npm - whitzard-claw - Versions diffs - 1.0.0 - Mend

whitzard-claw 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (91) hide show

package/README.md +89 -0
package/bin/whitzard-tui.js +73 -0
package/bin/whitzard-webui.js +67 -0
package/dist/tui/tui.js +38733 -0
package/dist/webui/index.html +1235 -0
package/dist/webui/server.js +876 -0
package/ioc/c2-ips.txt +25 -0
package/ioc/file-hashes.txt +13 -0
package/ioc/malicious-domains.txt +46 -0
package/ioc/malicious-hashes.txt +5 -0
package/ioc/malicious-publishers.txt +34 -0
package/ioc/malicious-skill-patterns.txt +87 -0
package/package.json +50 -0
package/scripts/check/access_control.sh +183 -0
package/scripts/check/credential_storage.sh +222 -0
package/scripts/check/execution_sandbox.sh +502 -0
package/scripts/check/memory_poisoning.sh +334 -0
package/scripts/check/network_exposure.sh +479 -0
package/scripts/check/resource_cost.sh +182 -0
package/scripts/check/supply_chain.sh +553 -0
package/scripts/repair/access_control/_common.sh +249 -0
package/scripts/repair/access_control/check_1.sh +28 -0
package/scripts/repair/access_control/check_2.sh +27 -0
package/scripts/repair/access_control/check_3.sh +23 -0
package/scripts/repair/access_control/check_4.sh +23 -0
package/scripts/repair/access_control/check_5.sh +20 -0
package/scripts/repair/credential_storage/_common.sh +277 -0
package/scripts/repair/credential_storage/check_1.sh +47 -0
package/scripts/repair/credential_storage/check_2.sh +35 -0
package/scripts/repair/credential_storage/check_3.sh +53 -0
package/scripts/repair/credential_storage/logs/security-scan.log +15 -0
package/scripts/repair/execution_sandbox/_common.sh +302 -0
package/scripts/repair/execution_sandbox/check_1.sh +67 -0
package/scripts/repair/execution_sandbox/check_10.sh +23 -0
package/scripts/repair/execution_sandbox/check_11.sh +34 -0
package/scripts/repair/execution_sandbox/check_12.sh +38 -0
package/scripts/repair/execution_sandbox/check_13.sh +29 -0
package/scripts/repair/execution_sandbox/check_2.sh +46 -0
package/scripts/repair/execution_sandbox/check_3.sh +37 -0
package/scripts/repair/execution_sandbox/check_4.sh +23 -0
package/scripts/repair/execution_sandbox/check_5.sh +28 -0
package/scripts/repair/execution_sandbox/check_6.sh +17 -0
package/scripts/repair/execution_sandbox/check_7.sh +17 -0
package/scripts/repair/execution_sandbox/check_8.sh +17 -0
package/scripts/repair/execution_sandbox/check_9.sh +17 -0
package/scripts/repair/execution_sandbox/logs/security-scan.log +10 -0
package/scripts/repair/memory_poisoning/_common.sh +336 -0
package/scripts/repair/memory_poisoning/check_1.sh +51 -0
package/scripts/repair/memory_poisoning/check_2.sh +26 -0
package/scripts/repair/memory_poisoning/check_3.sh +24 -0
package/scripts/repair/memory_poisoning/check_4.sh +27 -0
package/scripts/repair/memory_poisoning/check_5.sh +20 -0
package/scripts/repair/network_exposure/_common.sh +330 -0
package/scripts/repair/network_exposure/check_1.sh +86 -0
package/scripts/repair/network_exposure/check_10.sh +16 -0
package/scripts/repair/network_exposure/check_11.sh +31 -0
package/scripts/repair/network_exposure/check_12.sh +24 -0
package/scripts/repair/network_exposure/check_2.sh +26 -0
package/scripts/repair/network_exposure/check_3.sh +43 -0
package/scripts/repair/network_exposure/check_4.sh +23 -0
package/scripts/repair/network_exposure/check_5.sh +16 -0
package/scripts/repair/network_exposure/check_6.sh +98 -0
package/scripts/repair/network_exposure/check_7.sh +35 -0
package/scripts/repair/network_exposure/check_8.sh +19 -0
package/scripts/repair/network_exposure/check_9.sh +19 -0
package/scripts/repair/resource_cost/_common.sh +303 -0
package/scripts/repair/resource_cost/check_1.sh +16 -0
package/scripts/repair/resource_cost/check_2.sh +16 -0
package/scripts/repair/resource_cost/check_3.sh +23 -0
package/scripts/repair/supply_chain/_common.sh +222 -0
package/scripts/repair/supply_chain/check_1.sh +95 -0
package/scripts/repair/supply_chain/check_10.sh +60 -0
package/scripts/repair/supply_chain/check_11.sh +63 -0
package/scripts/repair/supply_chain/check_12.sh +36 -0
package/scripts/repair/supply_chain/check_13.sh +44 -0
package/scripts/repair/supply_chain/check_14.sh +33 -0
package/scripts/repair/supply_chain/check_15.sh +33 -0
package/scripts/repair/supply_chain/check_16.sh +34 -0
package/scripts/repair/supply_chain/check_17.sh +61 -0
package/scripts/repair/supply_chain/check_18.sh +62 -0
package/scripts/repair/supply_chain/check_2.sh +93 -0
package/scripts/repair/supply_chain/check_3.sh +78 -0
package/scripts/repair/supply_chain/check_4.sh +72 -0
package/scripts/repair/supply_chain/check_5.sh +73 -0
package/scripts/repair/supply_chain/check_6.sh +81 -0
package/scripts/repair/supply_chain/check_7.sh +52 -0
package/scripts/repair/supply_chain/check_8.sh +71 -0
package/scripts/repair/supply_chain/check_9.sh +78 -0
package/scripts/repair/supply_chain/logs/security-scan.log +77 -0
package/scripts/scan.sh +228 -0
package/webui/index.html +1235 -0

package/scripts/scan.sh ADDED Viewed

@@ -0,0 +1,228 @@
+#!/bin/bash
+# Exit codes: 0=SECURE, 1=WARNINGS, 2=COMPROMISED
+set -uo pipefail
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+PROJECT_DIR="$(dirname "$SCRIPT_DIR")"
+IOC_DIR="$PROJECT_DIR/ioc"
+SELF_DIR_NAME="$(basename "$PROJECT_DIR")"
+# Default OpenClaw paths - Use environment variable or default to user's home
+OPENCLAW_DIR="${OPENCLAW_HOME:-$HOME/.openclaw}"
+SKILLS_DIR="$OPENCLAW_DIR/workspace/skills"
+WORKSPACE_DIR="$OPENCLAW_DIR/workspace"
+LOG_DIR="$PROJECT_DIR/logs"
+LOG_FILE="$LOG_DIR/security-scan.log"
+TIMESTAMP="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
+# Set PATH for Linux systems (adjust as needed for your environment)
+export PATH="$HOME/.local/bin:/usr/local/bin:/usr/bin:$PATH"
+# Overall counters
+CRITICAL=0
+WARNINGS=0
+CLEAN=0
+# Per-category counters
+CATEGORY_NAME=""
+CATEGORY_TOTAL_CHECKS=0
+CATEGORY_CRITICAL=0
+CATEGORY_WARNINGS=0
+CATEGORY_CLEAN=0
+mkdir -p "$LOG_DIR"
+log() {
+    echo "$1" | tee -a "$LOG_FILE"
+}
+header() {
+    # Usage: header <new_index> <message>
+    log ""
+    log "[$1/$CATEGORY_TOTAL_CHECKS] $2"
+}
+result_clean() {
+    log "CLEAN: $1"
+    CLEAN=$((CLEAN + 1))
+    CATEGORY_CLEAN=$((CATEGORY_CLEAN + 1))
+}
+result_warn() {
+    log "WARNING: $1"
+    WARNINGS=$((WARNINGS + 1))
+    CATEGORY_WARNINGS=$((CATEGORY_WARNINGS + 1))
+}
+result_critical() {
+    log "CRITICAL: $1"
+    CRITICAL=$((CRITICAL + 1))
+    CATEGORY_CRITICAL=$((CATEGORY_CRITICAL + 1))
+}
+category_start() {
+    # Usage: category_start <name> <total_checks>
+    CATEGORY_NAME="$1"
+    CATEGORY_TOTAL_CHECKS="$2"
+    CATEGORY_CRITICAL=0
+    CATEGORY_WARNINGS=0
+    CATEGORY_CLEAN=0
+    log ""
+    log "----------------------------------------"
+    log "CATEGORY START: $CATEGORY_NAME ($CATEGORY_TOTAL_CHECKS checks)"
+    log "----------------------------------------"
+}
+category_end() {
+    log ""
+    log "CATEGORY SUMMARY: $CATEGORY_NAME"
+    log "  critical: $CATEGORY_CRITICAL"
+    log "  warning : $CATEGORY_WARNINGS"
+    log "  clean   : $CATEGORY_CLEAN"
+    log "----------------------------------------"
+}
+# Use timeout if available (macOS may only have gtimeout via coreutils)
+TIMEOUT_BIN=""
+if command -v timeout >/dev/null 2>&1; then
+    TIMEOUT_BIN="timeout"
+elif command -v gtimeout >/dev/null 2>&1; then
+    TIMEOUT_BIN="gtimeout"
+fi
+run_with_timeout() {
+    local secs="$1"
+    shift
+    if [ -n "$TIMEOUT_BIN" ]; then
+        "$TIMEOUT_BIN" "$secs" "$@"
+    elif command -v python3 >/dev/null 2>&1; then
+        python3 - "$secs" "$@" <<'PY'
+import subprocess
+import sys
+def main():
+    try:
+        secs = float(sys.argv[1])
+    except Exception:
+        secs = 0
+    cmd = sys.argv[2:]
+    if not cmd:
+        sys.exit(1)
+    try:
+        proc = subprocess.Popen(cmd)
+        try:
+            proc.wait(timeout=secs if secs > 0 else None)
+        except subprocess.TimeoutExpired:
+            proc.kill()
+            proc.wait()
+            sys.exit(124)
+        sys.exit(proc.returncode if proc.returncode is not None else 0)
+    except FileNotFoundError:
+        sys.exit(127)
+if __name__ == "__main__":
+    main()
+PY
+    else
+        "$@"
+    fi
+}
+# Load IOC data
+load_ips() {
+    if [ -f "$IOC_DIR/c2-ips.txt" ]; then
+        grep -v '^#' "$IOC_DIR/c2-ips.txt" | grep -v '^$' | cut -d'|' -f1
+    else
+        echo "91.92.242"
+    fi
+}
+load_domains() {
+    if [ -f "$IOC_DIR/malicious-domains.txt" ]; then
+        grep -v '^#' "$IOC_DIR/malicious-domains.txt" | grep -v '^$' | cut -d'|' -f1
+    else
+        echo "webhook.site"
+    fi
+}
+log "========================================"
+log "OPENCLAW SECURITY SCAN - $TIMESTAMP"
+log "========================================"
+log "PROJECT_DIR  : $PROJECT_DIR"
+log "OPENCLAW_DIR : $OPENCLAW_DIR"
+log "SKILLS_DIR   : $SKILLS_DIR"
+log "WORKSPACE_DIR: $WORKSPACE_DIR"
+log "LOG_FILE     : $LOG_FILE"
+# ============================================================
+# CATEGORY 1: NETWORK GATEWAY
+# ============================================================
+category_start "NETWORK_EXPOSURE" 12
+source "$SCRIPT_DIR/check/network_exposure.sh"
+category_end
+# ============================================================
+# CATEGORY 2: ACCESS CONTROL
+# ============================================================
+category_start "ACCESS_CONTROL" 5
+source "$SCRIPT_DIR/check/access_control.sh"
+category_end
+# ============================================================
+# CATEGORY 3: EXECUTION SANDBOX
+# ============================================================
+category_start "EXECUTION_SANDBOX" 13
+source "$SCRIPT_DIR/check/execution_sandbox.sh"
+category_end
+# ============================================================
+# CATEGORY 4: CREDENTIAL STORAGE
+# ============================================================
+category_start "CREDENTIAL_STORAGE" 3
+source "$SCRIPT_DIR/check/credential_storage.sh"
+category_end
+# ============================================================
+# CATEGORY 5: MEMORY POISONING
+# ============================================================
+category_start "MEMORY_POISONING" 5
+source "$SCRIPT_DIR/check/memory_poisoning.sh"
+category_end
+# ============================================================
+# CATEGORY 6: SUPPLY CHAIN
+# ============================================================
+category_start "SUPPLY_CHAIN" 18
+source "$SCRIPT_DIR/check/supply_chain.sh"
+category_end
+# ============================================================
+# CATEGORY 7: RESOURCE COST
+# ============================================================
+category_start "RESOURCE_COST" 3
+source "$SCRIPT_DIR/check/resource_cost.sh"
+category_end
+# ============================================================
+# FINAL SUMMARY
+# ============================================================
+log ""
+log "========================================"
+log "SCAN COMPLETE: $CRITICAL critical, $WARNINGS warnings, $CLEAN clean"
+log "========================================"
+if [ "$CRITICAL" -gt 0 ]; then
+    log "STATUS: COMPROMISED - Immediate action required"
+    exit 2
+elif [ "$WARNINGS" -gt 0 ]; then
+    log "STATUS: ATTENTION - Review warnings"
+    exit 1
+else
+    log "STATUS: SECURE"
+    exit 0
+fi