Add skills hardening: dependency graph, capability monitor, context analysis, auto-fix#54
- Skill dependency graph (SKILL-010/011/012): parses SKILL.md frontmatter, builds adjacency-list dependency graph, detects circular deps, phantom deps, and unpinned versions
- Runtime capability monitor (SKILL-013/014): tracks file access, network calls, tool invocations, and credential usage against declared capabilities, emits violations through ARP event engine
- 42 tests covering parsing, graph construction, cycle detection, phantom deps, version pinning, capability violation tracking, and monitor lifecycle
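As an added illustration of the checks this commit describes (not code from the PR or the project), the following builds an adjacency-list graph from SKILL.md frontmatter and reports unpinned, phantom and circular dependencies. It assumes a frontmatter shape of `name:` plus a `dependencies:` list of `name@version` items, and the sample skills are constructed for the example.

```typescript
// Added illustration (not code from the PR): a minimal version of the
// SKILL.md dependency checks this commit describes. Assumed frontmatter
// shape: "name: <skill>" plus a "dependencies:" list of "- name@version".
// Constructed sample skills: one unpinned dep, one phantom dep, one cycle.
export const SAMPLE_SKILLS: string[] = [
  "---\nname: web-search\ndependencies:\n  - http-client@1.2.0\n  - summarizer\n---\n# Web search",
  "---\nname: http-client\ndependencies:\n  - web-search@0.9.1\n---\n# HTTP client",
  "---\nname: summarizer\ndependencies:\n  - llm-bridge@2.0.0\n---\n# Summarizer",
];
// Extract name and dependency list from the YAML-ish frontmatter block.
export function parseSkill(md: string): { name: string; deps: string[] } {
  const m = md.match(/^---\n([\s\S]*?)\n---/);
  if (!m) throw new Error("SKILL.md has no frontmatter block");
  const skill = { name: "", deps: [] as string[] };
  let inDeps = false;
  for (const line of m[1].split("\n")) {
    if (/^name:/.test(line)) skill.name = line.slice(5).trim();
    else if (/^dependencies:\s*$/.test(line)) inDeps = true;
    else if (inDeps && /^\s+-\s+\S/.test(line)) skill.deps.push(line.replace(/^\s+-\s+/, "").trim());
    else if (!/^\s/.test(line)) inDeps = false; // another top-level key ends the list
  }
  return skill;
}
// Build an adjacency list and report unpinned, phantom and circular deps.
export function analyzeSkills(docs: string[]): string[] {
  const skills = docs.map(parseSkill);
  const graph = new Map<string, string[]>();
  for (const s of skills) graph.set(s.name, s.deps.map((d) => d.split("@")[0]));
  const findings: string[] = [];
  for (const s of skills) for (const d of s.deps) {
    const [dep, ver] = d.split("@");
    if (!ver) findings.push(`UNPINNED ${s.name} -> ${dep}`); // no version pin
    if (!graph.has(dep)) findings.push(`PHANTOM ${s.name} -> ${dep}`); // not a known skill
  }
  // DFS: undefined = unvisited, 1 = on the current path, 2 = finished.
  const state = new Map<string, number>();
  const visit = (node: string, path: string[]): void => {
    const st = state.get(node);
    if (st === 1) findings.push(`CYCLE ${[...path.slice(path.indexOf(node)), node].join(" -> ")}`);
    if (st !== undefined) return;
    state.set(node, 1);
    for (const next of graph.get(node) ?? []) visit(next, [...path, node]);
    state.set(node, 2);
  };
  for (const name of graph.keys()) visit(name, []);
  return findings;
}
```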
…LL-015/016/017

SKILL-010/011/012 were already used by the hardening scanner for Env File Exfiltration, Browser Data Access, and Crypto Wallet Access. The new dependency graph module reused those IDs for circular deps, phantom deps, and unpinned versions. Renumbered to SKILL-015/016/017 to avoid ambiguity.
- Restore scan-count-based contribution prompt (ask after 3 scans, TTY only)
- Update success message: "Contributed anonymized scan summary to OpenA2A Registry (--no-contribute to opt out)"
- Fix AttackCategory type and all Record references to include 4 new categories (memory-weaponization, context-window, supply-chain, tool-shadow)
…auto-fix, signature freshness

- Context-aware pattern analysis (skill-context.ts): classifies skill sections (frontmatter/prose/codeblock/command) to reduce false positives for SKILL-010, SKILL-011, SKILL-012. Prose mentions of "chrome" or ".env" no longer trigger false alarms.
- Declared-vs-actual capability validation (skill-capability-validator.ts): SKILL-018 detects undeclared capabilities by comparing frontmatter declarations against inferred usage in the skill body.
- Auto-fix for SKILL-001 (unsigned skills): appends SHA-256 signature block. Auto-fix for SKILL-004 (filesystem wildcard): restricts to sandbox scope.
- SKILL-019 (stale signature): detects hash mismatch when content changes after signing, auto-fixes by re-computing hash.
- HEARTBEAT-007 (expired heartbeat): detects expired expires_at in signature block, auto-fixes with 7-day renewal.
- Updated taxonomy mappings and exports for all new check IDs.
- 33 new tests (skill-context: 17, skill-capability-validator: 16).
- Updated 3 existing scanner tests to use code blocks instead of prose for context-sensitive checks.
Claude Code Review
VERDICT: APPROVE
SUMMARY: This PR adds substantial hardening features for OpenClaw skills including capability validation, context-aware false positive reduction, and auto-fix for common issues. The implementation follows secure coding practices with proper input validation, no shell injection vectors (spawn/exec are not used with user-controlled input), and appropriate boundary checks. All new functionality is well-tested with 75+ new tests. No CRITICAL or HIGH severity security issues were identified after verification of mitigations.
FINDINGS:

- [MEDIUM] src/hardening/scanner.ts:4404 — Regex injection potential in `filesystemWildcardPattern`. Mitigation check: The pattern `/filesystem:\s*\*|filesystem:\s*~\/|filesystem:\s*\//gi` contains no nested quantifiers and is linear-time, but it operates on untrusted file content line-by-line. However, lines are pre-split from file content, limiting input length per iteration. The pattern itself is fixed (not constructed from user input), so this is not exploitable for ReDoS.
- [MEDIUM] src/hardening/skill-capability-validator.ts:89-146 — Multiple regex patterns compiled within loops over untrusted content. Mitigation check: All patterns in `sensitivePathPatterns`, `networkOutboundPatterns`, `shellPatterns`, `networkInboundPatterns`, and `filesystemWildcardPatterns` are fixed (not user-supplied) and linear-time. The `lastIndex` reset on line 132 prevents cross-iteration state pollution. Patterns like `/~\/\.ssh/g` and `/\bfetch\s*\(/g` have no nested quantifiers, making ReDoS impossible.
NOTE: All three test files (tests/hardening/*) and the index.ts export file contain only test code or type exports—no executable security boundaries to review.
Reviewed 9 files changed (41697 bytes)