edgeone-clawscan 1.0.9 Changelog
- No file changes detected in this version.
- Behavior, features, and configuration remain unchanged from the previous release.
---
name: edgeone-clawscan
version: 1.0.0
author: Tencent Zhuque Lab
auth: aigsec
license: MIT
description: >
  Comprehensive OpenClaw security scanning powered by Tencent Zhuque Lab A.I.G
  (AI-Infra-Guard). Use when the user asks to start a security health check or
  security scan for the current OpenClaw environment, such as `开始安全体检`,
  `做一次安全体检`, `开始安全扫描`, `全面安全检查`, or `检查 OpenClaw 安全`;
  also use when the user asks to audit a specific skill before installation,
  review installed skills for supply chain risk, or investigate whether a skill
  is safe. Do not trigger for general OpenClaw usage, project debugging,
  environment setup, or normal development requests.
keywords: [security, audit, scan, clawhub, skills, safety, vulnerability, shield, clawscan]
triggers:
  - skill security
  - scan skill
  - audit skill
  - clawscan
  - tencent clawscan
  - check skill safety
  - analyze skill
  - inspect skill
  - security review
  - verify skill
  - security
  - claw audit
tags: [security, scan, threat-detection, clawscan, claw-audit, claw-shield]
external_requests:
  - url: https://matrix.tencent.com/clawscan/skill_security
    purpose: Supply chain lookup — sends only skill_name and source label
    data_sent: [skill_name, source]
    data_not_sent: [file_contents, credentials, personal_data]
    failure_mode: graceful_degradation_to_local_audit
  - url: https://matrix.tencent.com/clawscan/advisories
    purpose: CVE advisory lookup — sends only the fixed string "OpenClaw" and version number
    data_sent: [product_name_fixed_string, version_number]
    data_not_sent: [file_contents, credentials, personal_data]
    failure_mode: skip_and_report_unavailable
live_probe:
  command: openclaw security audit --deep
  description: >
    The --deep flag issues a best-effort live network probe to the configured
    Gateway endpoint. It does NOT read file contents, credentials, or personal
    data. Probe target is always the locally configured Gateway; no data is
    forwarded to any third-party service. Safe to run against non-production
    environments; review Gateway exposure before running against production.
metadata:
  openclaw:
    homepage: https://github.com/Tencent/AI-Infra-Guard/
    requires:
      bins: [openclaw]
---
# edgeone-clawscan
OpenClaw security scanning powered by AI-Infra-Guard (https://github.com/Tencent/AI-Infra-Guard).
## Configuration
Set `AIG_BASE_URL` to your AI-Infra-Guard instance (default: `https://matrix.tencent.com/clawscan`).
## Security Declaration
This section is an upfront disclosure of every network action and live probe this skill performs.
Auditors and end users should read this section before installation or execution against production data.
### Outbound HTTPS Requests (two calls only)
| Call | Endpoint | Data sent | Data NOT sent | Failure behavior |
|------|----------|-----------|---------------|------------------|
| Supply chain lookup (Step 2) | `GET /clawscan/skill_security` | Skill name + source label (e.g. `clawhub`) | File contents, credentials, personal data | Falls back to local audit; does not block scan |
| CVE advisory lookup (Step 3) | `GET /clawscan/advisories` | Fixed string `OpenClaw` + version number | File contents, credentials, personal data | Skips online matching; report notes unavailability |
No other outbound connections are made by this skill at any point.
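
An auditor can check the "two calls only" declaration against an egress or proxy log. The sketch below is an added example, not part of the skill or of AI-Infra-Guard; it assumes the default `AIG_BASE_URL`, and the log entries and their query strings are constructed.

```python
from urllib.parse import urlsplit

# The two calls declared in the table above (default AIG_BASE_URL host).
DECLARED = {
    ("GET", "matrix.tencent.com", "/clawscan/skill_security"),
    ("GET", "matrix.tencent.com", "/clawscan/advisories"),
}

def undeclared_egress(observed):
    """Return (method, url, reason) for every request outside the declaration."""
    findings = []
    for method, url in observed:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append((method, url, "not HTTPS"))
        elif parts.username or parts.password:
            # "declared-host@other-host" puts the real destination after the '@'.
            findings.append((method, url, "userinfo in URL"))
        elif parts.port not in (None, 443):
            findings.append((method, url, "non-default port"))
        elif (method.upper(), host, parts.path) not in DECLARED:
            # Exact host and path match: lookalike domains and extra paths fail.
            findings.append((method, url, "endpoint not declared"))
    return findings

# Constructed egress log entries (method, URL); not captured from a real scan.
OBSERVED = [
    ("GET", "https://matrix.tencent.com/clawscan/skill_security?skill_name=demo&source=clawhub"),
    ("GET", "https://matrix.tencent.com/clawscan/advisories"),
    ("POST", "https://matrix.tencent.com/clawscan/skill_security"),
    ("GET", "https://matrix.tencent.com.example.net/clawscan/advisories"),
    ("GET", "http://matrix.tencent.com/clawscan/advisories"),
    ("GET", "https://matrix.tencent.com@example.net/clawscan/skill_security"),
]

if __name__ == "__main__":
    for method, url, reason in undeclared_egress(OBSERVED):
        print(f"{reason}: {method} {url}")
```

If `AIG_BASE_URL` points at a self-hosted instance, the host in `DECLARED` has to be changed to match before the comparison means anything.
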
### Live Gateway Probe (`--deep` flag)
`openclaw security audit --deep` issues a best-effort live probe to the **locally configured Gateway** only.
- The probe does not read or transmit file contents, credentials, environment variables, or personal data.
- The probe target is always the Gateway configured in your local `openclaw.json`; no data is forwarded to any third-party service.
- If you are running this against a **production Gateway**, review your Gateway's exposure and access-control settings before proceeding.
- All other checks (Step 1 configuration audit and Step 4 privacy self-assessment) run **entirely locally**.
### Data Never Transmitted
File contents, credentials, environment variables, session transcripts, chat history, documents, photos, and personal data are **never** sent to any external service by this skill.
---
## Trigger Boundary
After this skill triggers, first classify the request and keep the workflow narrow:
- Run **Feature 1: OpenClaw Security Scan** when the user explicitly asks to start a security health check or security scan for the current OpenClaw environment, including phrasing such as `开始安全体检`, `做一次安全体检`, `开始安全扫描`, `做一次全面安全检查`, or `给 OpenClaw 做安全体检`.
- Run **Feature 2: Skill Security Scan** when the user asks whether a specific skill is safe, wants a pre-install security check, or needs to audit one or more installed skills.
Do not treat ordinary mentions of `openclaw`, `clawdbot`, dependency installation, project debugging, or normal development tasks as a reason to run this skill.
---
## Two Main Features
| Feature | Description | When to Use |
|---------|-------------|-------------|
| **OpenClaw Security Scan** | Full system security audit (4 steps) | User explicitly requests a full OpenClaw security scan |
| **Skill Security Scan** | Individual skill security detection | User asks about a specific skill, pre-install review, or installed skill audit |
---
# Feature 1: OpenClaw Security Scan
Perform a comprehensive security audit for the entire OpenClaw environment. Execute all 4 steps silently and generate one unified report at the end.
## Step 1: Built-in Security Audit
Run the OpenClaw built-in security audit command:
```bash
openclaw security audit --deep
```
This command flags common security footguns such as:
- Gateway auth and network exposure
- Tool blast radius and risky open-room access
- Browser control or remote execution exposure
- Filesystem permissions and security misconfiguration
When run with `--deep`, it also attempts a best-effort live Gateway probe.
Interpret all built-in audit findings in this step as **configuration risk hints** only.
Do not directly map any single built-in finding to `🔴 高危`; treat them as risk points that deserve attention and optimization, rather than evidence of an ongoing severe attack.
When writing **Step 1: 配置审计**, analyze only:
- findings emitted by `openclaw security audit --deep`
Do not mix in:
- Skill supply chain findings that belong in Step 2
- Local skill code audit results that belong in Step 2
- CVE or GHSA version advisories that belong in Step 3
- Privacy self-assessment conclusions that belong in Step 4
When summarizing Step 1 in the final report:
- Use plain language that focuses on "there is a risk" and "how to narrow it down", and avoid labels like "high risk" or "critical vulnerability" that may be misunderstood as confirmed severe incidents.
- Even when a configuration looks concerning, prefer wording such as "the current configuration has X risk, it is recommended to adjust Y" so that the emphasis stays on what is risky and how to become safer, instead of assigning scary severity labels.
## Step 2: Supply Chain Risk Detection
Scan all installed skills for supply chain risks.
### Resilience Rules
Cloud threat intelligence is best-effort only and must not block the scan.
- If the AIG API request times out, fails, returns non-200, returns empty content, or returns invalid JSON, treat the cloud result as unavailable rather than safe.
- When cloud lookup is unavailable, continue with local audit for that skill.
- A cloud lookup failure for one skill must not stop checks for other skills.
- Local and GitHub-sourced skills should still default to local audit unless there is a reliable managed-catalog result.
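
The first three rules amount to a lookup wrapper that can only answer "usable result" or "unavailable", never "safe" by default. The following is an added example, not the skill's own code; `fetch`, `HttpResult`, the skill names and the response bodies are constructed, and no response schema is assumed.

```python
import json
from typing import NamedTuple

class HttpResult(NamedTuple):
    status: int
    body: str

def cloud_lookup(fetch, skill_name, source):
    """Return (data, None) for a usable answer, else (None, reason)."""
    try:
        res = fetch(skill_name, source)   # only these two values leave the device
    except Exception as exc:              # timeout, DNS, TLS, connection reset
        return None, f"request failed ({type(exc).__name__})"
    if res.status != 200:
        return None, f"HTTP {res.status}"
    if not res.body.strip():
        return None, "empty content"
    try:
        data = json.loads(res.body)
    except ValueError:                    # includes json.JSONDecodeError
        return None, "invalid JSON"
    if not data:                          # null, {}, [] carry no verdict
        return None, "empty content"
    return data, None

def plan_audit(skills, fetch):
    """Decide per skill; a failed lookup for one never stops the others."""
    plan = {}
    for name, source in skills:
        data, reason = cloud_lookup(fetch, name, source)
        if data is None:
            plan[name] = ("local_audit", f"cloud unavailable: {reason}")
        else:
            plan[name] = ("use_cloud_result", None)
    return plan

# Constructed responses standing in for the AIG API.
CANNED = {
    "skill-ok": HttpResult(200, '{"constructed": "placeholder verdict"}'),
    "skill-500": HttpResult(500, "upstream error"),
    "skill-empty": HttpResult(200, "  "),
    "skill-html": HttpResult(200, "<html>captive portal</html>"),
    "skill-null": HttpResult(200, "null"),
}

def fake_fetch(name, source):
    if name == "skill-timeout":
        raise TimeoutError("constructed timeout")
    return CANNED[name]
```
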
### 2.1 Get Installed Skill List
```bash
openclaw skills list
```
### 2.2 Query AIG API for Each Skill
> **Data sent**: only `skill_name` (the skill's registered name) and `source` (its origin label such as `clawhub`).
> No file contents, credentials, or personal data leave the device.