openclaw-plugin-vt-sentinel 0.8.1 → 0.8.3

Files changed (2)
  1. package/dist/index.js +11 -5
  2. package/package.json +1 -1
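--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -145,7 +145,10 @@ function generateUpdateCommands(opts) {
  return lines.join('\n');
  }
  const stateDir = opts.stateDir;
- const quotedExtDir = `"${path.join(stateDir, 'extensions', PACKAGE_NAME)}"`;
+ // Escape double quotes in paths to prevent shell injection via OPENCLAW_STATE_DIR
+ const escapeForShell = (s) => s.replace(/"/g, '\\"');
+ const extDir = path.join(stateDir, 'extensions', PACKAGE_NAME);
+ const quotedExtDir = `"${escapeForShell(extDir)}"`;
  const configPath = path.join(stateDir, 'openclaw.json');
  const lines = [];
  lines.push(`Upgrade: v${opts.currentVersion} → v${opts.latestVersion}`);
@@ -167,9 +170,12 @@ function generateUpdateCommands(opts) {
  lines.push(` rm -rf ${quotedExtDir} (Linux/macOS)`);
  lines.push(` rmdir /s /q ${quotedExtDir.replace(/\//g, '\\\\')} (Windows)`);
  lines.push('');
- lines.push(` 2b. Back up and clean the config entry:`);
- // Generate a safe node -e script for config cleanup
- const cleanupScript = `node -e "const fs=require('fs'),p='${configPath.replace(/\\/g, '\\\\').replace(/'/g, "\\'")}';try{const b=fs.readFileSync(p,'utf8');fs.writeFileSync(p+'.bak',b);const c=JSON.parse(b);if(c.plugins){delete(c.plugins.entries||{})['${PACKAGE_NAME}'];delete(c.plugins.installs||{})['${PACKAGE_NAME}'];}fs.writeFileSync(p,JSON.stringify(c,null,2));console.log('Config cleaned (backup: '+p+'.bak)')}catch(e){console.error('Failed: '+e.message);process.exit(1)}"`;
+ lines.push(` 2b. Back up and clean the stale install entry (preserves your config):`);
+ // Generate a safe node -e script for config cleanup.
+ // Only deletes plugins.installs (stale install metadata), NOT plugins.entries (user config with apiKey etc.).
+ // Tries json5 parser first (likely available as openclaw dependency), falls back to JSON.parse.
+ const safeConfigPath = configPath.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/"/g, '\\"');
+ const cleanupScript = `node -e "const fs=require('fs'),p='${safeConfigPath}';try{const b=fs.readFileSync(p,'utf8');fs.writeFileSync(p+'.bak',b);const P=(()=>{try{return require('json5').parse}catch{return JSON.parse}})();const c=P(b);if(c.plugins&&c.plugins.installs){delete c.plugins.installs['${PACKAGE_NAME}'];}fs.writeFileSync(p,JSON.stringify(c,null,2));console.log('Config cleaned (backup: '+p+'.bak)')}catch(e){console.error('Failed: '+e.message+'. Manually remove ${PACKAGE_NAME} from plugins.installs in '+p);process.exit(1)}"`;
  lines.push(` ${cleanupScript}`);
  lines.push('');
  lines.push(` 2c. Reinstall:`);
@@ -1031,7 +1037,7 @@ function vtSentinelPlugin(api) {
  required: [],
  },
  execute: async (_ctx, rawParams) => {
- const params = rawParams || {};
+ const params = (typeof rawParams === 'object' && rawParams !== null) ? rawParams : {};
  // Strict validation: reject non-boolean confirm
  if ('confirm' in params && typeof params.confirm !== 'boolean') {
  return textResponse('Error: confirm must be true or false');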
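Review bot: `escapeForShell` in the first hunk escapes only `"`, but inside a double-quoted POSIX shell string `$`, backticks and `\` are still interpreted, and because backslashes are not doubled first a path containing `\"` ends up closing the quote, so the stated goal of the added comment (no shell injection via OPENCLAW_STATE_DIR) is not met for the printed `rm -rf` line. For the POSIX command, single-quoting is the safer form, e.g. `const shQuote = (s) => "'" + s.replace(/'/g, "'\\''") + "'";`, used in place of the double-quoted `quotedExtDir`. The Windows `rmdir` line needs its own quoting helper, since cmd.exe does not treat `\"` as an escape and the POSIX form would not carry over. The same gap applies to `safeConfigPath` in the second hunk, where the path is spliced into `node -e "..."` source and must survive both shell and JavaScript parsing; passing it as a separate quoted argument and reading it with `process.argv[1]` avoids escaping for two languages at once. `generateUpdateCommands` begins and ends outside the shown hunks, so any quoting done elsewhere in it is not visible here.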
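--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "openclaw-plugin-vt-sentinel",
- "version": "0.8.1",
+ "version": "0.8.3",
  "description": "VirusTotal Sentinel for OpenClaw - Malware detection and AI-powered code analysis",
  "main": "dist/index.js",
  "types": "dist/index.d.ts",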