- Updated SKILL.md documentation to use placeholder format that doesn't trigger secret scanners
- Modified error messages in claude-client to avoid secret detection patterns
- Changed from quoted 'sk-ant-...' format to unquoted 'your-key-here' with comment
- All hardcoded secret patterns removed while maintaining clear documentation
Verified: No hardcoded API keys found in security scan
- Added ESLint globals for Node.js in skills/**/*.js files
- Fixed NodeJS.ErrnoException type declarations (changed from namespace to interface)
- Removed unused eslint-disable-next-line directives
- Fixed unused variables in test files (using optional catch binding where appropriate)
- Changed @ts-ignore to @ts-expect-error in feed-reader.ts
- All TypeScript compilation and ESLint checks now pass with zero warnings
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Created comprehensive integration test for risk assessment workflow in
clawsec-analyst covering:
- End-to-end risk assessment workflow (skill.json parse -> feed load ->
match -> analyze -> score)
- Multiple skills batch processing with different risk levels (critical,
low, clean)
- Advisory matching against both dependencies and skill names
- Fallback assessment when Claude API is unavailable with proper risk
score calculation
- Feed signature verification in workflow context (rejects tampered feeds)
- Risk score calculation with multiple severities and CVSS weighting
- Wildcard version matching for vulnerable packages
Test includes 7 comprehensive test cases covering all critical paths
through the risk assessment workflow. All tests pass with proper
signature verification, mock Claude client, and temporary test data.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Created comprehensive integration test covering end-to-end triage workflow
- Tests feed load -> analyze -> filter -> cache -> persist pipeline
- Includes batch processing with fallback analysis for failures
- Tests cache integration and offline resilience
- Tests state persistence for analysis history
- Tests priority filtering with multiple thresholds
- Tests feed signature verification in workflow context
- All 7 tests passing with proper test isolation
- Added validateEnvironment() function to check ANTHROPIC_API_KEY and other env vars
- Added CLI entry point supporting --dry-run flag for environment validation
- Validates CLAWSEC_HOOK_INTERVAL_SECONDS is a positive integer if set
- Outputs clear error messages on validation failure
- Exits with proper status codes (0=success, 1=failure)
- Compiled TypeScript to JavaScript for runtime execution
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Created cache.ts with getCachedAnalysis/setCachedAnalysis functions
- Cache directory: ~/.openclaw/clawsec-analyst-cache/
- Cache expiry: 7 days with stale cache warnings
- Includes clearStaleCache() and getCacheStats() utilities
- Proper error handling for non-critical cache operations
- TypeScript compiles without errors
- Created TypeScript implementation based on clawsec-suite feed.mjs pattern
- Implements Ed25519 signature verification with Ed25519 public key
- Enforces TLS 1.2+ with secure HTTPS agent and domain validation
- Supports both local filesystem and remote URL feed loading
- Includes checksum manifest verification for integrity
- Follows fail-closed security model for all verification steps
- Compiles successfully with TypeScript strict mode
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Created claude-client.ts with ClaudeClient class
- Implemented exponential backoff retry logic (1s, 2s, 4s delays)
- Max 3 retries for rate limits (429) and server errors (5xx)
- Fail fast on auth errors (401) and bad requests (400)
- Added specialized methods: analyzeAdvisory, assessSkillRisk, parsePolicy
- Proper TypeScript error handling with AnalystError types
- Environment-based API key configuration with clear error messages
- Compiles successfully with no TypeScript errors
- Created comprehensive skill.json with metadata following clawsec-suite pattern
- Defined complete SBOM listing all 22 files to be created (required + optional)
- Added OpenClaw configuration (emoji: 🔍, triggers, environment variables)
- Specified Claude API integration details (model, retry strategy, cache TTL)
- Version 0.1.0 matches package.json
- Includes capabilities, compatibility, and integration sections
Verification:
- JSON structure is valid
- All required fields present (name, version, description, author, license, sbom)
- Version consistency verified between skill.json and package.json
- Ready for subsequent subtasks to create SBOM files
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* feat: add severity filter tabs to advisory feed page
Add horizontal severity filter tabs (All, Critical, High, Medium, Low)
to the advisory feed page. Advisories are filtered by CVSS score ranges
matching NVD conventions. Tab counts update dynamically.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor: extract severity filter tabs into data-driven map
Replace five duplicated button blocks with a SEVERITY_TABS metadata
array and a single .map() loop. Class strings are kept as full literals
for Tailwind purge compatibility.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor: replace filteredAdvisories state with useMemo
filteredAdvisories is derived from advisories + selectedSeverity and
should not be independent state. Replace useState + filtering useEffect
with a single useMemo. Keep a minimal useEffect that only resets
currentPage on dependency changes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: add platform filter tabs (OpenClaw / NanoClaw) to advisory feed
Add a second row of filter tabs for platform selection using the clawd
color palette. Add platforms field to Advisory type to match feed data.
Both severity and platform filters compose via useMemo.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: extract shared FilterTabs component and treat missing platforms as universal
Extract a reusable FilterTabs component so severity and platform tab
rows share identical markup. Fix platform filter to treat advisories
with missing or empty platforms as matching all platforms, preventing
legacy entries from being silently dropped.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* refactor: extract shared test harness module from 9 test files
Extract duplicated test utilities into a reusable test_harness.mjs module
to eliminate ~200-250 lines of boilerplate code across test files.
Changes:
- Create skills/clawsec-suite/test/lib/test_harness.mjs with:
- Test reporting: pass(), fail(), report(), exitWithResults()
- Crypto utilities: generateEd25519KeyPair(), signPayload()
- Temp directory: createTempDir() with cleanup
- Environment helpers: withEnv() for isolated env vars
- Test runner factory: createTestRunner() for isolated counters
- Refactor 9 test files to use shared harness:
- feed_verification.test.mjs
- guarded_install.test.mjs
- skill_catalog_discovery.test.mjs
- advisory_suppression.test.mjs
- advisory_application_scope.test.mjs
- path_resolution.test.mjs
- fuzz_properties.test.mjs
- suppression_config.test.mjs
- render_report_suppression.test.mjs
Benefits:
- Single source of truth for test utilities
- Consistent test reporting across all files
- Easier to add new test files
- Reduced maintenance burden
Verification:
- All 80 tests pass (15+8+3+15+4+6+1+17+11)
- Zero ESLint warnings
- No behavior changes - only code deduplication
- Cross-skill module sharing works (openclaw-audit-watchdog → clawsec-suite)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix: update minimatch override to 10.2.4 to resolve ReDoS vulnerabilities
Bump minimatch from 10.2.1 to 10.2.4 in overrides to fix 10 high-severity
ReDoS vulnerabilities (GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74).
Also add .venv/ to ESLint ignores to prevent linting Python venv files.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix(readme): use github-safe demo previews and links
* fix(readme): use only github-hosted demo links
* fix(wiki): map wiki root to index
* feat(readme): add lightweight animated gif demo previews
* refactor(wiki): generate Home from INDEX during sync
* fix(ci): remove github token write scopes in workflows
* chore(ci): use existing poll token for write automation
- Introduced glossary for key terms and definitions related to security advisories, skill packaging, and CI/CD processes.
- Documented the Automation and Release Pipelines module, detailing responsibilities, key files, public interfaces, and configuration.
- Added ClawSec Suite Core module documentation, outlining its responsibilities, key files, public interfaces, and configuration.
- Created Frontend Web App module documentation, covering responsibilities, key files, public interfaces, and configuration.
- Added Local Validation and Packaging Tools module documentation, detailing responsibilities, key files, public interfaces, and configuration.
- Documented NanoClaw Integration module, including responsibilities, key files, public interfaces, and configuration.
- Introduced an overview of ClawSec, including purpose, repo layout, entry points, key artifacts, and workflows.
- Added a Security section outlining the security model, cryptographic controls, runtime enforcement, and incident playbooks.
- Created a Testing section detailing the testing strategy, verification layers, CI workflow coverage, and local testing commands.
- Documented the Workflow section, covering the end-to-end lifecycle, primary workflow map, local operator workflow, and operational risks.
davida-ps
github-actions[bot]