security: add skill/plugin code safety scanner (#9806)

* security: add skill/plugin code safety scanner module * security: integrate skill scanner into security audit * security: add pre-install code safety scan for plugins * style: fix curly brace lint errors in skill-scanner.ts * docs: add changelog entry for skill code safety scanner * style: append ellipsis to truncated evidence strings * fix(security): harden plugin code safety scanning * fix: scan skills on install and report code-safety details * fix: dedupe audit-extra import * fix(security): make code safety scan failures observable * fix(test): stabilize smoke + gateway timeouts (#9806) (thanks @abdelsfane) --------- Co-authored-by: Darshil <ddhameliya@mail.sfsu.edu> Co-authored-by: Darshil <81693876+dvrshil@users.noreply.github.com> Co-authored-by: George Pickett <gpickett00@gmail.com>
2026-05-01 17:20:20 +00:00 · 2026-02-05 17:06:11 -07:00
parent 141f551a4c
commit bc88e58fcf
16 changed files with 1722 additions and 95 deletions
--- a/src/commands/onboard-skills.ts
+++ b/src/commands/onboard-skills.ts
@@ -155,22 +155,29 @@ export async function setupSkills(
        installId,
        config: next,
      });
+      const warnings = result.warnings ?? [];
      if (result.ok) {
-        spin.stop(`Installed ${name}`);
-      } else {
-        const code = result.code == null ? "" : ` (exit ${result.code})`;
-        const detail = summarizeInstallFailure(result.message);
-        spin.stop(`Install failed: ${name}${code}${detail ? ` — ${detail}` : ""}`);
-        if (result.stderr) {
-          runtime.log(result.stderr.trim());
-        } else if (result.stdout) {
-          runtime.log(result.stdout.trim());
+        spin.stop(warnings.length > 0 ? `Installed ${name} (with warnings)` : `Installed ${name}`);
+        for (const warning of warnings) {
+          runtime.log(warning);
        }
-        runtime.log(
-          `Tip: run \`${formatCliCommand("openclaw doctor")}\` to review skills + requirements.`,
-        );
-        runtime.log("Docs: https://docs.openclaw.ai/skills");
+        continue;
      }
+      const code = result.code == null ? "" : ` (exit ${result.code})`;
+      const detail = summarizeInstallFailure(result.message);
+      spin.stop(`Install failed: ${name}${code}${detail ? ` — ${detail}` : ""}`);
+      for (const warning of warnings) {
+        runtime.log(warning);
+      }
+      if (result.stderr) {
+        runtime.log(result.stderr.trim());
+      } else if (result.stdout) {
+        runtime.log(result.stdout.trim());
+      }
+      runtime.log(
+        `Tip: run \`${formatCliCommand("openclaw doctor")}\` to review skills + requirements.`,
+      );
+      runtime.log("Docs: https://docs.openclaw.ai/skills");
    }
  }