whitzard-claw 1.0.0

package/ioc/c2-ips.txt

@@ -0,0 +1,25 @@
+# OpenClaw Known C2 IP Addresses
+# Source: Koi Security ClawHavoc report, VirusTotal, community reports, Hudson Rock, Antiy CERT, Oasis Security
+# Format: IP|campaign|first_seen|notes
+# Last updated: 2026-03-06
+#
+# Usage: grep patterns in this file match network connections and skill content
+
+# ClawHavoc primary C2 (AMOS stealer delivery) - expanded to 824+ skills
+91.92.242.30|clawhavoc|2026-01-27|Primary AMOS C2, 824+ skills (up from 335)
+95.92.242.30|clawhavoc|2026-01-27|Secondary C2
+96.92.242.30|clawhavoc|2026-01-27|Secondary C2
+
+# Reverse shell endpoint
+54.91.154.110|clawhavoc-revshell|2026-01-28|Reverse shell target port 13338
+
+# Payload distribution
+202.161.50.59|clawhavoc|2026-01-28|Payload staging
+
+# Vidar infostealer campaign (Hudson Rock, Feb 13 2026)
+# Note: Vidar C2 uses fast-flux DNS; monitor for connections to
+# known Vidar infrastructure patterns rather than static IPs.
+# These IPs are associated with Vidar credential exfil endpoints.
+
+# Catch-all pattern for the 91.92.242.x range
+# 91.92.242.*|clawhavoc-range|2026-01-27|Entire /24 suspect

package/ioc/file-hashes.txt

@@ -0,0 +1,13 @@
+# OpenClaw Known Malicious File Hashes (SHA-256)
+# Source: Koi Security, VirusTotal
+# Format: hash|filename|platform|family|notes
+
+# Windows AMOS loader
+17703b3d5e8e1fe69d6a6c78a240d8c84b32465fe62bed5610fb29335fe42283|openclaw-agent.exe|windows|amos-loader|Packed trojan, ClawHavoc
+
+# macOS AMOS stealer variants
+1e6d4b0538558429422b71d1f4d724c8ce31be92d299df33a8339e32316e2298|x5ki60w1ih838sp7|macos|amos|Mach-O universal binary, 16 VT detections
+0e52566ccff4830e30ef45d2ad804eefba4ffe42062919398bf1334aab74dd65|unknown|macos|amos|AMOS variant
+
+# Malicious skill archive
+79e8f3f7a6113773cdbced2c7329e6dbb2d0b8b3bf5a18c6c97cb096652bc1f2|skill-archive|any|clawhavoc|Malicious skill package

package/ioc/malicious-domains.txt

@@ -0,0 +1,46 @@
+# OpenClaw Known Malicious Domains
+# Source: Koi Security, VirusTotal, Snyk research, Endor Labs, Oasis Security, Huntress
+# Format: domain|type|campaign|notes
+# Last updated: 2026-03-06
+
+# Payload hosting
+install.app-distribution.net|payload|clawhavoc|AMOS installer distribution
+glot.io|payload-host|clawhavoc|Base64-obfuscated shell scripts (legitimate service abused)
+
+# Exfiltration
+webhook.site|exfil|generic|Data exfiltration webhook service
+pipedream.net|exfil|generic|Data exfiltration
+requestbin.com|exfil|generic|Data exfiltration
+hookbin.com|exfil|generic|Data exfiltration
+burpcollaborator.net|exfil|generic|Pentest tool (suspicious in skills)
+ngrok.io|exfil|generic|Tunneling service for exfiltration
+interact.sh|exfil|generic|OAST tool for exfiltration
+
+# Moltbook infrastructure (CSA report - monitor for agent-to-agent poisoning)
+moltbook.com|monitor|csa-report|AI agent social network - monitor for credential exposure and content poisoning
+
+# Fake distribution & decoy domains
+github.com/hedefbari|payload|clawhavoc|Attacker GitHub - openclaw-agent.zip
+github.com/Ddoy233|payload|opensourcemalware|GitHub repo openclawcli - Windows infostealer
+download.setup-service.com|decoy|clawhavoc|Decoy domain string in bash payload scripts
+open-meteo.com|data-cover|bloom-campaign|Legitimate weather API abused as cover for exfiltration (skill: reddit-trends)
+
+# Vidar infostealer infrastructure (Hudson Rock, Feb 13 2026)
+# Vidar uses fast-flux DNS; these are known distribution and panel domains
+# targeting OpenClaw config directories (openclaw.json, device.json, soul.md)
+
+# Log poisoning injection endpoints (Eye Security, Feb 2026)
+# Injected via WebSocket Origin/User-Agent headers into gateway logs
+# Pattern: attacker-controlled domains appearing in log files
+
+# VirusTotal scanning integration bypass attempts
+# Skills trying to evade SHA-256 hash scanning via dynamic generation
+
+# Fake OpenClaw installer infrastructure (Huntress, Feb-Mar 2026)
+# GhostSocks proxy malware + Vidar stealer distributed via fake GitHub repos
+# Bing AI search results poisoned to promote these malicious repos
+github.com/openclaw-installer|fake-installer|ghostsocks|Fake OpenClaw installer - GhostSocks + Vidar (Huntress, removed Feb 10)
+
+# Stealth Packer C2 infrastructure (Huntress, Feb 2026)
+# Rust-based malware loaders that inject infostealers in memory
+# Vidar payloads contact Telegram/Steam profiles for C2 data

package/ioc/malicious-hashes.txt

@@ -0,0 +1,5 @@
+# sha256|campaign
+# Known malicious OpenClaw skill file hashes
+
+e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855|clawhavoc-empty-payload
+a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2|clawhavoc-exfiltrator

package/ioc/malicious-publishers.txt

@@ -0,0 +1,34 @@
+# Known Malicious ClawHub / GitHub Publishers
+# Sources: Koi Security, VirusTotal, Bloom Security/JFrog, Snyk, OpenSourceMalware, Antiy CERT, Flare
+# Format: username|skill_count|campaign|notes
+# Last updated: 2026-03-06
+
+# ClawHavoc campaign (Koi Security + Antiy CERT update)
+# Campaign expanded from 341 to 824+ skills, 1,184 malicious packages across 12 accounts
+hightower6eu|354|clawhavoc|Primary ClawHavoc publisher, crypto/finance/social lures (up from 314)
+sakaen736jih|199|clawhavoc|Automated submissions one every few minutes, second largest operator
+davidsmorais|mixed|clawhavoc-takeover|Established 2016 account - suspected account takeover, mix of clean/malicious
+
+# Bloom Security / JFrog campaign (3 distinct campaigns, 37 skills)
+zaycv|multiple|bloom-campaign|ClawHub + GitHub publisher of malicious skills
+noreplyboter|2|bloom-campaign|Published polymarket-all-in-one, better-polymarket (reverse shells)
+rjnpage|1|bloom-campaign|Published rankaj (.env credential exfiltration via webhook)
+aslaep123|multiple|bloom-campaign|Published reddit-trends (silent .env exfiltration)
+gpaitai|multiple|bloom-campaign|GitHub account distributing malicious skills
+lvy19811120-gif|multiple|bloom-campaign|GitHub account distributing malicious skills
+
+# Snyk ToxicSkills campaign (Feb 5, 2026)
+# 76 confirmed malicious payloads out of 3,984 scanned skills
+# 8 malicious skills still publicly available at time of disclosure
+clawdhub1|~100|snyk-clawdhub|Active variant of removed clawhub typosquat, drops reverse shells
+
+# Snyk / OpenSourceMalware campaign
+Ddoy233|1|opensourcemalware|GitHub repo openclawcli - Windows infostealer in password-protected ZIP
+
+# GitHub accounts hosting malicious payloads
+hedefbari|1|clawhavoc|GitHub hosting openclaw-agent.zip
+
+# Fake OpenClaw installer campaign (Huntress, Feb-Mar 2026)
+# Bing AI search poisoning promoted these repos to top results
+# Distributed GhostSocks proxy malware + Vidar stealer via Stealth Packer
+openclaw-installer|fake-repo|ghostsocks-vidar|GitHub fake installer repo (removed Feb 10, Huntress)

package/ioc/malicious-skill-patterns.txt

@@ -0,0 +1,87 @@
+# Malicious Skill Name Patterns
+# These patterns match known malicious skill naming conventions
+# Sources: Koi Security, Bloom Security/JFrog, Snyk, OpenSourceMalware, Antiy CERT, Endor Labs
+# Format: pattern|category|notes
+# Last updated: 2026-03-06
+
+# ClawHub typosquats (28 variants found)
+^clawhub[0-9]*$|typosquat|clawhub misspelling
+^clawhubb$|typosquat|double-b
+^clawwhub$|typosquat|double-w
+^cllawhub$|typosquat|double-l
+^clawhubcli$|typosquat|fake CLI
+^claw-hub$|typosquat|hyphenated
+^clawhubb?-cli$|typosquat|CLI variant
+
+# Crypto lures (111+ skills)
+solana-wallet|crypto-lure|solana wallet variants
+phantom-wallet|crypto-lure|phantom wallet variants
+wallet-tracker|crypto-lure|generic wallet tracker
+bybit-agent|crypto-lure|exchange bot
+base-agent|crypto-lure|Base chain bot
+eth-gas-track|crypto-lure|gas tracker lures
+
+# Prediction market lures (34 skills)
+polymarket|prediction-lure|polymarket variants
+better-polymarket|prediction-lure|specific malicious name
+
+# YouTube lures (57 skills)
+youtube-summarize|youtube-lure|summarizer variants
+youtube-.*-pro$|youtube-lure|pro suffix pattern
+
+# Auto-updater lures (28 skills)
+auto-updat|updater-lure|fake updater skills
+
+# Finance lures (51 skills)
+yahoo-finance|finance-lure|finance data lures
+stock-track|finance-lure|stock tracker
+
+# Google workspace lures (17 skills)
+google-workspace|gworkspace-lure|workspace integration lures
+gmail-|gworkspace-lure|gmail tool lures
+gdrive-|gworkspace-lure|drive tool lures
+
+# Known specific malicious skill names (Bloom Security/JFrog, Snyk)
+^rankaj$|exfil-skill|.env credential exfiltration via webhook (rjnpage)
+^reddit-trends$|exfil-skill|Silent .env exfil disguised as weather/reddit tool (aslaep123)
+^polymarket-all-in-one$|reverse-shell|Contains reverse shell backdoor (noreplyboter)
+^linkedin-job-application$|exfil-skill|Job application lure skill (bloom-campaign)
+^openclawcli$|malware-installer|Windows infostealer in password-protected ZIP (Ddoy233)
+^clawdhub1$|typosquat|Active variant of clawhub typosquat (~100 installations)
+
+# Social media / job lures (Bloom Security)
+reddit-|social-lure|Reddit tool lures
+linkedin-|social-lure|LinkedIn tool lures
+twitter-|social-lure|Twitter/X tool lures
+
+# NEW categories discovered Feb 2026 (Antiy CERT, Snyk ToxicSkills)
+# Browser automation agent lures
+browser-automat|browser-lure|Browser automation agent lures
+web-scrape|browser-lure|Web scraping tool lures
+
+# Coding agent lures
+coding-agent|coding-lure|Coding assistant lures
+code-review|coding-lure|Code review tool lures
+
+# PDF tool lures
+pdf-convert|pdf-lure|PDF conversion tool lures
+pdf-extract|pdf-lure|PDF extraction tool lures
+
+# Fake security scanning skills (ironic camouflage)
+security-scan|security-lure|Fake security scanners that are themselves malicious
+virus-scan|security-lure|Fake antivirus/scanning tools
+
+# WhatsApp integration lures
+whatsapp-|messaging-lure|WhatsApp integration lures
+telegram-bot|messaging-lure|Telegram bot lures
+
+# Fake installer lures (Huntress, Mar 2026 - Bing AI search poisoning)
+openclaw-install|fake-installer|Fake OpenClaw installer (GhostSocks/Vidar)
+openclaw-setup|fake-installer|Fake setup scripts
+openclaw-windows|fake-installer|Windows-specific fake installer
+openclaw-mac|fake-installer|macOS-specific fake installer
+
+# Voice-call/telephony lures (post CVE-2026-28446 wave)
+voice-call|voice-lure|Voice/telephony integration lures
+voice-agent|voice-lure|Voice agent lures
+phone-|voice-lure|Phone integration lures

package/package.json

@@ -0,0 +1,50 @@
+{
+  "name": "whitzard-claw",
+  "version": "1.0.0",
+  "description": "Whitzard-Claw Security Assistant",
+  "type": "module",
+  "bin": {
+    "whitzard-tui": "bin/whitzard-tui.js",
+    "whitzard-webui": "bin/whitzard-webui.js"
+  },
+  "files": [
+    "dist",
+    "scripts",
+    "ioc",
+    "webui/index.html",
+    "bin"
+  ],
+  "scripts": {
+    "build:tui": "cd tui && NODE_ENV=production npx esbuild tui.tsx --bundle --platform=node --target=node18 --format=esm --outfile=../dist/tui/tui.js --external:react-devtools-core --define:self=global --banner:js=\"import { createRequire } from 'module'; const require = createRequire(import.meta.url);\"",
+    "build:webui": "mkdir -p dist/webui && cp webui/server.js dist/webui/ && cp webui/index.html dist/webui/",
+    "build": "npm run build:tui && npm run build:webui",
+    "prepublishOnly": "npm run build",
+    "test": "echo \"No tests specified\" && exit 0"
+  },
+  "keywords": [
+    "security",
+    "scanner",
+    "openclaw",
+    "cli",
+    "tui",
+    "webui"
+  ],
+  "author": "",
+  "license": "MIT",
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "dependencies": {
+    "express": "^4.18.2",
+    "ink": "^6.8.0",
+    "ink-spinner": "^5.0.0",
+    "ink-text-input": "^6.0.0",
+    "react": "^19.2.4"
+  },
+  "devDependencies": {
+    "@types/node": "^25.5.0",
+    "@types/react": "^19.2.14",
+    "esbuild": "^0.21.0",
+    "typescript": "^5.9.3"
+  }
+}

package/scripts/check/access_control.sh

@@ -0,0 +1,183 @@
+# shellcheck shell=bash
+
+# ------------------------------------------------------------
+# Shared helpers
+# ------------------------------------------------------------
+
+OPENCLAW_PRESENT=false
+if command -v openclaw >/dev/null 2>&1; then
+    OPENCLAW_PRESENT=true
+fi
+
+get_oc_config() {
+    # Usage: get_oc_config <key> <default>
+    local key="$1"
+    local default_val="${2:-}"
+    if [ "$OPENCLAW_PRESENT" = true ]; then
+        run_with_timeout 10 openclaw config get "$key" 2>/dev/null || echo "$default_val"
+    else
+        echo "$default_val"
+    fi
+}
+
+normalize_config_val() {
+    local val="${1:-}"
+    case "$val" in
+        null|undefined|"")
+            echo ""
+            ;;
+        *)
+            echo "$val"
+            ;;
+    esac
+}
+
+# ============================================================
+# CHECK 1 (origin 17 / covers AC-001 partially + AC-003 partially)
+# DM Policy Audit
+# ============================================================
+header 1 "Auditing DM access policies..."
+
+DM_ISSUES=0
+
+if [ "$OPENCLAW_PRESENT" = true ]; then
+    for channel in whatsapp telegram discord slack signal; do
+        DM_POLICY="$(normalize_config_val "$(get_oc_config "channels.${channel}.dmPolicy" "")")"
+        if [ "$DM_POLICY" = "open" ]; then
+            result_warn "Channel '$channel' has dmPolicy='open' (anyone can message)"
+            DM_ISSUES=$((DM_ISSUES + 1))
+        fi
+
+        # Keep existing wildcard check strategy as requested
+        ALLOW_FROM="$(normalize_config_val "$(get_oc_config "channels.${channel}.allowFrom" "")")"
+        if echo "$ALLOW_FROM" | grep -qE '"\*"|\[[^]]*\*[^]]*\]|\*' 2>/dev/null; then
+            result_warn "Channel '$channel' has wildcard allowFrom"
+            DM_ISSUES=$((DM_ISSUES + 1))
+        fi
+    done
+else
+    log "  openclaw command not found"
+fi
+
+if [ "$DM_ISSUES" -eq 0 ]; then
+    result_clean "DM policies acceptable"
+fi
+
+# ============================================================
+# CHECK 2 (new / AC-002): Open group policy
+# ============================================================
+header 2 "Checking group access policies..."
+
+GROUP_POLICY_ISSUES=0
+
+if [ "$OPENCLAW_PRESENT" = true ]; then
+    for channel in whatsapp telegram discord slack signal; do
+        GROUP_POLICY="$(normalize_config_val "$(get_oc_config "channels.${channel}.groupPolicy" "")")"
+        if [ "$GROUP_POLICY" = "open" ]; then
+            result_warn "Channel '$channel' has groupPolicy='open' (group members can interact without restrictions)"
+            GROUP_POLICY_ISSUES=$((GROUP_POLICY_ISSUES + 1))
+        fi
+    done
+else
+    log "  openclaw command not found"
+fi
+
+if [ "$GROUP_POLICY_ISSUES" -eq 0 ]; then
+    result_clean "Group policies acceptable"
+fi
+
+# ============================================================
+# CHECK 3 (new / AC-003): Wildcard allowlist
+# ============================================================
+header 3 "Checking channel allowlists for wildcard entries..."
+
+ALLOWLIST_ISSUES=0
+
+if [ "$OPENCLAW_PRESENT" = true ]; then
+    for channel in whatsapp telegram discord slack signal; do
+        ALLOWLIST_VAL="$(normalize_config_val "$(get_oc_config "channels.${channel}.allowlist" "")")"
+        if echo "$ALLOWLIST_VAL" | grep -qE '"\*"|\[[^]]*\*[^]]*\]|\*' 2>/dev/null; then
+            result_warn "Channel '$channel' has wildcard in allowlist"
+            ALLOWLIST_ISSUES=$((ALLOWLIST_ISSUES + 1))
+        fi
+    done
+else
+    log "  openclaw command not found"
+fi
+
+if [ "$ALLOWLIST_ISSUES" -eq 0 ]; then
+    result_clean "Channel allowlists acceptable"
+fi
+
+# ============================================================
+# CHECK 4 (new / AC-004): No pairing and no allowlist
+# ============================================================
+header 4 "Checking channels without pairing or allowlist..."
+
+PAIRING_ALLOWLIST_ISSUES=0
+
+if [ "$OPENCLAW_PRESENT" = true ]; then
+    for channel in whatsapp telegram discord slack signal; do
+        DM_POLICY="$(normalize_config_val "$(get_oc_config "channels.${channel}.dmPolicy" "")")"
+        ALLOWLIST_VAL="$(normalize_config_val "$(get_oc_config "channels.${channel}.allowlist" "")")"
+        ALLOW_FROM_VAL="$(normalize_config_val "$(get_oc_config "channels.${channel}.allowFrom" "")")"
+        GROUP_POLICY="$(normalize_config_val "$(get_oc_config "channels.${channel}.groupPolicy" "")")"
+
+        HAS_ALLOWLIST=false
+        if [ -n "$ALLOWLIST_VAL" ] && [ "$ALLOWLIST_VAL" != "[]" ]; then
+            HAS_ALLOWLIST=true
+        elif [ -n "$ALLOW_FROM_VAL" ] && [ "$ALLOW_FROM_VAL" != "[]" ]; then
+            HAS_ALLOWLIST=true
+        fi
+
+        CHANNEL_CONFIGURED=false
+        if [ -n "$DM_POLICY" ] || [ -n "$GROUP_POLICY" ] || [ -n "$ALLOWLIST_VAL" ] || [ -n "$ALLOW_FROM_VAL" ]; then
+            CHANNEL_CONFIGURED=true
+        fi
+
+        if [ "$CHANNEL_CONFIGURED" = true ] && [ "$DM_POLICY" != "pairing" ] && [ "$HAS_ALLOWLIST" = false ]; then
+            result_warn "Channel '$channel' has no pairing and no allowlist (dmPolicy='${DM_POLICY:-undefined}')"
+            PAIRING_ALLOWLIST_ISSUES=$((PAIRING_ALLOWLIST_ISSUES + 1))
+        fi
+    done
+else
+    log "  openclaw command not found"
+fi
+
+if [ "$PAIRING_ALLOWLIST_ISSUES" -eq 0 ]; then
+    result_clean "Pairing/allowlist protections acceptable"
+fi
+
+# ============================================================
+# CHECK 5 (new / AC-005): Session DM scope isolation
+# ============================================================
+header 5 "Checking session DM scope isolation..."
+
+SESSION_SCOPE_ISSUES=0
+
+if [ "$OPENCLAW_PRESENT" = true ]; then
+    SESSION_DM_SCOPE="$(normalize_config_val "$(get_oc_config "session.dmScope" "")")"
+
+    CHANNEL_COUNT=0
+    for channel in whatsapp telegram discord slack signal; do
+        DM_POLICY="$(normalize_config_val "$(get_oc_config "channels.${channel}.dmPolicy" "")")"
+        GROUP_POLICY="$(normalize_config_val "$(get_oc_config "channels.${channel}.groupPolicy" "")")"
+        ALLOWLIST_VAL="$(normalize_config_val "$(get_oc_config "channels.${channel}.allowlist" "")")"
+        ALLOW_FROM_VAL="$(normalize_config_val "$(get_oc_config "channels.${channel}.allowFrom" "")")"
+
+        if [ -n "$DM_POLICY" ] || [ -n "$GROUP_POLICY" ] || [ -n "$ALLOWLIST_VAL" ] || [ -n "$ALLOW_FROM_VAL" ]; then
+            CHANNEL_COUNT=$((CHANNEL_COUNT + 1))
+        fi
+    done
+
+    if [ "$CHANNEL_COUNT" -gt 1 ] 2>/dev/null && [ "$SESSION_DM_SCOPE" != "per-channel-peer" ]; then
+        result_warn "session.dmScope is '${SESSION_DM_SCOPE:-undefined}' with ${CHANNEL_COUNT} configured channels; DM context may not be isolated per user"
+        SESSION_SCOPE_ISSUES=$((SESSION_SCOPE_ISSUES + 1))
+    fi
+else
+    log "  openclaw command not found"
+fi
+
+if [ "$SESSION_SCOPE_ISSUES" -eq 0 ]; then
+    result_clean "Session DM scope isolation acceptable"
+fi

package/scripts/check/credential_storage.sh

@@ -0,0 +1,222 @@
+# shellcheck shell=bash
+
+# ------------------------------------------------------------
+# Shared helpers
+# ------------------------------------------------------------
+
+get_perm() {
+    local target="$1"
+
+    [ -e "$target" ] || {
+        echo "unknown"
+        return
+    }
+
+    case "$(uname -s)" in
+        Darwin|FreeBSD|OpenBSD|NetBSD)
+            stat -f '%Lp' "$target" 2>/dev/null || echo "unknown"
+            ;;
+        Linux)
+            stat -c '%a' "$target" 2>/dev/null || echo "unknown"
+            ;;
+        *)
+            stat -c '%a' "$target" 2>/dev/null || stat -f '%Lp' "$target" 2>/dev/null || echo "unknown"
+            ;;
+    esac
+}
+
+has_api_key_patterns() {
+    # Return 0 if file contains suspicious API key patterns
+    local target="$1"
+    [ -f "$target" ] || return 1
+
+    if grep -E -q \
+        'sk-ant-[A-Za-z0-9_-]{20,}|sk-proj-[A-Za-z0-9_-]{20,}|sk-[A-Za-z0-9_-]{20,}|xoxb-[A-Za-z0-9_-]{20,}|xoxp-[A-Za-z0-9_-]{20,}' \
+        "$target" 2>/dev/null; then
+        return 0
+    fi
+    return 1
+}
+
+# ============================================================
+# CHECK 1 (origin 21 + CRED-001/002/004/005): Session & Credential Permissions
+# ============================================================
+header 1 "Auditing session and credential file permissions..."
+
+CRED_ISSUES=0
+
+# ---- Check OpenClaw home directory itself
+if [ -d "$OPENCLAW_DIR" ]; then
+    HOME_PERMS="$(get_perm "$OPENCLAW_DIR")"
+    if [ "$HOME_PERMS" != "700" ] && [ "$HOME_PERMS" != "unknown" ]; then
+        result_warn "OpenClaw home dir has permissions $HOME_PERMS (recommended: 700)"
+        CRED_ISSUES=$((CRED_ISSUES + 1))
+    fi
+else
+    result_clean "OpenClaw home directory not found; credential permission check skipped"
+fi
+
+# ---- Check main config file
+CONFIG_FILE="$OPENCLAW_DIR/openclaw.json"
+if [ -f "$CONFIG_FILE" ]; then
+    CONFIG_PERMS="$(get_perm "$CONFIG_FILE")"
+    if [ "$CONFIG_PERMS" != "600" ] && [ "$CONFIG_PERMS" != "unknown" ]; then
+        result_warn "openclaw.json has permissions $CONFIG_PERMS (recommended: 600)"
+        CRED_ISSUES=$((CRED_ISSUES + 1))
+    fi
+fi
+
+# ---- Check credentials directory
+CRED_DIR="$OPENCLAW_DIR/credentials"
+if [ -d "$CRED_DIR" ]; then
+    DIR_PERMS="$(get_perm "$CRED_DIR")"
+    if [ "$DIR_PERMS" != "700" ] && [ "$DIR_PERMS" != "unknown" ]; then
+        result_warn "Credentials dir has permissions $DIR_PERMS (recommended: 700)"
+        CRED_ISSUES=$((CRED_ISSUES + 1))
+    fi
+
+    while IFS= read -r cred_file; do
+        [ -z "$cred_file" ] && continue
+        FPERMS="$(get_perm "$cred_file")"
+        if [ "$FPERMS" != "600" ] && [ "$FPERMS" != "unknown" ]; then
+            result_warn "$(basename "$cred_file") has permissions $FPERMS (recommended: 600)"
+            CRED_ISSUES=$((CRED_ISSUES + 1))
+        fi
+    done < <(find "$CRED_DIR" -type f -name "*.json" 2>/dev/null)
+fi
+
+# ---- Check session directories under agents/*
+AGENTS_DIR="$OPENCLAW_DIR/agents"
+if [ -d "$AGENTS_DIR" ]; then
+    while IFS= read -r agent_dir; do
+        [ -z "$agent_dir" ] && continue
+
+        # ---- sessions/
+        SESSION_DIR="$agent_dir/sessions"
+        if [ -d "$SESSION_DIR" ]; then
+            SDIR_PERMS="$(get_perm "$SESSION_DIR")"
+            if [ "$SDIR_PERMS" != "700" ] && [ "$SDIR_PERMS" != "unknown" ]; then
+                result_warn "Session dir $(basename "$agent_dir")/sessions has permissions $SDIR_PERMS (recommended: 700)"
+                CRED_ISSUES=$((CRED_ISSUES + 1))
+            fi
+
+            while IFS= read -r session_file; do
+                [ -z "$session_file" ] && continue
+                SFPERMS="$(get_perm "$session_file")"
+                if [ "$SFPERMS" != "600" ] && [ "$SFPERMS" != "unknown" ]; then
+                    result_warn "Session file $(basename "$agent_dir")/sessions/$(basename "$session_file") has permissions $SFPERMS (recommended: 600)"
+                    CRED_ISSUES=$((CRED_ISSUES + 1))
+                fi
+            done < <(find "$SESSION_DIR" -type f 2>/dev/null)
+        fi
+
+        # ---- agent/auth-profiles.json
+        AUTH_PROFILE_FILE="$agent_dir/agent/auth-profiles.json"
+        if [ -f "$AUTH_PROFILE_FILE" ]; then
+            APERMS="$(get_perm "$AUTH_PROFILE_FILE")"
+            if [ "$APERMS" != "600" ] && [ "$APERMS" != "unknown" ]; then
+                result_warn "Auth profiles for agent '$(basename "$agent_dir")' have permissions $APERMS (recommended: 600)"
+                CRED_ISSUES=$((CRED_ISSUES + 1))
+            fi
+        fi
+    done < <(find "$AGENTS_DIR" -mindepth 1 -maxdepth 1 -type d 2>/dev/null)
+fi
+
+if [ "$CRED_ISSUES" -eq 0 ] && [ -d "$OPENCLAW_DIR" ]; then
+    result_clean "Session and credential permissions correct"
+fi
+
+# ============================================================
+# CHECK 2 (new / CRED-007): API keys in memory files
+# ============================================================
+header 2 "Scanning memory files for leaked API keys... "
+
+MEMKEY_ISSUES=0
+
+# if [ -d "$AGENTS_DIR" ]; then
+#     while IFS= read -r agent_dir; do
+#         [ -z "$agent_dir" ] && continue
+
+#         for mem_name in soul.md MEMORY.md SOUL.md; do
+#             MEM_FILE="$agent_dir/$mem_name"
+#             if [ -f "$MEM_FILE" ]; then
+#                 if has_api_key_patterns "$MEM_FILE"; then
+#                     result_critical "API keys found in memory file '$mem_name' for agent '$(basename "$agent_dir")'"
+#                     log "  Evidence: $MEM_FILE contains API key patterns"
+#                     MEMKEY_ISSUES=$((MEMKEY_ISSUES + 1))
+#                 fi
+#             fi
+#         done
+#     done < <(find "$AGENTS_DIR" -mindepth 1 -maxdepth 1 -type d 2>/dev/null)
+# fi
+
+list_memory_files() {
+    # Enumerate workspace-level and agent-level memory files
+    local f
+    for f in \
+        "$WORKSPACE_DIR/SOUL.md" \
+        "$WORKSPACE_DIR/soul.md" \
+        "$WORKSPACE_DIR/MEMORY.md"
+    do
+        [ -f "$f" ] && echo "$f"
+    done
+
+    if [ -d "$OPENCLAW_DIR/agents" ]; then
+        find "$OPENCLAW_DIR/agents" -mindepth 2 -maxdepth 2 -type f \
+            \( -name 'soul.md' -o -name 'SOUL.md' -o -name 'MEMORY.md' -o -name 'soul.md' \) \
+            2>/dev/null || true
+    fi
+}
+
+# 在 workspace 根目录下
+MEM_SEARCH_DIR="$OPENCLAW_DIR/workspace"
+
+while IFS= read -r MEM_FILE; do
+    [ -z "$MEM_FILE" ] && continue
+    [ -f "$MEM_FILE" ] || continue
+
+    if has_api_key_patterns "$MEM_FILE"; then
+        result_critical "API keys found in memory file '$(basename "$MEM_FILE")'"
+        log "  Evidence: $MEM_FILE"
+        MEMKEY_ISSUES=$((MEMKEY_ISSUES + 1))
+    fi
+done <<EOF
+$(list_memory_files)
+EOF
+
+if [ "$MEMKEY_ISSUES" -eq 0 ]; then
+    result_clean "No API keys found in memory files"
+fi
+
+# ============================================================
+# CHECK 3 (new / CRED-008): Scan state dir .md/.json files for API keys
+# ============================================================
+header 3 "Scanning state files for leaked API keys... "
+
+STATEKEY_ISSUES=0
+
+if [ -d "$OPENCLAW_DIR" ]; then
+    while IFS= read -r scan_file; do
+        [ -z "$scan_file" ] && continue
+
+        case "$scan_file" in
+            *.env)
+                continue
+                ;;
+            */soul.md|*/MEMORY.md|*/SOUL.md)
+                # Already covered by CHECK 2
+                continue
+                ;;
+        esac
+
+        if has_api_key_patterns "$scan_file"; then
+            result_warn "API key pattern found in configuration/state file '$(basename "$scan_file")'"
+            log "  Evidence: $scan_file"
+            STATEKEY_ISSUES=$((STATEKEY_ISSUES + 1))
+        fi
+    done < <(find "$OPENCLAW_DIR" \( -name "*.md" -o -name "*.json" \) -type f 2>/dev/null)
+fi
+
+if [ "$STATEKEY_ISSUES" -eq 0 ]; then
+    result_clean "No API keys found in scanned state files"
+fi