openclawsec 1.0.0

package/cli.js

@@ -0,0 +1,184 @@
+#!/usr/bin/env node
+
+const { scan } = require('./src/commands/scan');
+const { doctor } = require('./src/commands/doctor');
+const { audit } = require('./src/commands/audit');
+const { runMonitor, checkStatus } = require('./src/commands/monitor');
+const out = require('./src/utils/output');
+
+const COMMANDS = {
+  scan: {
+    description: 'Run full security scan',
+    aliases: ['s', 'scan']
+  },
+  doctor: {
+    description: 'Quick health check',
+    aliases: ['d', 'doctor', 'diag']
+  },
+  audit: {
+    description: 'Audit installed skills and secrets',
+    aliases: ['a', 'audit']
+  },
+  monitor: {
+    description: 'Continuous monitoring mode',
+    aliases: ['m', 'monitor', 'watch']
+  },
+  status: {
+    description: 'Check monitoring status',
+    aliases: ['st', 'status']
+  },
+  help: {
+    description: 'Show this help message',
+    aliases: ['h', 'help', '--help', '-h']
+  },
+  version: {
+    description: 'Show ClawShield version',
+    aliases: ['v', 'version', '--version', '-v']
+  }
+};
+
+const VERSION = '1.0.0';
+
+function showBanner() {
+  console.log('');
+  console.log(out.COLORS.title('   _____ _     _____   __'));
+  console.log(out.COLORS.title('  / ____| |   |  __ \\ / _|'));
+  console.log(out.COLORS.title(' | |    | |   | |__) | |_ '));
+  console.log(out.COLORS.title(' | |    | |   |  ___/|  _|'));
+  console.log(out.COLORS.title(' | |____| |___| |    | |  '));
+  console.log(out.COLORS.title('  \\_____|______|_|    |_|  '));
+  console.log('');
+  console.log(out.COLORS.dim('   OpenClaw Security Monitor v' + VERSION));
+  console.log(out.COLORS.dim('   https://github.com/clawshield/openclawsec'));
+  console.log('');
+}
+
+function showHelp() {
+  showBanner();
+  
+  console.log(out.COLORS.title('USAGE:'));
+  console.log('  clawshield <command> [options]');
+  console.log('');
+  
+  console.log(out.COLORS.title('COMMANDS:'));
+  
+  const longestDesc = Math.max(...Object.values(COMMANDS).map(c => c.description.length));
+  
+  for (const [name, cmd] of Object.entries(COMMANDS)) {
+    const paddedName = name.padEnd(12);
+    const aliases = cmd.aliases.filter(a => a !== name).join(', ');
+    console.log(`  ${out.COLORS.cyan(paddedName)} ${out.COLORS.dim(cmd.description)}`);
+    if (aliases) {
+      console.log(`${out.COLORS.dim(' '.repeat(14))}(alias: ${aliases})`);
+    }
+  }
+  
+  console.log('');
+  console.log(out.COLORS.title('EXAMPLES:'));
+  console.log(`  ${out.COLORS.cyan('clawshield scan')}          ${out.COLORS.dim('Run full security scan')}`);
+  console.log(`  ${out.COLORS.cyan('clawshield doctor')}        ${out.COLORS.dim('Quick health check')}`);
+  console.log(`  ${out.COLORS.cyan('clawshield audit')}          ${out.COLORS.dim('Audit skills and secrets')}`);
+  console.log(`  ${out.COLORS.cyan('clawshield monitor')}        ${out.COLORS.dim('Continuous monitoring')}`);
+  console.log(`  ${out.COLORS.cyan('clawshield monitor --60')}   ${out.COLORS.dim('Monitor every 60 minutes')}`);
+  console.log(`  ${out.COLORS.cyan('clawshield status')}         ${out.COLORS.dim('Check monitoring status')}`);
+  console.log('');
+  console.log(out.COLORS.title('QUICK START:'));
+  console.log('  1. Run: clawshield scan    # Full security scan');
+  console.log('  2. Run: clawshield doctor  # Quick check');
+  console.log('  3. Run: clawshield monitor # Continuous monitoring');
+  console.log('');
+  console.log(out.COLORS.dim('For more info, visit: https://github.com/clawshield/openclawsec'));
+  console.log('');
+}
+
+function showVersion() {
+  console.log('ClawShield v' + VERSION);
+  console.log('OpenClaw Security Monitor');
+  console.log('');
+  console.log('License: MIT');
+  console.log('Repository: https://github.com/clawshield/openclawsec');
+}
+
+function findCommand(input) {
+  const cmd = input.toLowerCase();
+  
+  for (const [name, config] of Object.entries(COMMANDS)) {
+    if (name === cmd || config.aliases.includes(cmd)) {
+      return name;
+    }
+  }
+  
+  return null;
+}
+
+async function main() {
+  const args = process.argv.slice(2);
+  
+  if (args.length === 0) {
+    showHelp();
+    return;
+  }
+  
+  const inputCmd = args[0];
+  const command = findCommand(inputCmd);
+  
+  if (!command) {
+    console.log(out.COLORS.error(`Unknown command: ${inputCmd}`));
+    console.log('');
+    console.log(`Run '${out.COLORS.cyan('clawshield help')}' for available commands`);
+    process.exit(1);
+  }
+  
+  if (command === 'help') {
+    showHelp();
+    return;
+  }
+  
+  if (command === 'version') {
+    showVersion();
+    return;
+  }
+  
+  const remainingArgs = args.slice(1);
+  
+  switch (command) {
+    case 'scan':
+      await scan();
+      break;
+      
+    case 'doctor':
+      await doctor();
+      break;
+      
+    case 'audit':
+      audit();
+      break;
+      
+    case 'monitor':
+      let interval = 60 * 60 * 1000;
+      
+      const intervalArg = remainingArgs.find(arg => arg.startsWith('--'));
+      if (intervalArg) {
+        const minutes = parseInt(intervalArg.replace('--', ''));
+        if (!isNaN(minutes) && minutes > 0) {
+          interval = minutes * 60 * 1000;
+        }
+      }
+      
+      await runMonitor(interval);
+      break;
+      
+    case 'status':
+      checkStatus();
+      break;
+      
+    default:
+      console.log(out.COLORS.error('Command not implemented: ' + command));
+      process.exit(1);
+  }
+}
+
+main().catch(error => {
+  console.error(out.COLORS.error('Fatal error: ' + error.message));
+  process.exit(1);
+});

package/package.json

@@ -0,0 +1,33 @@
+{
+  "name": "openclawsec",
+  "version": "1.0.0",
+  "description": "OpenClaw Security Monitoring & Hardening Tool",
+  "main": "cli.js",
+  "bin": {
+    "openclawsec": "./cli.js"
+  },
+  "scripts": {
+    "start": "node cli.js",
+    "scan": "node cli.js scan",
+    "doctor": "node cli.js doctor",
+    "audit": "node cli.js audit",
+    "monitor": "node cli.js monitor"
+  },
+  "keywords": ["openclaw", "security", "monitoring", "cli", "cve", "hardening"],
+  "author": "rastuak",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/rastuak/clawshield.git"
+  },
+  "bugs": {
+    "url": "https://github.com/rastuak/clawshield/issues"
+  },
+  "homepage": "https://github.com/rastuak/clawshield",
+  "dependencies": {
+    "chalk": "^4.1.2",
+    "ora": "^5.4.1",
+    "node-fetch": "^2.7.0",
+    "tablemark": "^3.1.0"
+  }
+}

package/src/checks/configHarden.js

@@ -0,0 +1,210 @@
+const out = require('../utils/output');
+
+function getOpenClawConfigPath() {
+  const home = process.env.USERPROFILE || process.env.HOME || process.env.HOMEPATH;
+  
+  const possiblePaths = [
+    `${home}\\.openclaw\\openclaw.json`,
+    `${home}\\.config\\openclaw\\openclaw.json`,
+    `${home}\\openclaw\\openclaw.json`,
+    '.openclaw/openclaw.json',
+    '~/.openclaw/openclaw.json'
+  ];
+  
+  return possiblePaths[0];
+}
+
+function getConfigFromFile(path) {
+  const fs = require('fs');
+  const pathLib = require('path');
+  
+  const configPath = path || getOpenClawConfigPath();
+  
+  try {
+    if (fs.existsSync(configPath)) {
+      const content = fs.readFileSync(configPath, 'utf8');
+      return JSON.parse(content);
+    }
+  } catch (error) {
+    return null;
+  }
+  
+  return null;
+}
+
+function checkGatewayExposure(config) {
+  out.heading('Gateway Port Exposure Check');
+  
+  const issues = [];
+  
+  if (!config) {
+    out.warning('Could not read openclaw.json configuration');
+    out.text('Checking default gateway port (18789) accessibility...');
+  }
+  
+  const port = config?.gateway?.port || 18789;
+  const host = config?.gateway?.host || '127.0.0.1';
+  
+  out.keyValue('Gateway Port', port.toString());
+  out.keyValue('Gateway Host', host);
+  
+  if (host === '0.0.0.0' || host === '::') {
+    issues.push({
+      severity: 'critical',
+      message: 'Gateway is bound to 0.0.0.0 - accessible from all network interfaces',
+      recommendation: 'Bind to 127.0.0.1 or localhost only for security'
+    });
+    out.critical('Gateway is exposed to all network interfaces!');
+  } else if (host === '127.0.0.1' || host === 'localhost') {
+    out.passed('Gateway is bound to localhost only - not exposed externally');
+  } else {
+    issues.push({
+      severity: 'warning',
+      message: `Gateway is bound to ${host} - verify this is intentional`,
+      recommendation: 'Ensure this is an expected configuration'
+    });
+    out.warning(`Gateway bound to non-default host: ${host}`);
+  }
+  
+  if (config?.gateway?.token === undefined || config?.gateway?.token === null || config?.gateway?.token === '') {
+    issues.push({
+      severity: 'critical',
+      message: 'No gateway token configured - authentication is disabled!',
+      recommendation: 'Set a strong gateway token in config'
+    });
+    out.critical('No gateway token configured! Anyone can access your gateway.');
+  } else if (config?.gateway?.token) {
+    if (config.gateway.token.length < 32) {
+      issues.push({
+        severity: 'warning',
+        message: 'Gateway token is shorter than recommended (32+ chars)',
+        recommendation: 'Use a longer, random token for better security'
+      });
+      out.warning('Gateway token is shorter than recommended');
+    } else {
+      out.passed('Gateway token is configured');
+    }
+  }
+  
+  return {
+    port,
+    host,
+    issues,
+    exposed: host === '0.0.0.0' || host === '::'
+  };
+}
+
+function checkDMPolicy(config) {
+  out.heading('Direct Message Policy Check');
+  
+  const dmPolicy = config?.channels?.dmScope || config?.dmScope || 'main';
+  
+  out.keyValue('DM Policy', dmPolicy);
+  
+  if (dmPolicy === 'all') {
+    out.critical('DM policy set to "all" - messages from any user trigger responses');
+    out.text('This allows anyone to send messages to your agent!');
+    out.text('Recommendation: Set to "pairing" or "allowlist"');
+    return { severity: 'critical', policy: dmPolicy, issues: ['DM policy too permissive'] };
+  } else if (dmPolicy === 'main') {
+    out.passed('DM policy is set to "main" - only existing conversations active');
+    return { severity: 'passed', policy: dmPolicy, issues: [] };
+  } else if (dmPolicy === 'pairing') {
+    out.passed('DM policy is set to "pairing" - users must be approved first');
+    return { severity: 'passed', policy: dmPolicy, issues: [] };
+  } else if (dmPolicy === 'allowlist') {
+    out.passed('DM policy is set to "allowlist" - only approved users can interact');
+    return { severity: 'passed', policy: dmPolicy, issues: [] };
+  } else {
+    out.warning(`Unknown DM policy: ${dmPolicy}`);
+    return { severity: 'warning', policy: dmPolicy, issues: [`Unknown DM policy: ${dmPolicy}`] };
+  }
+}
+
+function checkToolsPermissions(config) {
+  out.heading('Tools & Permissions Check');
+  
+  const toolsProfile = config?.tools?.profile || 'full';
+  
+  out.keyValue('Tools Profile', toolsProfile);
+  
+  const issues = [];
+  
+  if (toolsProfile === 'full') {
+    issues.push({
+      severity: 'warning',
+      message: 'Tools profile is set to "full" - agent has maximum permissions',
+      recommendation: 'Consider using "messaging" profile for general use'
+    });
+    out.warning('Tools profile is "full" - maximum permissions granted');
+  } else if (toolsProfile === 'messaging') {
+    out.passed('Tools profile is "messaging" - safe default permissions');
+  } else if (toolsProfile === 'minimal') {
+    out.passed('Tools profile is "minimal" - restricted permissions');
+  } else {
+    out.warning(`Unknown tools profile: ${toolsProfile}`);
+  }
+  
+  const dangerousTools = [];
+  if (config?.tools?.allowed?.includes('exec') || toolsProfile === 'full') {
+    dangerousTools.push('exec (shell commands)');
+  }
+  if (config?.tools?.allowed?.includes('browser') || toolsProfile === 'full') {
+    dangerousTools.push('browser (web browsing)');
+  }
+  if (config?.tools?.allowed?.includes('read') || toolsProfile === 'full') {
+    dangerousTools.push('read (file system access)');
+  }
+  if (config?.tools?.allowed?.includes('write') || toolsProfile === 'full') {
+    dangerousTools.push('write (file system modification)');
+  }
+  
+  if (dangerousTools.length > 0 && toolsProfile !== 'full') {
+    out.text('Dangerous tools enabled:');
+    dangerousTools.forEach(tool => {
+      out.text(`  - ${tool}`);
+    });
+  }
+  
+  return { profile: toolsProfile, issues, dangerousTools };
+}
+
+function checkSecrets(config) {
+  out.heading('Secrets & API Keys Check');
+  
+  const secrets = config?.secrets || config?.apiKeys || {};
+  
+  const hasOpenAI = !!secrets?.OPENAI_API_KEY;
+  const hasAnthropic = !!secrets?.ANTHROPIC_API_KEY || !!secrets?.CLAUDE_API_KEY;
+  const hasGemini = !!secrets?.GEMINI_API_KEY;
+  
+  if (hasOpenAI || hasAnthropic || hasGemini) {
+    out.warning('API keys are stored in openclaw.json config file');
+    out.text('Consider using environment variables or a secrets manager instead');
+    out.text('API keys in config files can be accidentally committed to git');
+  }
+  
+  const issues = [];
+  if (Object.keys(secrets).length > 0) {
+    issues.push({
+      severity: 'warning',
+      message: `${Object.keys(secrets).length} API key(s) found in config`,
+      recommendation: 'Use environment variables or secrets manager'
+    });
+  }
+  
+  return { secrets, issues, hasOpenAI, hasAnthropic, hasGemini };
+}
+
+function check(config) {
+  const results = {
+    gateway: checkGatewayExposure(config),
+    dmPolicy: checkDMPolicy(config),
+    tools: checkToolsPermissions(config),
+    secrets: checkSecrets(config)
+  };
+  
+  return results;
+}
+
+module.exports = { check, getOpenClawConfigPath, getConfigFromFile, checkGatewayExposure, checkDMPolicy, checkToolsPermissions, checkSecrets };

package/src/checks/cve.js

@@ -0,0 +1,115 @@
+const fetch = require('node-fetch');
+const out = require('../utils/output');
+
+const NVD_API_URL = 'https://services.nvd.nist.gov/rest/json/cves/2.0';
+
+const KNOWN_CVES = [
+  { id: 'CVE-2026-25253', severity: 'HIGH', cvss: 8.8, description: 'WebSocket token exfiltration - Remote Code Execution' },
+  { id: 'CVE-2026-24763', severity: 'HIGH', cvss: 8.8, description: 'Docker sandbox bypass via PATH manipulation' },
+  { id: 'CVE-2026-33579', severity: 'HIGH', cvss: 8.1, description: 'Privilege escalation via /pair approve' },
+  { id: 'CVE-2026-28446', severity: 'HIGH', cvss: 9.8, description: 'Voice RCE affecting 42,000 instances' },
+  { id: 'CVE-2026-44113', severity: 'HIGH', cvss: 8.3, description: 'TOCTOU race condition in OpenShell filesystem bridge' },
+  { id: 'CVE-2026-25157', severity: 'MEDIUM', cvss: 7.5, description: 'SSH node command injection' },
+  { id: 'CVE-2026-25593', severity: 'MEDIUM', cvss: 6.5, description: 'Authentication bypass on untrusted LANs' },
+  { id: 'CVE-2026-25475', severity: 'MEDIUM', cvss: 5.3, description: 'Gateway configuration exposure' },
+  { id: 'CVE-2026-32302', severity: 'MEDIUM', cvss: 6.1, description: 'WebSocket Origin Validation Bypass' },
+  { id: 'CVE-2026-26327', severity: 'MEDIUM', cvss: 7.1, description: 'Auth bypass via rogue service advertisements' }
+];
+
+const VULNERABLE_BEFORE = {
+  'CVE-2026-25253': '2026.1.29',
+  'CVE-2026-24763': '2026.1.30',
+  'CVE-2026-33579': '2026.3.28',
+  'CVE-2026-28446': '2026.2.12',
+  'CVE-2026-44113': '2026.4.22',
+  'CVE-2026-25157': '2026.1.25',
+  'CVE-2026-25593': '2026.1.30',
+  'CVE-2026-25475': '2026.1.30',
+  'CVE-2026-32302': '2026.3.11',
+  'CVE-2026-26327': '2026.1.30'
+};
+
+function compareVersions(installed, vulnerable) {
+  const iParts = installed.split('.').map(Number);
+  const vParts = vulnerable.split('.').map(Number);
+  
+  for (let i = 0; i < 3; i++) {
+    if ((iParts[i] || 0) < (vParts[i] || 0)) return -1;
+    if ((iParts[i] || 0) > (vParts[i] || 0)) return 1;
+  }
+  return 0;
+}
+
+async function check(installedVersion) {
+  out.heading('CVE Vulnerability Check');
+  
+  if (!installedVersion || installedVersion === 'unknown') {
+    out.warning('Cannot check CVEs without knowing the installed version');
+    out.text('Run: clawshield doctor to detect your OpenClaw version first');
+    return { cves: [], vulnerable: false };
+  }
+  
+  out.keyValue('Your Version', installedVersion);
+  out.text('');
+  
+  const affected = [];
+  const fixed = [];
+  
+  for (const cve of KNOWN_CVES) {
+    const fixedVersion = VULNERABLE_BEFORE[cve.id];
+    if (!fixedVersion) continue;
+    
+    if (compareVersions(installedVersion, fixedVersion) < 0) {
+      affected.push(cve);
+    } else {
+      fixed.push(cve);
+    }
+  }
+  
+  if (affected.length > 0) {
+    out.critical(`FOUND ${affected.length} VULNERABILITIES!`);
+    out.text('');
+    
+    affected.forEach(cve => {
+      console.log(`  ${out.COLORS.critical('●')} ${out.COLORS.error(cve.id)} ${out.COLORS.dim(`CVSS ${cve.cvss}`)}`);
+      console.log(`    ${cve.description}`);
+      console.log(`    ${out.COLORS.warning('Fixed in:')} v${VULNERABLE_BEFORE[cve.id]}`);
+      console.log('');
+    });
+    
+    out.text('URGENT: Update OpenClaw immediately!');
+    out.text('Run: openclaw upgrade or npm update -g openclaw');
+  } else {
+    out.passed(`No known vulnerabilities in version ${installedVersion}`);
+  }
+  
+  if (fixed.length > 0 && affected.length === 0) {
+    out.text('');
+    out.info(`${fixed.length} older vulnerabilities were detected but are now fixed`);
+  }
+  
+  return {
+    cves: affected,
+    fixed,
+    vulnerable: affected.length > 0,
+    count: affected.length
+  };
+}
+
+async function getCVEFromNVD(cveId) {
+  try {
+    const response = await fetch(`${NVD_API_URL}?cveId=${cveId}`, {
+      headers: { 'User-Agent': 'ClawShield-Security-Tool' }
+    });
+    
+    if (response.ok) {
+      const data = await response.json();
+      return data.vulnerabilities?.[0]?.cve;
+    }
+  } catch (error) {
+    out.error(`Failed to fetch CVE from NVD: ${error.message}`);
+  }
+  return null;
+}
+
+module.exports = { check, getCVEFromNVD, KNOWN_CVES, VULNERABLE_BEFORE };