e47d1e2d69
fix(clawsec-suite): reduce moderation false positives in publish payload ( #195 )
2026-04-17 02:43:57 +03:00
e6a1765a7f
fix(openclaw-audit-watchdog): avoid dangerous-exec gate false positives ( #194 )
...
* fix(openclaw-audit-watchdog): avoid dangerous-exec gate false positives
* fix(openclaw-audit-watchdog): align frontmatter runtime metadata
* fix(openclaw-audit-watchdog): normalize release version to 0.1.3
2026-04-17 02:34:45 +03:00
600c945fe2
feat(hermes-attestation-guardian): harden attestation verification and drift controls ( #192 )
...
* feat(hermes-attestation-guardian): harden attestation verification and drift controls
* docs(wiki): add human-friendly claim mapping for hermes attestation guardian
* docs(wiki): expand hermes attestation claim narratives and archive draft
* fix(attestation): address Baz review findings for schema and verifier
* fix(attestation): reject broken symlink output paths
* docs(attestation): pass clean community install guard without force
* fix(attestation): harden writes and fail-closed config parsing
* feat(ui): add Hermes to rotating platform text
* test(attestation): add sandboxed Hermes regression runner script
---------
Co-authored-by: David Abutbul <David.a@prompt.security >
2026-04-16 17:59:18 +03:00
caad6f698c
chore(skills): harden openclaw skill metadata ( #191 )
...
* chore(skills): harden openclaw skill metadata
* fix(openclaw-audit-watchdog): add dated release note heading
* chore(skills): normalize openclaw naming
* fix(soul-guardian): preserve legacy launchd state dir
* fix(soul-guardian): clean up legacy launchd labels
2026-04-14 15:43:04 +03:00
6c33384947
chore: CVE advisories - 0 new, 29 updated ( #190 )
...
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-04-12T06:30:25Z to 2026-04-14T06:33:41.000Z
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-04-14 14:09:51 +03:00
a11314faa9
chore: CVE advisories - 58 new, 0 updated ( #178 )
...
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-04-09T07:33:03Z to 2026-04-12T06:29:44.000Z
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-04-12 13:22:37 +03:00
969a902fa6
chore: CVE advisories - 1 new, 0 updated ( #176 )
...
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-04-08T20:59:34Z to 2026-04-09T07:32:24.000Z
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-04-09 10:47:15 +03:00
c72f366354
fix(ci): harden nvd/scorecard dependency guardrails ( #177 )
...
* fix(ci): harden nvd/scorecard dependency guardrails
* fix(ci): upsert nvd advisory PRs and dedupe stale branches
* fix(ci): paginate NVD PR lookup and expand scorecard triggers
2026-04-09 10:30:20 +03:00
6c17509c80
chore(deps): bump actions/setup-python from 5.4.0 to 6.2.0 ( #108 )
...
Bumps [actions/setup-python](https://github.com/actions/setup-python ) from 5.4.0 to 6.2.0.
- [Release notes](https://github.com/actions/setup-python/releases )
- [Commits](https://github.com/actions/setup-python/compare/v5.4.0...a309ff8b426b58ec0e2a45f0f869d46889d02405 )
---
updated-dependencies:
- dependency-name: actions/setup-python
dependency-version: 6.2.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-09 00:22:37 +03:00
b28fd02841
chore(deps-dev): bump @eslint/js from 9.28.0 to 9.39.4 ( #124 )
...
Bumps [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js ) from 9.28.0 to 9.39.4.
- [Release notes](https://github.com/eslint/eslint/releases )
- [Commits](https://github.com/eslint/eslint/commits/v9.39.4/packages/js )
---
updated-dependencies:
- dependency-name: "@eslint/js"
dependency-version: 9.39.4
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-09 00:13:46 +03:00
0373a137ee
chore(deps-dev): bump eslint from 9.39.3 to 9.39.4 ( #122 )
...
Bumps [eslint](https://github.com/eslint/eslint ) from 9.39.3 to 9.39.4.
- [Release notes](https://github.com/eslint/eslint/releases )
- [Commits](https://github.com/eslint/eslint/compare/v9.39.3...v9.39.4 )
---
updated-dependencies:
- dependency-name: eslint
dependency-version: 9.39.4
dependency-type: direct:development
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-09 00:10:50 +03:00
e2f4303fcc
chore(deps-dev): bump @typescript-eslint/parser from 8.56.1 to 8.57.1 ( #137 )
...
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser ) from 8.56.1 to 8.57.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases )
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md )
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.57.1/packages/parser )
---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
dependency-version: 8.57.1
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-09 00:04:39 +03:00
0cfb9b4784
chore: CVE advisories - 0 new, 4 updated ( #175 )
...
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-04-05T06:25:01Z to 2026-04-08T20:58:56.000Z
Co-authored-by: davida-ps <232346510+davida-ps@users.noreply.github.com >
2026-04-09 00:00:14 +03:00
eeb1a5d632
chore(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1 ( #135 )
...
Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release ) from 2.5.0 to 2.6.1.
- [Release notes](https://github.com/softprops/action-gh-release/releases )
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md )
- [Commits](https://github.com/softprops/action-gh-release/compare/a06a81a03ee405af7f2048a818ed3f03bbf83c7b...153bb8e04406b158c6c84fc1615b65b24149a1fe )
---
updated-dependencies:
- dependency-name: softprops/action-gh-release
dependency-version: 2.6.1
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-08 23:58:19 +03:00
b39fe73e45
chore(deps): bump actions/deploy-pages from 4.0.5 to 5.0.0 ( #159 )
...
Bumps [actions/deploy-pages](https://github.com/actions/deploy-pages ) from 4.0.5 to 5.0.0.
- [Release notes](https://github.com/actions/deploy-pages/releases )
- [Commits](https://github.com/actions/deploy-pages/compare/d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e...cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 )
---
updated-dependencies:
- dependency-name: actions/deploy-pages
dependency-version: 5.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-08 23:53:52 +03:00
7cafbd7d77
chore(deps): bump github/codeql-action from 4.32.4 to 4.35.1 ( #160 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 4.32.4 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](https://github.com/github/codeql-action/compare/89a39a4e59826350b863aa6b6252a07ad50cf83e...c10b8064de6f491fea524254123dbe5e09572f13 )
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-version: 4.35.1
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-08 23:50:56 +03:00
a7a0993029
chore(deps): bump ruff from 0.15.6 to 0.15.9 in /.github ( #169 )
...
Bumps [ruff](https://github.com/astral-sh/ruff ) from 0.15.6 to 0.15.9.
- [Release notes](https://github.com/astral-sh/ruff/releases )
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md )
- [Commits](https://github.com/astral-sh/ruff/compare/0.15.6...0.15.9 )
---
updated-dependencies:
- dependency-name: ruff
dependency-version: 0.15.9
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-08 23:41:52 +03:00
9827f08769
chore(clawsec-suite): add 0.1.5 changelog entry ( #174 )
...
* chore(clawsec-suite): add 0.1.5 changelog release notes
* fix(ci): enforce release notes for bumped skills
2026-04-08 23:35:16 +03:00
b996cff4bd
fix(clawsec-suite): use release metadata for heartbeat version check ( #173 )
...
* fix(clawsec-suite): stop false heartbeat update alerts
* chore(deps): remediate npm audit vulnerabilities
* docs(heartbeats): harden release lookup and fallback behavior
* chore(skills): remove prompt-agent
* chore(clawsec-suite): bump version to 0.1.5
* fix(ci): skip removed skills in skill-release validation
2026-04-08 23:18:58 +03:00
bd6e9e284a
chore: CVE advisories - 24 new, 20 updated ( #167 )
...
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-03-30T06:34:41Z to 2026-04-05T06:24:22.000Z
Co-authored-by: davida-ps <232346510+davida-ps@users.noreply.github.com >
2026-04-05 12:16:06 +03:00
e0083353cf
chore: CVE advisories - 19 new, 0 updated ( #157 )
...
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-03-29T06:22:49Z to 2026-03-30T06:34:03.000Z
Co-authored-by: davida-ps <232346510+davida-ps@users.noreply.github.com >
2026-03-30 10:13:00 +03:00
01f651d6aa
chore: CVE advisories - 1 new, 32 updated ( #155 )
...
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-03-25T06:21:11Z to 2026-03-29T06:22:11.000Z
Co-authored-by: davida-ps <232346510+davida-ps@users.noreply.github.com >
2026-03-29 11:20:51 +03:00
bd17103892
chore: CVE advisories - 0 new, 25 updated ( #150 )
...
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-03-24T06:21:41Z to 2026-03-25T06:20:32.000Z
Co-authored-by: davida-ps <232346510+davida-ps@users.noreply.github.com >
2026-03-25 11:12:02 +02:00
eedcb8b85c
chore(deps-dev): bump flatted from 3.4.1 to 3.4.2 ( #144 )
...
Bumps [flatted](https://github.com/WebReflection/flatted ) from 3.4.1 to 3.4.2.
- [Commits](https://github.com/WebReflection/flatted/compare/v3.4.1...v3.4.2 )
---
updated-dependencies:
- dependency-name: flatted
dependency-version: 3.4.2
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-24 14:51:03 +02:00
28bf775d47
chore: CVE advisories - 28 new, 34 updated ( #149 )
...
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-03-20T06:16:32Z to 2026-03-24T06:21:01.000Z
Co-authored-by: davida-ps <232346510+davida-ps@users.noreply.github.com >
2026-03-24 13:57:22 +02:00
30bcb96a23
chore: CVE advisories - 60 new, 14 updated ( #143 )
...
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-03-18T06:21:47Z to 2026-03-20T06:15:50.000Z
Co-authored-by: davida-ps <232346510+davida-ps@users.noreply.github.com >
2026-03-23 00:39:24 +02:00
0a320d18d4
chore: CVE advisories - 16 new, 13 updated ( #141 )
...
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-03-15T06:18:51Z to 2026-03-18T06:21:06.000Z
Co-authored-by: davida-ps <232346510+davida-ps@users.noreply.github.com >
2026-03-18 12:56:05 +02:00
989ea41198
chore(deps): bump ruff from 0.15.2 to 0.15.5 in /.github ( #121 )
...
* chore(deps): bump ruff from 0.15.2 to 0.15.5 in /.github
Bumps [ruff](https://github.com/astral-sh/ruff ) from 0.15.2 to 0.15.5.
- [Release notes](https://github.com/astral-sh/ruff/releases )
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md )
- [Commits](https://github.com/astral-sh/ruff/compare/0.15.2...0.15.5 )
---
updated-dependencies:
- dependency-name: ruff
dependency-version: 0.15.5
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
* fix(ci): update flatted lockfile resolution for npm audit
---------
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: David Abutbul <David.a@prompt.security >
2026-03-15 13:11:08 +02:00
eb124b5f11
chore: CVE advisories - 3 new, 1 updated ( #133 )
...
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-03-12T06:16:01Z to 2026-03-15T06:18:13.000Z
Co-authored-by: davida-ps <232346510+davida-ps@users.noreply.github.com >
2026-03-15 12:23:09 +02:00
277c0abe17
chore: CVE advisories - 6 new, 20 updated ( #130 )
...
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-03-10T06:12:56Z to 2026-03-12T06:15:22.000Z
Co-authored-by: davida-ps <232346510+davida-ps@users.noreply.github.com >
2026-03-12 14:03:19 +02:00
f0f0f1db97
fix(clawsec-scanner): release 0.0.2 with real OpenClaw DAST harness ( #128 )
...
* fix(clawsec-scanner): ship real openclaw dast harness in 0.0.2
* fix(clawsec-scanner): classify ts harness limits as info coverage
* docs(wiki): add clawsec-scanner module documentation
* docs(release): add clawsec-suite install guidance to quick install text
* docs(readme): clarify standalone installs and suite optionality
* docs(readme): remove standalone quick-install block
* docs(readme): rename skill section and clarify suite start point
2026-03-10 19:27:22 +02:00
687822b6cb
chore(deps-dev): bump typescript from 5.8.3 to 5.9.3 ( #109 )
...
Bumps [typescript](https://github.com/microsoft/TypeScript ) from 5.8.3 to 5.9.3.
- [Release notes](https://github.com/microsoft/TypeScript/releases )
- [Commits](https://github.com/microsoft/TypeScript/compare/v5.8.3...v5.9.3 )
---
updated-dependencies:
- dependency-name: typescript
dependency-version: 5.9.3
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-10 17:10:33 +02:00
e715c8a625
chore(deps): bump actions/setup-node from 6.2.0 to 6.3.0 ( #120 )
...
Bumps [actions/setup-node](https://github.com/actions/setup-node ) from 6.2.0 to 6.3.0.
- [Release notes](https://github.com/actions/setup-node/releases )
- [Commits](https://github.com/actions/setup-node/compare/6044e13b5dc448c55e2357c09f80417699197238...53b83947a5a98c8d113130e565377fae1a50d02f )
---
updated-dependencies:
- dependency-name: actions/setup-node
dependency-version: 6.3.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-10 16:51:09 +02:00
bd54393ed4
chore(deps-dev): bump @types/node from 25.2.3 to 25.4.0 ( #125 )
...
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node ) from 25.2.3 to 25.4.0.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases )
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node )
---
updated-dependencies:
- dependency-name: "@types/node"
dependency-version: 25.4.0
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-10 13:59:08 +02:00
0fcc6e6b6d
chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 ( #107 )
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 6.0.0 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](https://github.com/actions/upload-artifact/compare/b7c566a772e6b6bfb58ed0dc250532a479d7789f...bbbca2ddaa5d8feaa63e36b76fdaad77386f024f )
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-version: 7.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-10 13:55:23 +02:00
8d292457fb
chore(deps): bump bandit from 1.9.3 to 1.9.4 in /.github ( #103 )
...
Bumps [bandit](https://github.com/PyCQA/bandit ) from 1.9.3 to 1.9.4.
- [Release notes](https://github.com/PyCQA/bandit/releases )
- [Commits](https://github.com/PyCQA/bandit/compare/1.9.3...1.9.4 )
---
updated-dependencies:
- dependency-name: bandit
dependency-version: 1.9.4
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-10 13:52:00 +02:00
1cced651a0
chore: CVE advisories - 0 new, 20 updated ( #127 )
...
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-03-09T06:19:31Z to 2026-03-10T06:12:16.000Z
Co-authored-by: davida-ps <232346510+davida-ps@users.noreply.github.com >
2026-03-10 09:07:06 +02:00
83ce1d0bf5
fix(release): enforce changelog match for tagged skill releases ( #118 )
2026-03-09 21:30:52 +02:00
f9a7565d6f
Automated Vulnerability Scanner Skill (clawsec-scanner) ( #101 )
...
* auto-claude: subtask-1-1 - Create skill.json with SBOM, OpenClaw config, and required binaries
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com >
* auto-claude: subtask-1-2 - Create SKILL.md with YAML frontmatter and documentation
* auto-claude: subtask-1-3 - Create CHANGELOG.md starting at version 0.1.0
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com >
* auto-claude: subtask-1-4 - Create directory structure (scripts/, lib/, hooks/, test/)
* auto-claude: subtask-2-1 - Create lib/types.ts with Vulnerability and ScanReport interfaces
- Defined VulnerabilitySource type with 7 possible sources (npm-audit, pip-audit, osv, nvd, github, sast, dast)
- Defined SeverityLevel type with 5 severity levels (critical, high, medium, low, info)
- Created Vulnerability interface with all required fields: id, source, severity, package, version, title, description, references, discovered_at, and optional fixed_version
- Created ScanReport interface with scan_id, timestamp, target, vulnerabilities array, and summary counts
- Added HookEvent and HookContext types for OpenClaw hook integration
- Follows patterns from clawsec-suite advisory-guardian types
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com >
* auto-claude: subtask-2-2 - Create lib/utils.mjs with subprocess execution and JSON parsing helpers
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com >
* auto-claude: subtask-2-3 - Create lib/report.mjs for unified vulnerability re
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com >
* auto-claude: subtask-3-1 - Create scripts/scan_dependencies.mjs for npm audit and pip-audit integration
- Implements npm audit JSON output parsing with non-zero exit handling
- Implements pip-audit JSON output parsing with -f json flag
- Handles missing package-lock.json/requirements.txt gracefully
- Checks for command availability (npm, pip-audit) before running
- Converts audit outputs to unified Vulnerability schema
- Generates ScanReport with UUID scan_id and timestamp
- Supports --target and --format (json|text) CLI flags
- Edge cases: missing files, unavailable commands, malformed JSON
- Verification passes: UUID scan_id matches pattern ^[0-9a-f-]{36}$
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com >
* auto-claude: subtask-4-1 - Create scripts/query_cve_databases.mjs with OSV pr
Implemented CVE database integration with:
- queryOSV(): Primary CVE source using OSV API (free, no auth)
- queryNVD(): Fallback NVD API with 6s rate limiting (gated by CLAWSEC_NVD_API_KEY)
- queryGitHub(): Placeholder for future GitHub Advisory Database integration
- enrichVulnerability(): Multi-database enrichment pipeline
- Normalization to unified Vulnerability schema with severity, references, fixed versions
- Graceful error handling for network failures and API errors
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com >
* auto-claude: subtask-5-1 - Create scripts/sast_analyzer.mjs to run Semgrep and Bandit
Implemented static analysis engine following scan_dependencies.mjs pattern:
- Runs Semgrep for JS/TS with --config auto and --json output
- Runs Bandit for Python with -r <path> -f json -c pyproject.toml
- Handles non-zero exit codes gracefully (tools exit 1 on findings)
- Parses JSON output and converts to unified Vulnerability schema
- Supports --target and --format CLI flags
- Gracefully handles missing tools (semgrep, bandit)
- Generates ScanReport with UUID scan_id and severity summary
Verification passed: JSON output with valid vulnerabilities array
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com >
* auto-claude: subtask-6-1 - Create scripts/dast_runner.mjs with basic security test framework
- Implemented DAST framework with 4 security test cases:
- DAST-001: Hook handler malicious input test (XSS, command injection, path traversal)
- DAST-002: Hook handler timeout enforcement (30s default)
- DAST-003: Hook handler resource limits (memory/CPU)
- DAST-004: Hook handler event mutation safety
- Supports --target, --format (json|text), --timeout CLI flags
- Returns unified ScanReport with vulnerability schema
- Executes all test cases with configurable timeout
- Tests malicious input patterns: XSS, SQL injection, command injection, path traversal, null bytes, large payloads
- v1 scope: basic test framework for hook security testing (full agent workflow DAST is future work)
Verification:
- ✅ Framework loads and executes 4 test cases
- ✅ Timeout enforcement working (30s default, configurable via --timeout)
- ✅ JSON output with valid scan_id
- ✅ Text format output working
- ✅ Help output displays usage information
* auto-claude: subtask-7-1 - Create scripts/runner.sh as main entry point with CLI flag parsing
- Orchestrates all scanning engines (dependency, SAST, DAST, CVE)
- Supports --target (required), --output, --format flags
- Merges reports from all scanners using jq
- Provides --help documentation
- Follows openclaw-audit-watchdog/scripts/runner.sh pattern
- Includes skip flags for selective scanning
- Verification: --help shows --target flag
* auto-claude: subtask-8-1 - Create hooks/clawsec-scanner-hook/HOOK.md with hook metadata
- Added YAML frontmatter with hook name, description, and OpenClaw events
- Documented hook purpose: periodic vulnerability scanning on agent:bootstrap and command:new
- Described four scanning engines: dependency, SAST, DAST, CVE lookup
- Added safety contract (non-blocking, read-only, configurable interval)
- Documented all environment variables (core config, CVE integration, selective scanning, advanced options)
- Listed required binaries (node, npm, python3, pip-audit, semgrep, bandit, jq, curl)
- Follows clawsec-advisory-guardian/HOOK.md pattern
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com >
* auto-claude: subtask-8-2 - Create hooks/clawsec-scanner-hook/handler.ts with event.messages mutation
- Implement hook handler following clawsec-advisory-guardian pattern
- Add rate-limited scanning with configurable interval (default 24h)
- Support event types: agent:bootstrap and command:new
- Integrate with runner.sh for vulnerability scanning
- Deduplicate vulnerabilities using state file persistence
- Filter findings by minimum severity (default: medium)
- Push scan results to event.messages array
- Support selective scanning via environment variables
- Handle failures gracefully with partial results
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com >
* auto-claude: subtask-8-3 - Create scripts/setup_scanner_hook.mjs for hook installation
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com >
* auto-claude: subtask-9-1 - Create test/dependency_scanner.test.mjs for dependency scanning tests
- Created test harness (test/lib/test_harness.mjs) with test utilities
- Created comprehensive test suite with 20 tests covering:
- normalizeSeverity function (all severity levels)
- safeJsonParse function (valid, invalid, empty inputs)
- getTimestamp and generateUuid functions
- commandExists function (found and not found cases)
- generateReport function (empty and with vulnerabilities)
- formatReportJson and formatReportText functions
- Report structure validation
- Temp directory creation and cleanup
- All tests pass successfully (20/20)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com >
* auto-claude: subtask-9-2 - Create test/cve_integration.test.mjs for CVE database API tests
Added comprehensive CVE integration tests covering:
- OSV API query and normalization
- NVD API query with rate limiting
- GitHub Advisory Database placeholder
- Multi-source enrichment
- Error handling and network failures
- Vulnerability structure validation
- Multiple ecosystem support (npm, PyPI)
Tests gracefully handle network unavailability and skip API key-dependent tests.
All 20 tests passing.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com >
* auto-claude: subtask-9-3 - Create test/sast_engine.test.mjs for static analysis tests
- Added comprehensive test suite for SAST engine functionality
- Tests cover Semgrep and Bandit output parsing
- Validates severity normalization and vulnerability data structures
- Includes edge case handling for malformed JSON and missing fields
- All 16 tests passing
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com >
* auto-claude: subtask-10-2 - Run ESLint with zero warnings
- Add no-unused-vars rule with argsIgnorePattern to .mjs files in ESLint config
- Prefix unused parameters with underscore in handler.ts, dast_runner.mjs, query_cve_databases.mjs
- Remove unused error binding in handler.ts catch block
- Remove unused result variable in cve_integration.test.mjs
- Remove unused SAMPLE_OSV_VULN and SAMPLE_NVD_CVE constants
- Remove unused safeJsonParse import from query_cve_databases.mjs
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com >
* fix(clawsec-scanner): resolve baz logical scanner findings
* fix(clawsec-scanner): make scanner state parsing type-safe
* chore(clawsec-scanner): bump version to 0.0.1
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com >
2026-03-09 21:16:22 +02:00
81c2e60513
fix(ci): temporary clawhub publish workaround for MIT-0 consent ( #117 )
...
* fix(ci): patch clawhub publish payload for temporary MIT-0 consent workaround
* fix(ci): make clawhub publish patch self-contained for tag republish
* fix(clawsec-nanoclaw): harden signature verification boundaries
* chore(clawsec-nanoclaw): bump version to 0.0.3
* fix(clawsec-nanoclaw): normalize integrity policy and baseline paths
2026-03-09 19:30:22 +02:00
19b53609c1
chore: CVE advisories - 46 new, 0 updated ( #116 )
...
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-03-01T18:07:41Z to 2026-03-09T06:18:51.000Z
Co-authored-by: davida-ps <232346510+davida-ps@users.noreply.github.com >
2026-03-09 10:10:59 +02:00
79c303fa3f
fix(ci): restore github token flow for skill release ( #99 )
2026-03-02 09:47:42 +02:00
e0eae65586
refactor(ci): extract shared exploitability enrichment helper ( #95 )
...
* refactor(ci): share exploitability enrichment script
* refactor(scripts): reuse shared exploitability enricher in local feed
2026-03-01 21:50:10 +02:00
56a36b7e52
chore: CVE advisories - 35 new, 0 updated ( #97 )
...
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2025-11-01T18:07:01.000Z to 2026-03-01T18:07:01.000Z
Co-authored-by: davida-ps <232346510+davida-ps@users.noreply.github.com >
2026-03-01 20:14:58 +02:00
8ad38dfdc6
feat(ci): add full-scan rebuild mode to NVD polling ( #96 )
2026-03-01 20:00:42 +02:00
3c336021d7
fix(ci): use valid setup-python pin in advisory workflows ( #92 )
2026-03-01 18:54:32 +02:00
073e771b73
Exploitability Context for CVE Advisories ( #89 )
...
* feat(advisories): add exploitability context for CVE advisories
* fix(ci): align exploitability workflow with signing model
* docs(skills): add patch release changelog entries
* chore(clawsec-feed): bump version to 0.0.5
* chore(clawsec-suite): bump version to 0.1.4
* fix(clawsec-nanoclaw): align exploitability handling and nanoclaw integration
* chore(clawsec-nanoclaw): bump version to 0.0.2
* refactor(scripts): share feed path and mirror sync helpers
* refactor(utils): unify cvss vector parsing flow
* refactor(clawsec-nanoclaw): centralize advisory risk evaluation
* docs(exploitability): refresh release metadata dates
* fix(review): align feed signing and advisory dedupe
* chore(clawsec-feed): bump version to 0.0.6
* chore(clawsec-nanoclaw): bump version to 0.0.3
* fix(backfill): limit signing to target feed only
* fix(review): keep skill runtime verify-only and dedupe matching
* chore(clawsec-nanoclaw): bump version to 0.0.4
* chore(skills): align versions with published tags
* feat(feed): enrich local population with exploitability analysis
* docs(exploitability): mark backfill as historical flow
2026-03-01 18:43:24 +02:00
382db82483
Add Severity Filter Tabs to Advisory Feed Page ( #87 )
...
* feat: add severity filter tabs to advisory feed page
Add horizontal severity filter tabs (All, Critical, High, Medium, Low)
to the advisory feed page. Advisories are filtered by CVSS score ranges
matching NVD conventions. Tab counts update dynamically.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
* refactor: extract severity filter tabs into data-driven map
Replace five duplicated button blocks with a SEVERITY_TABS metadata
array and a single .map() loop. Class strings are kept as full literals
for Tailwind purge compatibility.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
* refactor: replace filteredAdvisories state with useMemo
filteredAdvisories is derived from advisories + selectedSeverity and
should not be independent state. Replace useState + filtering useEffect
with a single useMemo. Keep a minimal useEffect that only resets
currentPage on dependency changes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
* feat: add platform filter tabs (OpenClaw / NanoClaw) to advisory feed
Add a second row of filter tabs for platform selection using the clawd
color palette. Add platforms field to Advisory type to match feed data.
Both severity and platform filters compose via useMemo.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
* fix: extract shared FilterTabs component and treat missing platforms as universal
Extract a reusable FilterTabs component so severity and platform tab
rows share identical markup. Fix platform filter to treat advisories
with missing or empty platforms as matching all platforms, preventing
legacy entries from being silently dropped.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com >
2026-02-27 20:14:08 +02:00
c9a66d5c99
Extract Shared Test Harness Module from 9 Test Files ( #85 )
...
* refactor: extract shared test harness module from 9 test files
Extract duplicated test utilities into a reusable test_harness.mjs module
to eliminate ~200-250 lines of boilerplate code across test files.
Changes:
- Create skills/clawsec-suite/test/lib/test_harness.mjs with:
- Test reporting: pass(), fail(), report(), exitWithResults()
- Crypto utilities: generateEd25519KeyPair(), signPayload()
- Temp directory: createTempDir() with cleanup
- Environment helpers: withEnv() for isolated env vars
- Test runner factory: createTestRunner() for isolated counters
- Refactor 9 test files to use shared harness:
- feed_verification.test.mjs
- guarded_install.test.mjs
- skill_catalog_discovery.test.mjs
- advisory_suppression.test.mjs
- advisory_application_scope.test.mjs
- path_resolution.test.mjs
- fuzz_properties.test.mjs
- suppression_config.test.mjs
- render_report_suppression.test.mjs
Benefits:
- Single source of truth for test utilities
- Consistent test reporting across all files
- Easier to add new test files
- Reduced maintenance burden
Verification:
- All 80 tests pass (15+8+3+15+4+6+1+17+11)
- Zero ESLint warnings
- No behavior changes - only code deduplication
- Cross-skill module sharing works (openclaw-audit-watchdog → clawsec-suite)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com >
* fix: update minimatch override to 10.2.4 to resolve ReDoS vulnerabilities
Bump minimatch from 10.2.1 to 10.2.4 in overrides to fix 10 high-severity
ReDoS vulnerabilities (GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74).
Also add .venv/ to ESLint ignores to prevent linting Python venv files.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com >
2026-02-27 09:20:36 +02:00
e4ca378603
Codex/fix poll nvd pr auth ( #86 )
...
* chore(gitignore): ignore auto-claude workspace dir
* fix(ci): restore github token auth for poll-nvd workflow
2026-02-27 09:00:17 +02:00
davida-ps
David Abutbul
github-actions[bot]
dependabot[bot]