🚀 Socket Launch Week Day 5:Introducing Repository Access Permissions and Custom Roles.Learn more →
@kilocode/openclaw-security-advisor
Advanced tools
@kilocode/openclaw-security-advisor - npm Package Compare versions
+5
-0
@@ -19,2 +19,7 @@ # Changelog | ||
| - README `Usage` section now documents slash-command channel compatibility: `/security-checkup` works in the OpenClaw native control UI chat and in Telegram but not in Kilo Chat or Slack. Kilo Chat and Slack users should invoke the plugin via natural language so the agent calls the `kilocode_security_advisor` tool directly. | ||
| - `kilocode_security_advisor` tool description now hints the agent to invoke the tool directly (rather than suggesting the slash command) in channels that don't route OpenClaw slash commands, namely Kilo Chat and Slack. | ||
| - Security checkup reports now occasionally append an inline "stay current" footer with the `npm view @kilocode/openclaw-security-advisor version` check and the `openclaw plugins install … && openclaw gateway restart` upgrade commands. The footer fires on roughly 20% of successful reports and is path-agnostic — applied at the markdown layer in `doCheckup`, so it surfaces on both the `/security-checkup` slash command path (which bypasses the LLM) and the natural-language `kilocode_security_advisor` tool path. | ||
| - README has a new `Staying up to date` section documenting the version-check and upgrade commands, plus a note that the report itself will periodically include this tip on either invocation path. | ||
| - RELEASING.md: added a prominent top-of-document banner describing the current state — `github-actions[bot]` is not on the `main` ruleset's bypass list, so every stable publish will fail at the post-publish push step. The banner documents the typical outcome (tag lands on origin, commit on `main` is rejected, GitHub release is not created) and gives the one-command recovery: `gh release create vX.Y.Z --verify-tag --generate-notes`. `--verify-tag` makes `gh` fail fast if the tag is missing rather than silently minting one at current `main` HEAD. The rare case where the tag is also missing points at Scenario 4 for the full reconstruct-and-push flow. Expanded the `Branch protection` section with the two durable fix options (add bot to bypass list vs refactor stable path to tag-only). | ||
| - README install section leads with the plain install command (no `@dev` suffix) now that a stable release is shipping. The dev channel is documented as a prerelease option under `Channels`. | ||
@@ -21,0 +26,0 @@ - README `Contributing` links to `AGENTS.md`, `RELEASING.md`, and `CHANGELOG.md` are now absolute GitHub URLs, so they resolve correctly on the npm package page (those docs were never shipped in the tarball). |
+29
-1
@@ -21,2 +21,25 @@ import { definePluginEntry } from "openclaw/plugin-sdk/plugin-entry"; | ||
| // Roughly 1-in-5 successful checkups append an update-check footer. This is | ||
| // intentionally path-agnostic — applied at the markdown layer in doCheckup — | ||
| // so both the LLM-driven `kilocode_security_advisor` tool and the | ||
| // LLM-bypassing `/security-checkup` slash command surface the reminder at the | ||
| // same cadence. Random rather than stateful because the plugin has no | ||
| // cross-invocation counter to key off. | ||
| const UPDATE_REMINDER_PROBABILITY = 0.2; | ||
| function maybeAppendUpdateReminder(reportMarkdown: string): string { | ||
| if (Math.random() >= UPDATE_REMINDER_PROBABILITY) { | ||
| return reportMarkdown; | ||
| } | ||
| return ( | ||
| reportMarkdown + | ||
| "\n\n---\n\n" + | ||
| "**Tip — stay current:** check the latest plugin version with " + | ||
| "`npm view @kilocode/openclaw-security-advisor version` and compare " + | ||
| "against the `pluginVersion` shown above. If you're behind, upgrade " + | ||
| "with `openclaw plugins install @kilocode/openclaw-security-advisor` " + | ||
| "followed by `openclaw gateway restart`." | ||
| ); | ||
| } | ||
| type ToolResult = { | ||
@@ -294,3 +317,3 @@ content: Array<{ type: "text"; text: string }>; | ||
| }); | ||
| return response.report.markdown; | ||
| return maybeAppendUpdateReminder(response.report.markdown); | ||
| } | ||
@@ -351,2 +374,7 @@ | ||
| "tool is the canonical entry point and returns a much more useful report. " + | ||
| "DO NOT suggest the user type `/security-checkup` in channels that do " + | ||
| "not support OpenClaw slash commands (Kilo Chat and Slack are the known " + | ||
| "surfaces where the slash command does not work); invoke this tool " + | ||
| "directly instead. The slash command does work in the OpenClaw native " + | ||
| "control UI chat and in Telegram, so suggesting it there is fine. " + | ||
| "IMPORTANT: Display the returned report exactly as is without rewriting, " + | ||
@@ -353,0 +381,0 @@ "summarizing, or reformatting.", |
+1
-1
| { | ||
| "name": "@kilocode/openclaw-security-advisor", | ||
| "version": "0.1.1", | ||
| "version": "0.1.2", | ||
| "type": "module", | ||
@@ -5,0 +5,0 @@ "license": "MIT", |
+34
-2
@@ -49,2 +49,26 @@ # @kilocode/openclaw-security-advisor | ||
| ### Staying up to date | ||
| New versions ship regularly. To check the latest published stable: | ||
| ```bash | ||
| npm view @kilocode/openclaw-security-advisor version | ||
| ``` | ||
| Compare that against the `pluginVersion` line at the end of any security | ||
| checkup report. To upgrade: | ||
| ```bash | ||
| openclaw plugins install @kilocode/openclaw-security-advisor | ||
| openclaw gateway restart | ||
| ``` | ||
| Your security checkup report will occasionally include an inline | ||
| "stay current" tip at the bottom with these same commands — a gentle | ||
| periodic nudge, not every run. The reminder is appended to the report | ||
| markdown itself, so it appears on both invocation paths (the | ||
| `/security-checkup` slash command and the natural-language | ||
| `kilocode_security_advisor` tool). Security advice improves as the | ||
| plugin ships new audit signals, so staying current is worthwhile. | ||
| --- | ||
@@ -69,2 +93,9 @@ | ||
| > **Channel compatibility:** `/security-checkup` works in the OpenClaw | ||
| > native control UI chat and in Telegram. It does **not** currently work | ||
| > in Kilo Chat or Slack — those surfaces don't route slash commands to | ||
| > OpenClaw plugins. In Kilo Chat and Slack, use the natural-language | ||
| > invocation below instead; the agent will call the | ||
| > `kilocode_security_advisor` tool directly. | ||
| ### Natural language | ||
@@ -89,4 +120,5 @@ | ||
| you're running a small or summarizing model, use the | ||
| `/security-checkup` slash command instead.** It renders the full | ||
| report regardless of which model is configured. | ||
| `/security-checkup` slash command instead** (where supported — see | ||
| channel compatibility above). It renders the full report regardless of | ||
| which model is configured. | ||
@@ -93,0 +125,0 @@ --- |
New alerts
URL strings
Supply chain riskPackage contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.
Found 1 instance in 1 package
Fixed alerts
AI-detected potential code anomaly
Supply chain riskAI has identified unusual behaviors that may pose a security risk.
Found 1 instance in 1 package
URL strings
Supply chain riskPackage contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
60528
8.54%- Lines of code
1111
2.4%- Number of lines in readme file
251
14.61%- Number of low supply chain risk alerts
7
-12.5%No dependency changes