feat(openclaw-traffic-guardian): add social action review scope (#261)
* feat(openclaw-traffic-guardian): add social action review scope * fix(openclaw-traffic-guardian): cover background repeats * fix(openclaw-traffic-guardian): address policy review release gates * docs(openclaw-traffic-guardian): credit policy review contributor * docs(openclaw-traffic-guardian): inline contributor credit * docs(openclaw-traffic-guardian): reference policy review spec * ci(skills): allow unreleased version edits * ci(skills): use directory name for release tag checks --------- Co-authored-by: kriptoburak <kriptoburak@users.noreply.github.com> Co-authored-by: David Abutbul <David.a@prompt.security>
@@ -152,14 +152,6 @@ jobs:
|
||||
md_version_changed=true
|
||||
fi
|
||||
|
||||
if [ "${json_version_changed}" != "true" ] && [ "${md_version_changed}" != "true" ]; then
|
||||
echo "::error file=${skill_dir}::Changed skill package has no version bump. Update skill.json and SKILL.md versions and add CHANGELOG.md release notes."
|
||||
failures=$((failures + 1))
|
||||
continue
|
||||
fi
|
||||
|
||||
echo "Version bump detected for ${skill_dir} (skill.json changed: ${json_version_changed}, SKILL.md changed: ${md_version_changed})"
|
||||
|
||||
if [ ! -f "${json_path}" ]; then
|
||||
echo "::error file=${json_path}::Missing skill.json after version bump."
|
||||
failures=$((failures + 1))
|
||||
@@ -190,6 +182,20 @@ jobs:
|
||||
continue
|
||||
fi
|
||||
|
||||
skill_release_name="$(basename "${skill_dir}")"
|
||||
release_tag="${skill_release_name}-v${head_json_version}"
|
||||
if [ "${json_version_changed}" != "true" ] && [ "${md_version_changed}" != "true" ]; then
|
||||
if git show-ref --verify --quiet "refs/tags/${release_tag}"; then
|
||||
echo "::error file=${skill_dir}::Changed skill package has no version bump and release tag ${release_tag} already exists. Update skill.json and SKILL.md versions and add CHANGELOG.md release notes."
|
||||
failures=$((failures + 1))
|
||||
continue
|
||||
fi
|
||||
|
||||
echo "No version bump detected for ${skill_dir}, but release tag ${release_tag} does not exist; treating ${head_json_version} as unreleased."
|
||||
else
|
||||
echo "Version bump detected for ${skill_dir} (skill.json changed: ${json_version_changed}, SKILL.md changed: ${md_version_changed})"
|
||||
fi
|
||||
|
||||
echo "Version parity OK for ${skill_dir}: ${head_json_version}"
|
||||
|
||||
changelog_path="${skill_dir}/CHANGELOG.md"
|
||||
@@ -231,11 +237,11 @@ jobs:
|
||||
fi
|
||||
|
||||
if [ "${failures}" -gt 0 ]; then
|
||||
echo "::error::Found ${failures} skill metadata/release-notes issue(s) across ${checked_skills} bumped skill(s)."
|
||||
echo "::error::Found ${failures} skill metadata/release-notes issue(s) across ${checked_skills} changed skill(s)."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Validated ${checked_skills} bumped skill(s): version parity and changelog release notes are present."
|
||||
echo "Validated ${checked_skills} changed skill(s): version parity and changelog release notes are present."
|
||||
|
||||
- name: Validate npx skills install docs
|
||||
env:
|
||||
|
||||
@@ -37,13 +37,43 @@ assert.match(
|
||||
assert.doesNotMatch(
|
||||
workflow,
|
||||
/No version bump detected for \$\{skill_dir\}; skipping\./,
|
||||
'Changed skill directories without a version bump must fail validation instead of being skipped',
|
||||
'Changed skill directories without a version bump must not be skipped without release-tag validation',
|
||||
);
|
||||
|
||||
assert.match(
|
||||
workflow,
|
||||
/::error file=\$\{skill_dir\}::Changed skill package has no version bump\./,
|
||||
'Skill release validation must emit an explicit missing-version-bump error',
|
||||
/skill_release_name="\$\(basename "\$\{skill_dir\}"\)"/,
|
||||
'Skill release validation must derive the release tag prefix from the skill package directory',
|
||||
);
|
||||
|
||||
assert.match(
|
||||
workflow,
|
||||
/release_tag="\$\{skill_release_name\}-v\$\{head_json_version\}"/,
|
||||
'Skill release validation must use the skill package directory name for release tag checks',
|
||||
);
|
||||
|
||||
assert.doesNotMatch(
|
||||
workflow,
|
||||
/release_tag="\$\{head_skill_name\}-v\$\{head_json_version\}"/,
|
||||
'Skill release validation must not use skill.json name for release tag checks because release tags resolve to skill directories',
|
||||
);
|
||||
|
||||
assert.match(
|
||||
workflow,
|
||||
/git show-ref --verify --quiet "refs\/tags\/\$\{release_tag\}"/,
|
||||
'Skill release validation must check whether the current skill version has already been tagged',
|
||||
);
|
||||
|
||||
assert.match(
|
||||
workflow,
|
||||
/No version bump detected for \$\{skill_dir\}, but release tag \$\{release_tag\} does not exist; treating \$\{head_json_version\} as unreleased\./,
|
||||
'Skill release validation must allow edits to an unchanged version when that release tag does not exist yet',
|
||||
);
|
||||
|
||||
assert.match(
|
||||
workflow,
|
||||
/::error file=\$\{skill_dir\}::Changed skill package has no version bump and release tag \$\{release_tag\} already exists\./,
|
||||
'Skill release validation must still fail unchanged versions after their release tag exists',
|
||||
);
|
||||
|
||||
assert.match(
|
||||
|
||||
@@ -2,8 +2,12 @@
|
||||
|
||||
## [0.0.1-beta3] - 2026-06-10
|
||||
|
||||
### Changed
|
||||
### Security
|
||||
- Added the `POLICY_REVIEW` scope for approval-sensitive social-account mutation requests, contributed by @kriptoburak.
|
||||
- Defined required JSONL metadata for social-account mutation findings, including source type, mutation category, approval-marker presence, and execution context.
|
||||
|
||||
### Changed
|
||||
- Clarified that persistent social monitor and webhook configuration changes are review findings, while read-only social research should remain covered by no-false-positive tests.
|
||||
- Re-released skill package with updated marketplace grouping and signed release trust artifacts for Vercel-compatible skill installation.
|
||||
|
||||
## [0.0.1-beta2] - 2026-05-13
|
||||
|
||||
@@ -16,6 +16,7 @@ npx skills add prompt-security/clawsec --skill openclaw-traffic-guardian -a open
|
||||
|
||||
- detect outbound secret exfiltration in agent HTTP/HTTPS traffic
|
||||
- detect inbound command-injection and tool-abuse payloads
|
||||
- record operator-review findings for approval-sensitive social-account mutations
|
||||
- write redacted local JSONL findings
|
||||
- provide explicit start, stop, status, and log-query commands
|
||||
- integrate with `clawsec-suite` as an optional add-on
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
---
|
||||
name: openclaw-traffic-guardian
|
||||
version: 0.0.1-beta3
|
||||
description: OpenClaw runtime traffic monitoring baseline for opt-in HTTP/HTTPS proxy inspection, egress detection, and inbound injection detection.
|
||||
description: OpenClaw runtime traffic monitoring baseline for opt-in HTTP/HTTPS proxy inspection, egress detection, inbound injection detection, and social-account policy review.
|
||||
homepage: https://clawsec.prompt.security
|
||||
author: prompt-security
|
||||
license: AGPL-3.0-or-later
|
||||
@@ -110,6 +110,7 @@ Builders should use this skill as the OpenClaw landing zone for runtime traffic
|
||||
- optional HTTPS inspection with per-process CA trust
|
||||
- outbound exfiltration detection
|
||||
- inbound injection detection
|
||||
- approval-sensitive social-account mutation review
|
||||
- redacted local threat logs
|
||||
- optional OpenClaw hook/status integration
|
||||
|
||||
@@ -143,8 +144,10 @@ Read `SPEC.md` before implementing. Use the placeholder folders as follows:
|
||||
3. Scope proxy environment variables to the target OpenClaw process.
|
||||
4. Inspect HTTP request/response text up to a bounded byte limit.
|
||||
5. Support optional HTTPS MITM only when the operator supplies per-process trust configuration.
|
||||
6. Emit JSONL findings with redacted snippets.
|
||||
7. Provide a `status` command that reports mode, listener, CA fingerprint if present, and last findings.
|
||||
6. Flag requests matching `SPEC.md`'s Outbound POLICY_REVIEW cases as operator-review findings, including TweetClaw or other X/Twitter automation writes and scheduler/background-runner repeats without a fresh operator-approval marker.
|
||||
7. Detect repeat/background-runner context from bounded request metadata such as paths, headers, user-agent, client context, tool invocation metadata, or scheduler identifiers.
|
||||
8. Emit JSONL findings with redacted snippets plus source type, mutation category, approval-marker presence, and direct-operator versus background-runner context.
|
||||
9. Provide a `status` command that reports mode, listener, CA fingerprint if present, and last findings.
|
||||
|
||||
## Out of Scope for v0.0.1 Implementation
|
||||
|
||||
|
||||
@@ -45,6 +45,24 @@ Findings must be JSON objects with these fields:
|
||||
}
|
||||
```
|
||||
|
||||
`POLICY_REVIEW` findings must keep the same base schema and add these fields:
|
||||
|
||||
```json
|
||||
{
|
||||
"threat_type": "POLICY_REVIEW",
|
||||
"pattern": "social_account_mutation",
|
||||
"source_type": "openclaw_tool_request",
|
||||
"mutation_category": "post",
|
||||
"approval_marker_present": false,
|
||||
"execution_context": "background_runner"
|
||||
}
|
||||
```
|
||||
|
||||
- `source_type`: `http_request`, `openclaw_tool_request`, or `unknown`.
|
||||
- `mutation_category`: `post`, `reply`, `repost`, `like`, `follow`, `unfollow`, `dm`, `media_upload`, `persistent_monitor`, `webhook_config`, `giveaway_draw`, or `other_social_account_mutation`.
|
||||
- `approval_marker_present`: boolean; do not persist marker secrets or full approval tokens.
|
||||
- `execution_context`: `direct_operator`, `scheduler`, `background_runner`, or `unknown`.
|
||||
|
||||
## Minimum Detection Set
|
||||
|
||||
Outbound EXFIL:
|
||||
@@ -64,6 +82,12 @@ Inbound INJECTION:
|
||||
- destructive remove commands
|
||||
- SSH authorized-key injection shapes
|
||||
|
||||
Outbound POLICY_REVIEW:
|
||||
|
||||
- social-account write requests such as post, reply, repost, like, follow, unfollow, DM, media upload, persistent monitor creation/update, webhook configuration changes, or giveaway draw actions
|
||||
- OpenClaw plugin/tool requests that invoke TweetClaw or another X/Twitter automation plugin for account mutation
|
||||
- scheduler or background-runner requests that would repeat social-account mutations without a fresh operator approval
|
||||
|
||||
## Safety Requirements
|
||||
|
||||
- Default mode is detect-and-log.
|
||||
@@ -72,6 +96,7 @@ Inbound INJECTION:
|
||||
- Maximum scan bytes must be configurable and bounded.
|
||||
- CA trust must be per-process by default.
|
||||
- System trust-store instructions must require explicit operator confirmation and must never run automatically.
|
||||
- POLICY_REVIEW findings must create an operator-review record only; they must not auto-block, auto-approve, or rewrite the requested action.
|
||||
|
||||
## Tests Required Before Release
|
||||
|
||||
@@ -79,7 +104,7 @@ Inbound INJECTION:
|
||||
- redaction tests proving secrets are not persisted
|
||||
- proxy fixture tests for HTTP request and response inspection
|
||||
- no-false-positive tests for common benign traffic
|
||||
- policy-review fixture tests for TweetClaw/social-account mutation examples and benign read-only social research requests
|
||||
- lifecycle tests for stale PID/state cleanup
|
||||
- status output tests
|
||||
- OpenClaw hook integration tests if hook files are added
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
{
|
||||
"name": "openclaw-traffic-guardian",
|
||||
"version": "0.0.1-beta3",
|
||||
"description": "OpenClaw runtime traffic monitoring baseline for opt-in HTTP/HTTPS proxy inspection, egress detection, and inbound injection detection.",
|
||||
"description": "OpenClaw runtime traffic monitoring baseline for opt-in HTTP/HTTPS proxy inspection, egress detection, inbound injection detection, and social-account policy review.",
|
||||
"author": "prompt-security",
|
||||
"license": "AGPL-3.0-or-later",
|
||||
"homepage": "https://clawsec.prompt.security/",
|
||||
@@ -15,7 +15,10 @@
|
||||
"injection",
|
||||
"proxy",
|
||||
"mitm",
|
||||
"runtime"
|
||||
"runtime",
|
||||
"policy-review",
|
||||
"operator-review",
|
||||
"social-account-mutation"
|
||||
],
|
||||
"sbom": {
|
||||
"files": [
|
||||
@@ -84,6 +87,7 @@
|
||||
"https_mitm_inspection": "planned_optional",
|
||||
"egress_exfiltration_detection": "planned",
|
||||
"inbound_injection_detection": "planned",
|
||||
"social_account_policy_review": "planned",
|
||||
"blocking": "future_version"
|
||||
},
|
||||
"execution": {
|
||||
@@ -96,6 +100,7 @@
|
||||
"Default to detect-and-log mode; blocking is out of scope for v0.0.1 implementation.",
|
||||
"Scope HTTP_PROXY/HTTPS_PROXY to the OpenClaw process being monitored.",
|
||||
"Redact secret snippets before writing logs or sending conversation alerts.",
|
||||
"Record POLICY_REVIEW findings for approval-sensitive social-account mutations without auto-blocking, auto-approving, or rewriting requests.",
|
||||
"Integrate with clawsec-suite as an optional add-on, not a default install."
|
||||
],
|
||||
"triggers": [
|
||||
@@ -103,7 +108,9 @@
|
||||
"openclaw traffic monitoring",
|
||||
"monitor openclaw egress",
|
||||
"inspect openclaw http traffic",
|
||||
"detect openclaw exfiltration"
|
||||
"detect openclaw exfiltration",
|
||||
"review social account mutations",
|
||||
"detect tweetclaw write actions"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
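Review bot: No hunk in view touches the `"sbom": { "files": [` entries, although SKILL.md, SPEC.md, README and CHANGELOG content all change in this commit and the changelog entry describes "signed release trust artifacts" for the package. If those entries carry per-file digests, they are now stale relative to the shipped files and any verifier of the signed artifacts would reject the release; if the list is path-only this is a no-op. The entry shape is not visible here, so this is worth confirming, and if digests are involved the SBOM and signature should be regenerated as part of the same version bump.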