openclaw-smartmeter 0.1.0
- package/CONTRIBUTING.md +148 -0
- package/LICENSE +190 -0
- package/README.md +275 -0
- package/SECURITY.md +89 -0
- package/SKILL.md +0 -0
- package/SPEC.md +708 -0
- package/canvas-template/README.md +166 -0
- package/canvas-template/analysis.public.json +141 -0
- package/canvas-template/app.js +425 -0
- package/canvas-template/index.html +162 -0
- package/canvas-template/preview-server.py +63 -0
- package/canvas-template/styles.css +575 -0
- package/docs/backlog.md +63 -0
- package/package.json +41 -0
- package/src/analyzer/aggregator.js +256 -0
- package/src/analyzer/classifier.js +160 -0
- package/src/analyzer/parser.js +187 -0
- package/src/analyzer/recommender.js +158 -0
- package/src/analyzer/storage.js +31 -0
- package/src/canvas/deployer.js +321 -0
- package/src/cli/commands.js +267 -0
- package/src/cli/index.js +82 -0
- package/src/cli/utils.js +146 -0
- package/src/generator/agent-creator.js +61 -0
- package/src/generator/config-builder.js +163 -0
- package/src/generator/merger.js +27 -0
- package/src/generator/validator.js +54 -0
package/SECURITY.md
ADDED
|
@@ -0,0 +1,89 @@
|
|
|
1
|
+
# Security Policy
|
|
2
|
+
|
|
3
|
+
## Supported Versions
|
|
4
|
+
|
|
5
|
+
| Version | Supported |
|
|
6
|
+
|---------|--------------------|
|
|
7
|
+
| 1.x | Yes |
|
|
8
|
+
|
|
9
|
+
## Reporting a Vulnerability
|
|
10
|
+
|
|
11
|
+
We take security seriously. If you discover a security vulnerability in SmartMeter, please report it responsibly.
|
|
12
|
+
|
|
13
|
+
**Do not open a public GitHub issue for security vulnerabilities.**
|
|
14
|
+
|
|
15
|
+
### How to Report
|
|
16
|
+
|
|
17
|
+
Please use GitHub's private security advisory feature:
|
|
18
|
+
|
|
19
|
+
1. Go to https://github.com/vajih/openclaw-smartmeter/security/advisories/new
|
|
20
|
+
2. Click "New draft security advisory"
|
|
21
|
+
3. Fill in the details of the vulnerability
|
|
22
|
+
4. Click "Create draft security advisory"
|
|
23
|
+
|
|
24
|
+
Alternatively, you can email **vajihkhan@gmail.com** with details.
|
|
25
|
+
|
|
26
|
+
### What to Expect
|
|
27
|
+
|
|
28
|
+
- **Acknowledgment** within 48 hours of your report
|
|
29
|
+
- **Assessment** within 5 business days
|
|
30
|
+
- **Resolution timeline** communicated after assessment
|
|
31
|
+
- **Credit** in the release notes (unless you prefer anonymity)
|
|
32
|
+
|
|
33
|
+
## Security Considerations
|
|
34
|
+
|
|
35
|
+
### Data Handling
|
|
36
|
+
|
|
37
|
+
SmartMeter processes OpenClaw session logs which may contain:
|
|
38
|
+
|
|
39
|
+
- **User prompts and AI responses** - These remain local and are never transmitted externally
|
|
40
|
+
- **API usage metrics** - Token counts, costs, and model identifiers
|
|
41
|
+
- **File paths** - Session file locations on disk
|
|
42
|
+
|
|
43
|
+
### Data Storage
|
|
44
|
+
|
|
45
|
+
- All analysis data is stored locally at `~/.openclaw/smartmeter/`
|
|
46
|
+
- The `analysis.public.json` file (used by the dashboard) is sanitized to exclude:
|
|
47
|
+
- Full file paths
|
|
48
|
+
- Session-level details
|
|
49
|
+
- Any API keys or credentials
|
|
50
|
+
- No data is sent to external servers
|
|
51
|
+
|
|
52
|
+
### Canvas Dashboard
|
|
53
|
+
|
|
54
|
+
- The dashboard runs locally via the OpenClaw gateway
|
|
55
|
+
- It serves static files from `~/.openclaw/canvas/smartmeter/`
|
|
56
|
+
- No external network requests are made by the dashboard
|
|
57
|
+
- Data refreshes happen via local HTTP polling only
|
|
58
|
+
|
|
59
|
+
### Dependencies
|
|
60
|
+
|
|
61
|
+
SmartMeter uses minimal dependencies to reduce supply chain risk:
|
|
62
|
+
|
|
63
|
+
| Dependency | Purpose | Risk Level |
|
|
64
|
+
|-------------|----------------------|------------|
|
|
65
|
+
| commander | CLI argument parsing | Low |
|
|
66
|
+
| open | Browser launching | Low |
|
|
67
|
+
| fs-extra | File operations | Low |
|
|
68
|
+
|
|
69
|
+
### Best Practices
|
|
70
|
+
|
|
71
|
+
- Keep Node.js and dependencies up to date
|
|
72
|
+
- Review `analysis.public.json` before sharing screenshots publicly
|
|
73
|
+
- Do not commit `~/.openclaw/` directory contents to version control (already in `.gitignore`)
|
|
74
|
+
- Rotate API keys if you suspect they were logged in session files
|
|
75
|
+
|
|
76
|
+
## Scope
|
|
77
|
+
|
|
78
|
+
The following are **in scope** for security reports:
|
|
79
|
+
|
|
80
|
+
- Data leakage in `analysis.public.json` (sensitive data not properly sanitized)
|
|
81
|
+
- Path traversal vulnerabilities in file operations
|
|
82
|
+
- Command injection via CLI arguments
|
|
83
|
+
- Dependency vulnerabilities with known CVEs
|
|
84
|
+
|
|
85
|
+
The following are **out of scope**:
|
|
86
|
+
|
|
87
|
+
- Issues in the OpenClaw platform itself (report to OpenClaw directly)
|
|
88
|
+
- Social engineering attacks
|
|
89
|
+
- Denial of service against local processes
|
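Review bot: the Supported Versions table (lines 5-7 of the hunk) lists only `1.x` as supported, yet the package being published here is `openclaw-smartmeter 0.1.0`, so the policy never says whether `0.x` releases receive security fixes; add a `| 0.x | Yes |` row (or an explicit statement that pre-1.0 releases are covered) so reporters know the current version is in scope. Two smaller points in the same file: the Canvas Dashboard section (lines 54-57) says the dashboard "runs locally" and refreshes "via local HTTP polling only" but does not state which interface the gateway listens on; stating that `~/.openclaw/canvas/smartmeter/` is served on loopback only would make the "No data is sent to external servers" claim in Data Storage verifiable. And the Data Storage section (line 46-49) promises that `analysis.public.json` excludes "Any API keys or credentials" while Best Practices (line 74) admits keys may be logged in session files; documenting how that sanitization is performed (or pointing at the responsible module under `src/analyzer/`) would let the in-scope item "Data leakage in `analysis.public.json`" be tested rather than taken on trust.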
package/SKILL.md
ADDED
File without changes