mirror of
https://github.com/prompt-security/clawsec.git
synced 2026-06-13 05:28:02 +03:00
Aldo Delgado
7cdb4ab7e2
* docs: add agent collaboration and git safety rules to AGENTS.md
* fix(portability): harden cross-platform path handling and install workflows
- add shared path resolution utility for advisory guardian components
- expand and normalize home-path tokens: ~, $HOME, ${HOME}, %USERPROFILE%, $env:USERPROFILE
- reject unresolved/escaped home tokens to prevent literal "$HOME" directory creation
- fix install/runtime path handling in:
- openclaw-audit-watchdog setup_cron and suppression config loader
- clawsec-suite advisory hook handler, suppression loader, and guarded installer
- remove hardcoded Homebrew binary assumptions in watchdog scripts/tests
- add LF enforcement via .gitattributes to reduce CRLF script breakage
- expand CI Node checks to linux/macos/windows matrix
- add cross-platform test coverage for path expansion and token rejection
- update README and SKILL docs with bash/zsh/PowerShell-safe path guidance
- add compatibility deliverables:
- docs/COMPATIBILITY_REPORT.md
- docs/REMEDIATION_PLAN.md
- docs/PLATFORM_VERIFICATION.md
Validation:
- node skills/clawsec-suite/test/path_resolution.test.mjs
- node skills/clawsec-suite/test/guarded_install.test.mjs
- node skills/clawsec-suite/test/advisory_suppression.test.mjs
- node skills/openclaw-audit-watchdog/test/suppression_config.test.mjs
- node skills/openclaw-audit-watchdog/test/render_report_suppression.test.mjs
* fix(advisory): avoid fail-open on invalid path vars and cover watchdog tests
* docs: move signing runbooks into docs folder
* docs: remove root-level signing runbooks after move
* chore(clawsec-suite): bump version to 0.1.3
* chore(openclaw-audit-watchdog): bump version to 0.1.1
* docs(changelog): add entries for clawsec-suite 0.1.3 and watchdog 0.1.1
* docs(changelog): credit @aldodelgado for PR #62 contributions
* feat(clawsec-suite): scope advisories to openclaw application
* fix(ci): run advisory scope tests without TypeScript loader
---------
Co-authored-by: David Abutbul <David.a@prompt.security>
26 lines
1.0 KiB
Bash
Executable File
26 lines
1.0 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
# Run a Codex CLI code review for this skill.
|
|
# Safe by default: read-only sandbox.
|
|
|
|
ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
|
|
|
if [[ -n "${CODEX_BIN:-}" ]]; then
|
|
RESOLVED_CODEX_BIN="$CODEX_BIN"
|
|
elif command -v codex >/dev/null 2>&1; then
|
|
RESOLVED_CODEX_BIN="$(command -v codex)"
|
|
elif [[ -x "/opt/homebrew/bin/codex" ]]; then
|
|
RESOLVED_CODEX_BIN="/opt/homebrew/bin/codex"
|
|
else
|
|
echo "codex CLI not found. Install Codex CLI and ensure 'codex' is in PATH." >&2
|
|
exit 127
|
|
fi
|
|
|
|
# Use GPT-5.1 Codex Max (high reasoning). Note: some models (e.g. o3) may be blocked
|
|
# depending on the account type.
|
|
exec "$RESOLVED_CODEX_BIN" review -s read-only -m gpt-5.1-codex-max \
|
|
"Review this skill for security/reliability issues. Focus on: shell quoting, command injection, sendmail header injection, dependency checks, cron payload safety, and failure modes. Provide concrete patch suggestions (with diffs if possible)." \
|
|
-c "workdir=\"$ROOT_DIR\"" \
|
|
-c "reasoning_effort=\"xhigh\""
|