- Provide multi-layer vulnerability scanning for OpenClaw-oriented skill repositories.
- Orchestrate dependency, SAST, and DAST engines into a single report contract.
- Execute real OpenClaw hook handlers in an isolated DAST harness to validate runtime security behavior.
- Support periodic scan execution through an OpenClaw hook integration.
- Normalize findings into severity buckets for downstream triage and automation.
- skills/clawsec-scanner/skill.json: skill metadata, SBOM paths, trigger phrases.
- skills/clawsec-scanner/scripts/runner.sh: main orchestrator for dependency/SAST/DAST scans.
- skills/clawsec-scanner/scripts/scan_dependencies.mjs: npm audit + pip-audit parsing.
- skills/clawsec-scanner/scripts/sast_analyzer.mjs: Semgrep and Bandit execution/parsing.
- skills/clawsec-scanner/scripts/dast_runner.mjs: hook discovery + real harness DAST evaluation.
- skills/clawsec-scanner/scripts/dast_hook_executor.mjs: isolated per-hook runtime executor.
- skills/clawsec-scanner/hooks/clawsec-scanner-hook/handler.ts: periodic OpenClaw event hook.
- skills/clawsec-scanner/lib/report.mjs: unified report generation and text/JSON formatting.
| Interface | Consumer | Behavior |
|---|---|---|
| runner.sh CLI | Operators/automation | Runs all enabled scan engines and emits merged report output. |
| dast_runner.mjs CLI | Operators/CI/hooks | Discovers hooks and runs isolated runtime DAST checks. |
| OpenClaw scanner hook default export | OpenClaw runtime | Handles agent:bootstrap and command:new scanner trigger events. |
| ScanReport JSON output | Humans and automation | Provides normalized severity summary + finding list. |
Inputs/outputs are summarized in the table below.
| Type | Name | Location | Description |
|---|---|---|---|
| Input | Scan target path | --target CLI arg | Root directory where skills/hooks are scanned. |
| Input | Dependency manifests | package-lock.json, requirements.txt, pyproject.toml | Drives dependency vulnerability checks. |
| Input | Hook metadata and handlers | **/HOOK.md, handler.{js,mjs,cjs,ts} | DAST harness discovers and executes these handlers. |
| Input | Env configuration | CLAWSEC_*, GITHUB_TOKEN | Controls engine behavior, severity filtering, and output paths. |
| Output | Unified scan report | stdout or --output file | JSON/text report with severity summary and finding details. |
| Output | Runtime hook alerts | OpenClaw event.messages | New vulnerability alerts pushed into conversations. |
| Output | Scanner state file | ~/.openclaw/clawsec-scanner-state.json by default | De-duplication memory for reported finding IDs. |
| Variable | Default | Module Effect |
|---|---|---|
| CLAWSEC_SCANNER_INTERVAL | 86400 | Minimum interval between periodic hook-triggered scans. |
| CLAWSEC_SCANNER_MIN_SEVERITY | medium | Threshold for findings pushed to conversation alerts. |
| CLAWSEC_SCANNER_FORMAT | text | Hook alert serialization format (text or json). |
| CLAWSEC_SKIP_DEPENDENCY_SCAN | 0 | Disables dependency scanner when set to 1. |
| CLAWSEC_SKIP_SAST | 0 | Disables Semgrep/Bandit scanner when set to 1. |
| CLAWSEC_SKIP_DAST | 0 | Disables runtime hook DAST checks when set to 1. |
| CLAWSEC_SKIP_CVE_LOOKUP | 0 | Disables CVE enrichment stage when set to 1. |
| CLAWSEC_DAST_HARNESS | unset | Internal guard to avoid recursive scans during harness execution. |
| CLAWSEC_DAST_DISABLE_TYPESCRIPT | unset | Test/debug switch forcing TypeScript harness coverage fallback mode. |
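The tables above describe three contracts that fit together: findings are normalized into severity buckets, CLAWSEC_SCANNER_MIN_SEVERITY decides which of them become conversation alerts, and the scanner state file remembers already-reported finding IDs. The following is an added example of that pipeline, not the project's lib/report.mjs or handler.ts. The engine level names are the ones npm audit, Bandit and Semgrep emit; the unified severity ladder, the finding-ID scheme and the state shape ({ reported: [...] }) are assumptions, and the raw findings are constructed placeholders.

```javascript
// Added example: severity normalisation, min-severity threshold and
// de-duplication memory. Not the project's code; ladder, ID scheme and
// state layout are assumptions.

const SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"];

// Engine-specific level -> unified bucket. Unknown levels land in "info" so
// they still appear in the report instead of being silently dropped.
const ENGINE_LEVELS = {
  "npm-audit": { info: "info", low: "low", moderate: "medium", high: "high", critical: "critical" },
  bandit: { LOW: "low", MEDIUM: "medium", HIGH: "high" },
  semgrep: { INFO: "info", WARNING: "medium", ERROR: "high" },
};

function normalizeSeverity(engine, level) {
  return (ENGINE_LEVELS[engine] || {})[level] || "info";
}

function severityRank(bucket) {
  return SEVERITY_ORDER.indexOf(bucket);
}

// Convert raw engine output into one finding shape. The ID is built from
// stable fields so the same issue gets the same ID on every scan run, which
// is what makes the de-duplication memory work.
function normalizeFindings(raw) {
  return raw.map((r) => ({
    id: `${r.engine}:${r.location}:${r.ruleId}`,
    engine: r.engine,
    severity: normalizeSeverity(r.engine, r.level),
    title: r.title,
    location: r.location,
  }));
}

// Count findings per bucket (the report's severity summary).
function summarize(findings) {
  const summary = Object.fromEntries(SEVERITY_ORDER.map((s) => [s, 0]));
  for (const f of findings) summary[f.severity] += 1;
  return summary;
}

// Threshold as the hook would read it from CLAWSEC_SCANNER_MIN_SEVERITY.
function thresholdFromEnv(env) {
  const value = (env.CLAWSEC_SCANNER_MIN_SEVERITY || "medium").toLowerCase();
  if (severityRank(value) < 0) throw new Error(`unknown severity threshold: ${value}`);
  return value;
}

// Pick findings at or above the threshold that were not reported before and
// return the updated state to be written back to the state file.
function selectAlerts(findings, minSeverity, state) {
  const threshold = severityRank(minSeverity);
  const reported = new Set(state.reported || []);
  const alerts = findings.filter(
    (f) => severityRank(f.severity) >= threshold && !reported.has(f.id)
  );
  for (const f of alerts) reported.add(f.id);
  return { alerts, nextState: { ...state, reported: [...reported] } };
}

// Constructed raw engine output (placeholders, not real scan results).
const RAW_FINDINGS = [
  { engine: "npm-audit", level: "moderate", ruleId: "advisory-0001", location: "package-lock.json#example-pkg", title: "constructed dependency advisory" },
  { engine: "bandit", level: "HIGH", ruleId: "B602", location: "scripts/helper.py:12", title: "subprocess call with shell=True" },
  { engine: "semgrep", level: "INFO", ruleId: "example.style-rule", location: "lib/util.mjs:3", title: "constructed style note" },
  { engine: "bandit", level: "WHATEVER", ruleId: "B999", location: "scripts/other.py:1", title: "unrecognised level" },
];

// Two consecutive runs over the same findings: the second one alerts nothing.
function runSeverityDemo(env = {}) {
  const findings = normalizeFindings(RAW_FINDINGS);
  const threshold = thresholdFromEnv(env);
  const first = selectAlerts(findings, threshold, { reported: [] });
  const second = selectAlerts(findings, threshold, first.nextState);
  return { summary: summarize(findings), firstRun: first.alerts.length, secondRun: second.alerts.length };
}

console.log(runSeverityDemo(process.env));
```

With the default threshold the first run pushes the medium and high findings and the second run, fed the returned state, pushes none; an operator who sets CLAWSEC_SCANNER_MIN_SEVERITY=high sees only the Bandit finding. Mapping unknown engine levels to info rather than dropping them keeps a parser drift in one engine visible in the report instead of silently shrinking it.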
- Hook discovery walks the target tree for HOOK.md and resolves adjacent handler files.
- Each declared event key is executed in a separate Node subprocess via dast_hook_executor.mjs.
- Findings are generated from real runtime behavior:
  - Baseline execution crash or timeout.
  - Malicious-input crash or timeout.
  - Output amplification beyond message/character thresholds.
  - Core event identity mutation (type, action, sessionKey).
- Harness capability gaps (for example missing TypeScript compiler for .ts handlers) are reported as info coverage findings, not high-severity vulnerabilities.
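The finding classes listed above all come from observing a handler rather than reading it. The block below is an added illustration of how such observations turn into findings; it is not the project's dast_runner.mjs or dast_hook_executor.mjs. The real harness runs each hook in a separate Node subprocess (which can also kill a handler stuck in a synchronous busy loop, something an in-process timer cannot do); this version keeps everything in one process to show the classification logic. The handler shape (a function receiving an event with type, action, sessionKey and messages), the rule names and the thresholds are assumptions, and the sample handlers are constructed.

```javascript
// Added illustration of the runtime checks above. Not the project's harness;
// handler shape, rule names and thresholds are assumptions.

const IDENTITY_KEYS = ["type", "action", "sessionKey"];

// Invoke a handler once and record outcome, identity snapshot and output growth.
async function observe(handler, event, timeoutMs) {
  const snapshot = Object.fromEntries(IDENTITY_KEYS.map((k) => [k, event[k]]));
  const before = event.messages.length;
  let timer;
  const deadline = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error("timeout")), timeoutMs);
  });
  try {
    // Promise.resolve().then(...) turns a synchronous throw into a rejection too.
    await Promise.race([Promise.resolve().then(() => handler(event)), deadline]);
    return { outcome: "ok", snapshot, event, before };
  } catch (err) {
    const outcome = err.message === "timeout" ? "timeout" : "crash";
    return { outcome, snapshot, event, before, error: err.message };
  } finally {
    clearTimeout(timer);
  }
}

// Map a baseline and a malicious-input observation onto the finding classes.
// Each rule is reported at most once per hook/event pair.
function classifyRun(hookName, eventKey, baseline, malicious, limits) {
  const findings = [];
  const seen = new Set();
  const add = (rule, severity, detail) => {
    if (seen.has(rule)) return;
    seen.add(rule);
    findings.push({ id: `${rule}:${hookName}:${eventKey}`, rule, severity, detail });
  };

  if (baseline.outcome !== "ok") add(`dast.baseline-${baseline.outcome}`, "high", baseline.error);
  if (malicious.outcome !== "ok") add(`dast.malicious-${malicious.outcome}`, "high", malicious.error);

  for (const obs of [baseline, malicious]) {
    const added = obs.event.messages.length - obs.before;
    const chars = obs.event.messages.reduce((n, m) => n + String(m).length, 0);
    if (added > limits.maxMessages || chars > limits.maxChars) {
      add("dast.output-amplification", "medium", `${added} new messages, ${chars} chars`);
    }
    const mutated = IDENTITY_KEYS.filter((k) => obs.event[k] !== obs.snapshot[k]);
    if (mutated.length > 0) {
      add("dast.identity-mutation", "high", `rewrote: ${mutated.join(", ")}`);
    }
  }
  return findings;
}

// Run both phases for one hook/event pair. The "malicious" input is a
// constructed malformed message (NUL padding plus unbalanced JSON-like text)
// that exercises the handler's parsing and output paths.
async function evaluateHook(hookName, eventKey, handler, opts = {}) {
  const { timeoutMs = 1000, maxMessages = 20, maxChars = 20000 } = opts;
  const [type, action] = eventKey.split(":");
  const makeEvent = (content) => ({ type, action, sessionKey: "sess-demo", messages: [content] });
  const baseline = await observe(handler, makeEvent("hello"), timeoutMs);
  const malicious = await observe(handler, makeEvent("\u0000".repeat(4096) + '}{"'), timeoutMs);
  return classifyRun(hookName, eventKey, baseline, malicious, { maxMessages, maxChars });
}

// Constructed sample handlers (not real OpenClaw hooks).
const wellBehavedHook = async (event) => {
  event.messages.push(`scanner: saw ${event.messages.length} message(s)`);
};
const identityMutatingHook = (event) => {
  event.sessionKey = "other-session"; // rewrites core event identity
};
const floodingHook = (event) => {
  for (let i = 0; i < 100; i++) event.messages.push("x".repeat(500));
};
const hangingHook = () => new Promise(() => {}); // never settles

async function runHarnessDemo() {
  const cases = { wellBehavedHook, identityMutatingHook, floodingHook, hangingHook };
  const results = {};
  for (const [name, handler] of Object.entries(cases)) {
    const findings = await evaluateHook(name, "command:new", handler, { timeoutMs: 200 });
    results[name] = findings.map((f) => `${f.severity}:${f.rule}`);
    console.log(name, results[name]);
  }
  return results;
}

runHarnessDemo().catch((err) => { console.error(err); process.exitCode = 1; });
```

Keeping observe and classifyRun separate is what lets the crash and timeout paths be unit-tested without real handlers: the classifier only sees outcome records, so a subprocess-based executor can feed it the same shape. Snapshotting the identity keys before the call, rather than comparing against the original event object, matters because a handler that replaces fields on the same object would otherwise be invisible.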
```bash
# run scanner end-to-end
bash skills/clawsec-scanner/scripts/runner.sh --target ./skills --format json

# run DAST harness directly
node skills/clawsec-scanner/scripts/dast_runner.mjs --target ./skills --format text --timeout 30000
```
| Test File | Focus |
|---|---|
| skills/clawsec-scanner/test/dast_harness.test.mjs | Real hook execution path, malicious crash detection, TypeScript coverage fallback semantics. |
| skills/clawsec-scanner/test/reviewer_regressions.test.mjs | Runner behavior around non-zero DAST exit and merged reporting. |
| skills/clawsec-scanner/test/dependency_scanner.test.mjs | Dependency scanner utility/report contracts. |
| skills/clawsec-scanner/test/sast_engine.test.mjs | SAST parser/normalization behavior. |
| skills/clawsec-scanner/test/cve_integration.test.mjs | OSV/NVD/GitHub enrichment integration checks. |
- 2026-03-10: Added module page for clawsec-scanner and documented the 0.0.2 real OpenClaw DAST harness execution model.
- skills/clawsec-scanner/skill.json
- skills/clawsec-scanner/SKILL.md
- skills/clawsec-scanner/CHANGELOG.md
- skills/clawsec-scanner/scripts/runner.sh
- skills/clawsec-scanner/scripts/scan_dependencies.mjs
- skills/clawsec-scanner/scripts/sast_analyzer.mjs
- skills/clawsec-scanner/scripts/dast_runner.mjs
- skills/clawsec-scanner/scripts/dast_hook_executor.mjs
- skills/clawsec-scanner/scripts/setup_scanner_hook.mjs
- skills/clawsec-scanner/hooks/clawsec-scanner-hook/HOOK.md
- skills/clawsec-scanner/hooks/clawsec-scanner-hook/handler.ts
- skills/clawsec-scanner/lib/report.mjs
- skills/clawsec-scanner/lib/utils.mjs
- skills/clawsec-scanner/test/dast_harness.test.mjs
- skills/clawsec-scanner/test/reviewer_regressions.test.mjs