clawsec/skills/clawsec-suite/scripts/setup_advisory_cron.mjs

#!/usr/bin/env node

import { spawnSync } from "node:child_process";

const JOB_NAME = process.env.CLAWSEC_ADVISORY_CRON_NAME?.trim() || "ClawSec Advisory Scan";
const JOB_EVERY = process.env.CLAWSEC_ADVISORY_CRON_EVERY?.trim() || "6h";
const JOB_DESCRIPTION =
  "Trigger a periodic ClawSec advisory scan in the main session and ask for approval before removing flagged skills.";
const SYSTEM_EVENT =
  "Run ClawSec advisory scan. If installed skills are flagged as malicious or removal is recommended, notify the user and request explicit approval before any removal.";

function sh(cmd, args) {
  const result = spawnSync(cmd, args, {
    encoding: "utf8",
    stdio: ["ignore", "pipe", "pipe"],
  });

  if (result.error) {
    throw result.error;
  }
  if (result.status !== 0) {
    const details = (result.stderr || result.stdout || "").trim();
    throw new Error(`${cmd} ${args.join(" ")} failed${details ? `: ${details}` : ""}`);
  }

  return result.stdout;
}

function requireOpenClawCli() {
  try {
    sh("openclaw", ["--version"]);
  } catch (error) {
    throw new Error(
      "openclaw CLI is required. Install OpenClaw and ensure `openclaw` is available in PATH. " +
        `Original error: ${String(error)}`,
      { cause: error },
    );
  }
}

function findExistingJobId(jobsPayload) {
  if (!jobsPayload || !Array.isArray(jobsPayload.jobs)) return null;
  const existing = jobsPayload.jobs.find((job) => job && job.name === JOB_NAME);
  return existing?.id ?? null;
}

function addJob() {
  const out = sh("openclaw", [
    "cron",
    "add",
    "--name",
    JOB_NAME,
    "--description",
    JOB_DESCRIPTION,
    "--every",
    JOB_EVERY,
    "--session",
    "main",
    "--system-event",
    SYSTEM_EVENT,
    "--wake",
    "now",
    "--json",
  ]);

  try {
    const payload = JSON.parse(out);
    return payload?.id ?? null;
  } catch {
    return null;
  }
}

function editJob(jobId) {
  sh("openclaw", [
    "cron",
    "edit",
    jobId,
    "--name",
    JOB_NAME,
    "--description",
    JOB_DESCRIPTION,
    "--enable",
    "--every",
    JOB_EVERY,
    "--session",
    "main",
    "--system-event",
    SYSTEM_EVENT,
    "--wake",
    "now",
  ]);
}

function main() {
  requireOpenClawCli();

  const jobsOut = sh("openclaw", ["cron", "list", "--json"]);
  const jobsPayload = JSON.parse(jobsOut);
  const existingJobId = findExistingJobId(jobsPayload);

  if (existingJobId) {
    editJob(existingJobId);
    process.stdout.write(`Updated cron job ${existingJobId}: ${JOB_NAME}\n`);
  } else {
    const createdId = addJob();
    if (createdId) {
      process.stdout.write(`Created cron job ${createdId}: ${JOB_NAME}\n`);
    } else {
      process.stdout.write(`Created cron job: ${JOB_NAME}\n`);
    }
  }

  process.stdout.write(`Schedule: every ${JOB_EVERY}\n`);
  process.stdout.write("Session target: main (system event + wake now)\n");
}

try {
  main();
} catch (error) {
  process.stderr.write(`${String(error)}\n`);
  process.exit(1);
}