN + 1))
+}
+result_warn() {
+    log "WARNING: $1"
+    WARNINGS=$((WARNINGS + 1))
+    CATEGORY_WARNINGS=$((CATEGORY_WARNINGS + 1))
+}
+result_critical() {
+    log "CRITICAL: $1"
+    CRITICAL=$((CRITICAL + 1))
+    CATEGORY_CRITICAL=$((CATEGORY_CRITICAL + 1))
+}
+category_start() {
+    # Usage: category_start <name> <total_checks>
+    CATEGORY_NAME="$1"
+    CATEGORY_TOTAL_CHECKS="$2"
+    CATEGORY_CRITICAL=0
+    CATEGORY_WARNINGS=0
+    CATEGORY_CLEAN=0
+    log ""
+    log "----------------------------------------"
+    log "CATEGORY START: $CATEGORY_NAME ($CATEGORY_TOTAL_CHECKS checks)"
+    log "----------------------------------------"
+}
+category_end() {
+    log ""
+    log "CATEGORY SUMMARY: $CATEGORY_NAME"
+    log "  critical: $CATEGORY_CRITICAL"
+    log "  warning : $CATEGORY_WARNINGS"
+    log "  clean   : $CATEGORY_CLEAN"
+    log "----------------------------------------"
+}
+# Use timeout if available (macOS may only have gtimeout via coreutils)
+TIMEOUT_BIN=""
+if command -v timeout >/dev/null 2>&1; then
+    TIMEOUT_BIN="timeout"
+elif command -v gtimeout >/dev/null 2>&1; then
+    TIMEOUT_BIN="gtimeout"
+fi
+run_with_timeout() {
+    local secs="$1"
+    shift
+    if [ -n "$TIMEOUT_BIN" ]; then
+        "$TIMEOUT_BIN" "$secs" "$@"
+    elif command -v python3 >/dev/null 2>&1; then
+        python3 - "$secs" "$@" <<'PY'
+import subprocess
+import sys
+def main():
+    try:
+        secs = float(sys.argv[1])
+    except Exception:
+        secs = 0
+    cmd = sys.argv[2:]
+    if not cmd:
+        sys.exit(1)
+    try:
+        proc = subprocess.Popen(cmd)
+        try:
+            proc.wait(timeout=secs if secs > 0 else None)
+        except subprocess.TimeoutExpired:
+            proc.kill()
+            proc.wait()
+            sys.exit(124)
+        sys.exit(proc.returncode if proc.returncode is not None else 0)
+    except FileNotFoundError:
+        sys.exit(127)
+if __name__ == "__main__":
+    main()
+PY
+    else
+        "$@"
+    fi
+}
+# Load IOC data
+load_ips() {
+    if [ -f "$IOC_DIR/c2-ips.txt" ]; then
+        grep -v '^#' "$IOC_DIR/c2-ips.txt" | grep -v '^$' | cut -d'|' -f1
+    else
+        echo "91.92.242"
+    fi
+}
+load_domains() {
+    if [ -f "$IOC_DIR/malicious-domains.txt" ]; then
+        grep -v '^#' "$IOC_DIR/malicious-domains.txt" | grep -v '^$' | cut -d'|' -f1
+    else
+        echo "webhook.site"
+    fi
+}
+sha256_file() {
+    # Cross-platform SHA-256 for a file
+    local target="$1"
+    [ -f "$target" ] || return 1
+    if command -v sha256sum >/dev/null 2>&1; then
+        sha256sum "$target" 2>/dev/null | awk '{print tolower($1)}'
+    elif command -v shasum >/dev/null 2>&1; then
+        shasum -a 256 "$target" 2>/dev/null | awk '{print tolower($1)}'
+    elif command -v openssl >/dev/null 2>&1; then
+        openssl dgst -sha256 "$target" 2>/dev/null | sed -E 's/^.*= //' | tr '[:upper:]' '[:lower:]'
+    else
+        return 1
+    fi
+}
+load_hash_iocs() {
+    # Expected format: <sha256>|<campaign>
+    # Similar to c2-ips.txt storage style
+    if [ -f "$IOC_DIR/malicious-hashes.txt" ]; then
+        grep -v '^#' "$IOC_DIR/malicious-hashes.txt" | grep -v '^$' || true
+    fi
+}
+lookup_malicious_hash_campaign() {
+    local needle
+    needle="$(printf "%s" "${1:-}" | tr '[:upper:]' '[:lower:]')"
+    [ -n "$needle" ] || return 1
+    while IFS='|' read -r hash_val campaign rest; do
+        hash_val="$(printf "%s" "$hash_val" | tr '[:upper:]' '[:lower:]')"
+        if [ "$hash_val" = "$needle" ]; then
+            printf "%s\n" "${campaign:-unknown}"
+            return 0
+        fi
+    done < <(load_hash_iocs)  # ← 进程替换，不产生子shell
+    return 1
+}
+extract_github_account_age_days() {
+    # Best-effort local metadata extraction only.
+    # We cannot reliably infer GitHub account age from filesystem alone unless
+    # the skill metadata explicitly records it.
+    local skill_dir="$1"
+    local val=""
+    for meta in "$skill_dir/package.json" "$skill_dir/config.json" "$skill_dir/SKILL.md"; do
+        [ -f "$meta" ] || continue
+        # JSON-ish keys
+        val="$(grep -iEo '"(githubAccountAge|github_account_age|accountAgeDays|githubAccountAgeDays)"[[:space:]]*:[[:space:]]*[0-9]+' "$meta" 2>/dev/null | head -1 | grep -oE '[0-9]+' || true)"
+        if [ -n "$val" ]; then
+            printf "%s\n" "$val"
+            return 0
+        fi
+        # YAML / markdown frontmatter-ish keys
+        val="$(grep -iE '^(githubAccountAge|github_account_age|accountAgeDays|githubAccountAgeDays)[[:space:]]*:[[:space:]]*[0-9]+' "$meta" 2>/dev/null | head -1 | grep -oE '[0-9]+' || true)"
+        if [ -n "$val" ]; then
+            printf "%s\n" "$val"
+            return 0
+        fi
+    done
+    return 1
+}
+export PATH="$HOME/.local/bin:/opt/homebrew/opt/node@22/bin:/opt/homebrew/bin:/usr/local/bin:$PATH"
+# ------------------------------------------------------------
+# Shared helpers
+# ------------------------------------------------------------
+OPENCLAW_PRESENT=false
+if command -v openclaw >/dev/null 2>&1; then
+    OPENCLAW_PRESENT=true
+fi
+OC_VERSION="unknown"
+PARSED_OC_VERSION=""
+OC_MAJOR=""
+OC_MINOR=""
+OC_PATCH=""
+if [ "$OPENCLAW_PRESENT" = true ]; then
+    OC_VERSION="$(run_with_timeout 5 openclaw --version 2>/dev/null || echo "unknown")"
+    PARSED_OC_VERSION="$(echo "$OC_VERSION" | grep -oE '[0-9]{4}\.[0-9]+\.[0-9]+' | head -1 || true)"
+    if [ -n "$PARSED_OC_VERSION" ]; then
+        OC_MAJOR="$(echo "$PARSED_OC_VERSION" | cut -d'.' -f1)"
+        OC_MINOR="$(echo "$PARSED_OC_VERSION" | cut -d'.' -f2)"
+        OC_PATCH="$(echo "$PARSED_OC_VERSION" | cut -d'.' -f3)"
+    fi
+fi
+get_oc_config() {
+    # Usage: get_oc_config <key> <default>
+    local key="$1"
+    local default_val="${2:-}"
+    if [ "$OPENCLAW_PRESENT" = true ]; then
+        run_with_timeout 10 openclaw config get "$key" 2>/dev/null || echo "$default_val"
+    else
+        echo "$default_val"
+    fi
+}
+normalize_config_val() {
+    # Normalize null/undefined-ish values to empty string
+    local val="${1:-}"
+    case "$val" in
+        null|undefined|"")
+            echo ""
+            ;;
+        *)
+            echo "$val"
+            ;;
+    esac
+}
+version_ge() {
+    # Usage: version_ge <major> <minor> <patch>
+    # returns 0 if OC_VERSION >= target, else 1
+    local t_major="$1"
+    local t_minor="$2"
+    local t_patch="$3"
+    if [ -z "$PARSED_OC_VERSION" ]; then
+        return 1
+    fi
+    if [ "$OC_MAJOR" -gt "$t_major" ] 2>/dev/null; then
+        return 0
+    fi
+    if [ "$OC_MAJOR" -lt "$t_major" ] 2>/dev/null; then
+        return 1
+    fi
+    if [ "$OC_MINOR" -gt "$t_minor" ] 2>/dev/null; then
+        return 0
+    fi
+    if [ "$OC_MINOR" -lt "$t_minor" ] 2>/dev/null; then
+        return 1
+    fi
+    if [ "$OC_PATCH" -ge "$t_patch" ] 2>/dev/null; then
+        return 0
+    fi
+    return 1
+}
+version_lt() {
+    # Usage: version_lt <major> <minor> <patch>
+    # returns 0 if OC_VERSION < target, else 1
+    if [ -z "$PARSED_OC_VERSION" ]; then
+        return 1
+    fi
+    if version_ge "$1" "$2" "$3"; then
+        return 1
+    fi
+    return 0
+}
+detect_gateway_port() {
+    local raw
+    raw="$(get_oc_config "gateway.port" "18789")"
+    raw="$(echo "$raw" | grep -oE '[0-9]+' | head -1 || true)"
+    if [ -z "$raw" ]; then
+        raw="18789"
+    fi
+    echo "$raw"
+}
+GW_PORT="$(detect_gateway_port)"

package/scripts/repair/network_exposure/check_1.sh ADDED Viewed

@@ -0,0 +1,86 @@
+#!/bin/bash
+# CHECK 1 (origin 13): Gateway Security Configuration
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+# Environment vars (set by caller / _common.sh sourced before this):
+#   AUTO_FIX       — if "1", automatically remove the offending skill
+# Example: AUTO_FIX=1 ./check_1.sh
+GW_ISSUES=0
+BIND="unknown"
+AUTH_MODE="unknown"
+if [ "$OPENCLAW_PRESENT" = true ]; then
+    log "  OpenClaw version: $OC_VERSION"
+    BIND="$(get_oc_config "gateway.bind" "unknown")"
+    if [ "$BIND" = "lan" ] || [ "$BIND" = "0.0.0.0" ]; then
+        GW_ISSUES=$((GW_ISSUES + 1))
+    fi
+    AUTH_MODE="$(get_oc_config "gateway.auth.mode" "unknown")"
+    if [ "$AUTH_MODE" = "none" ] || [ "$AUTH_MODE" = "off" ]; then
+        GW_ISSUES=$((GW_ISSUES + 1))
+    fi
+else
+    log "  openclaw command not found"
+fi
+# Auto-fix
+if [ "${AUTO_FIX:-0}" = "1" ]; then
+    FIXED=0
+    FAILED=0
+    if [ "$BIND" = "lan" ] || [ "$BIND" = "0.0.0.0" ]; then
+        log "AUTO-FIX: Setting gateway.bind to localhost..."
+        if openclaw config set gateway.bind localhost >> "$LOG_FILE" 2>&1; then
+            log "SUCCESS: gateway.bind set to localhost"
+            FIXED=$((FIXED + 1))
+        else
+            log "ERROR: Failed to set gateway.bind"
+            FAILED=$((FAILED + 1))
+        fi
+    fi
+    if [ "$AUTH_MODE" = "none" ] || [ "$AUTH_MODE" = "off" ]; then
+        log "AUTO-FIX: Setting gateway.auth.mode to token..."
+        if openclaw config set gateway.auth.mode token >> "$LOG_FILE" 2>&1; then
+            log "SUCCESS: gateway.auth.mode set to token"
+            FIXED=$((FIXED + 1))
+        else
+            log "ERROR: Failed to set gateway.auth.mode"
+            FAILED=$((FAILED + 1))
+        fi
+    fi
+    log "Auto-fix complete: $FIXED fixed, $FAILED failed"
+    if [ $FIXED -gt 0 ]; then
+        log "NOTE: Restart OpenClaw for changes to take effect: openclaw restart"
+    fi
+    exit 0
+fi
+# Guidance
+cat <<EOF
+Found $GW_ISSUES gateway configuration issue(s).
+An exposed or unauthenticated gateway allows anyone on the network to access OpenClaw.
+RECOMMENDED ACTIONS:
+1. Bind gateway to localhost only (current: $BIND)
+   openclaw config set gateway.bind localhost
+2. Enable gateway authentication (current: $AUTH_MODE)
+   openclaw config set gateway.auth.mode token
+3. Restart OpenClaw to apply changes
+   openclaw restart
+4. Verify current gateway config
+   openclaw config get gateway
+auto-fix
+EOF
+exit 1

package/scripts/repair/network_exposure/check_10.sh ADDED Viewed

@@ -0,0 +1,16 @@
+#!/bin/bash
+# CHECK 10 (origin 39/45): Deep Link + Sandbox Browser Bridge
+# Usage: ./check_10.sh
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+# Guidance
+cat <<EOF
+RECOMMENDED ACTIONS:
+1. Update OpenClaw:
+   openclaw update
+EOF
+exit 0

package/scripts/repair/network_exposure/check_11.sh ADDED Viewed

@@ -0,0 +1,31 @@
+#!/bin/bash
+# CHECK 11 (new / GW-003): Weak gateway auth token/password
+# Usage: ./check_11.sh
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+# Guidance
+cat <<EOF
+RECOMMENDED ACTIONS:
+1. Generate a strong random token:
+   openssl rand -hex 16
+2. Set the new token:
+   openclaw config set gateway.auth.password <new-token>
+3. Or set token mode and update:
+   openclaw config set gateway.auth.mode token
+   openclaw config set gateway.auth.token <new-token>
+4. Verify the new token length:
+   openclaw config get gateway.auth.password | wc -c
+   # Should be 32 or more
+5. Restart OpenClaw to apply changes:
+   openclaw restart
+EOF
+exit 0

package/scripts/repair/network_exposure/check_12.sh ADDED Viewed

@@ -0,0 +1,24 @@
+#!/bin/bash
+# CHECK 12 (new / GW-006): Gateway TLS enabled
+# Usage: ./check_12.sh
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+# Guidance
+cat <<EOF
+RECOMMENDED ACTIONS:
+1. Enable TLS on the gateway:
+   openclaw config set gateway.tls.enabled true
+2. Provide your TLS certificate and key via OpenClaw config:
+   openclaw config set gateway.tls.certFile /path/to/cert.pem
+   openclaw config set gateway.tls.keyFile /path/to/key.pem
+3. Restart OpenClaw to apply changes:
+   openclaw restart
+4. Consult OpenClaw documentation for TLS configuration details.
+EOF
+exit 0

package/scripts/repair/network_exposure/check_2.sh ADDED Viewed

@@ -0,0 +1,26 @@
+#!/bin/bash
+# CHECK 2 (origin 14): WebSocket Origin Validation
+# Usage: ./check_2.sh
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+# Guidance
+cat << EOF
+RECOMMENDED ACTIONS:
+1. Update OpenClaw immediately:
+   openclaw update
+2. Enable gateway authentication as an additional mitigation:
+   openclaw config set gateway.auth.mode token
+   openclaw config set gateway.auth.token \$(openssl rand -hex 16)
+3. Bind gateway to localhost only:
+   openclaw config set gateway.bind localhost
+4. Restart OpenClaw to apply changes:
+   openclaw restart
+EOF
+exit 0

package/scripts/repair/network_exposure/check_3.sh ADDED Viewed

@@ -0,0 +1,43 @@
+#!/bin/bash
+# CHECK 3 (origin 25): Reverse Proxy / Localhost Trust Bypass
+# Usage: ./check_3.sh
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+# Environment vars (set by caller / _common.sh sourced before this):
+#   AUTO_FIX       — if "1", automatically remove the offending skill
+# Example: AUTO_FIX=1 ./check_3.sh
+# Auto-fix
+if [ "${AUTO_FIX:-0}" = "1" ]; then
+    if [ "$DISABLE_DEVICE_AUTH" = "true" ]; then
+        log "AUTO-FIX: Re-enabling device authentication..."
+        if openclaw config set gateway.dangerouslyDisableDeviceAuth false >> "$LOG_FILE" 2>&1; then
+            log "SUCCESS: Device authentication re-enabled"
+        else
+            log "ERROR: Failed to re-enable device authentication"
+        fi
+    fi
+    exit 0
+fi
+# Guidance
+cat <<EOF
+RECOMMENDED ACTIONS:
+1. Re-enable device authentication:
+   openclaw config set gateway.dangerouslyDisableDeviceAuth false
+2. Bind gateway to localhost instead of LAN:
+   openclaw config set gateway.bind localhost
+3. If reverse proxy is needed, configure trusted proxies explicitly:
+   openclaw config set gateway.trustedProxies '["127.0.0.1"]'
+4. Restart OpenClaw to apply changes:
+   openclaw restart
+auto-fix
+EOF
+exit 0

package/scripts/repair/network_exposure/check_4.sh ADDED Viewed

@@ -0,0 +1,23 @@
+#!/bin/bash
+# CHECK 4 (origin 33): ClawJacked Brute-Force Protection
+# Usage: ./check_4.sh
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+# Guidance
+cat << EOF
+RECOMMENDED ACTIONS:
+1. Update OpenClaw immediately:
+   openclaw update
+2. Set a strong gateway password (if not already set):
+   openclaw config set gateway.auth.mode token
+   openclaw config set gateway.auth.token <strong-random-token>
+3. Verify rate limiting is enabled after update:
+   openclaw config get gateway.auth.rateLimit
+EOF
+exit 0

package/scripts/repair/network_exposure/check_5.sh ADDED Viewed

@@ -0,0 +1,16 @@
+#!/bin/bash
+# CHECK 5 (origin 41): Browser Relay CDP Unauthenticated Access
+# Usage: ./check_5.sh
+# Guidance
+cat << EOF
+RECOMMENDED ACTIONS:
+1. Update OpenClaw immediately:
+   openclaw update
+2. Disable Browser Relay until patched:
+   openclaw config set browser.relay.enabled false
+EOF
+exit 0

package/scripts/repair/network_exposure/check_6.sh ADDED Viewed

@@ -0,0 +1,98 @@
+#!/bin/bash
+# CHECK 6 (origin 31): Internet Exposure Detection
+# Usage: ./check_6.sh
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+OC_PORT="$(openclaw config get gateway.port 2>/dev/null || echo "3000")"
+if command -v firewall-cmd &>/dev/null && firewall-cmd --state &>/dev/null 2>&1; then
+    FW_TYPE="firewalld"
+elif command -v ufw &>/dev/null; then
+    FW_TYPE="ufw"
+else
+    FW_TYPE="iptables"
+fi
+case "$FW_TYPE" in
+    firewalld)
+        cat <<EOF
+RECOMMENDED ACTIONS:
+1. Block OpenClaw port from external access:
+   sudo firewall-cmd --permanent --remove-port=$OC_PORT/tcp
+   sudo firewall-cmd --reload
+2. Allow only localhost access (if needed):
+   sudo firewall-cmd --permanent --zone=trusted --add-source=127.0.0.1
+   sudo firewall-cmd --permanent --zone=trusted --add-port=$OC_PORT/tcp
+   sudo firewall-cmd --reload
+3. Verify rules:
+   sudo firewall-cmd --list-all
+4. Check status:
+   sudo firewall-cmd --state
+EOF
+        ;;
+    ufw)
+        cat <<EOF
+==========================================
+GUIDANCE: Manual Review Required
+==========================================
+Linux Firewall Configuration (ufw)
+RECOMMENDED ACTIONS:
+1. Enable ufw if not already enabled:
+   sudo ufw enable
+2. Deny OpenClaw port by default:
+   sudo ufw deny $OC_PORT/tcp
+3. Allow only localhost access:
+   sudo ufw allow from 127.0.0.1 to any port $OC_PORT proto tcp
+4. Verify rules:
+   sudo ufw status verbose
+5. Check numbered rules:
+   sudo ufw status numbered
+EOF
+        ;;
+    iptables)
+        cat <<EOF
+==========================================
+GUIDANCE: Manual Review Required
+==========================================
+Linux Firewall Configuration (iptables)
+RECOMMENDED ACTIONS:
+1. Allow localhost access only:
+   sudo iptables -A INPUT -p tcp --dport $OC_PORT -s 127.0.0.1 -j ACCEPT
+   sudo iptables -A INPUT -p tcp --dport $OC_PORT -j DROP
+2. For IPv6:
+   sudo ip6tables -A INPUT -p tcp --dport $OC_PORT -s ::1 -j ACCEPT
+   sudo ip6tables -A INPUT -p tcp --dport $OC_PORT -j DROP
+3. Save rules (Debian/Ubuntu):
+   sudo apt-get install iptables-persistent
+   sudo netfilter-persistent save
+4. Save rules (RHEL/CentOS):
+   sudo service iptables save
+5. Verify rules:
+   sudo iptables -L -n -v
+6. Make persistent across reboots:
+   sudo systemctl enable iptables
+   sudo systemctl enable ip6tables
+EOF
+        ;;
+esac
+exit 0