From 40f3d22d603d14bac64a6f5137d6de37ee79ce23 Mon Sep 17 00:00:00 2001
From: 0xJeff <jeff@gopluslabs.io>
Date: Wed, 15 Apr 2026 14:02:06 +0800
Subject: [PATCH 1/3] fix: add Action Items section to checkup terminal summary
 with concrete fix commands (#25)

After checkup, the terminal summary only showed a generic top recommendation
with no actionable guidance. Users seeing HIGH/CRITICAL findings (especially
"no security hooks installed") had no idea what to do next.

Add an Action Items section to Step 5 that lists each HIGH/CRITICAL finding
with an exact fix command, including the JSON snippet to add guard-hook.js
to settings.json for Claude Code / OpenClaw / QClaw.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 skills/agentguard/SKILL.md | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/skills/agentguard/SKILL.md b/skills/agentguard/SKILL.md
index 902ffc4..0c464b1 100644
--- a/skills/agentguard/SKILL.md
+++ b/skills/agentguard/SKILL.md
@@ -804,6 +804,30 @@ The script outputs the HTML file path to stdout (e.g. `/tmp/agentguard-checkup-1
 **Full visual report**: <path> (opened in browser)
 
 💡 Top recommendation: <first recommendation text>
+
+### Action Items
+(Only include this section if there are HIGH or CRITICAL findings. List each one with a concrete fix command.)
+
+For each HIGH or CRITICAL finding, output a numbered action item in this format:
+```
+🔴 [CRITICAL] / 🟠 [HIGH] <finding description>
+   → <exact command or step to fix it>
+```
+
+Common fix commands to use when applicable:
+- No security hooks installed → show the exact JSON snippet to add to `~/.claude/settings.json` (for Claude Code) or `~/.openclaw/openclaw.json` / `~/.qclaw/openclaw.json` (for OpenClaw/QClaw):
+  ```json
+  // Add to the "hooks" > "PreToolUse" array in settings.json:
+  {
+    "matcher": "Bash|Write|Edit|WebFetch|WebSearch",
+    "hooks": [{ "type": "command", "command": "node \"<skill_dir>/scripts/guard-hook.js\"", "timeout": 10 }]
+  }
+  ```
+  where `<skill_dir>` is the absolute path to the installed agentguard skill directory.
+- Skill not attested in trust registry → show the exact `node scripts/trust-cli.ts attest ...` command with the correct `--source` path
+- `~/.ssh/` permissions too open → `chmod 700 ~/.ssh/`
+- `~/.gnupg/` permissions too open → `chmod 700 ~/.gnupg/`
+- Plaintext credential found → specify the exact file and line where it was found
 ```
 
 ### Step 6: Deliver the Report to the User

From f8f8f3d767b3f3a52e394929bf311feffea621f4 Mon Sep 17 00:00:00 2001
From: 0xJeff <jeff@gopluslabs.io>
Date: Wed, 15 Apr 2026 14:21:20 +0800
Subject: [PATCH 2/3] fix: replace technical Action Items with plain-language
 Next Steps in checkup summary (#25)

The previous Action Items section showed JSON snippets and CLI commands
which are too technical for most users and not actionable without terminal
access. Replace with a plain-language Next Steps section that describes
each HIGH/CRITICAL issue in one sentence and asks the user to confirm
which ones they want help with.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 skills/agentguard/SKILL.md | 42 +++++++++++++++++---------------------
 1 file changed, 19 insertions(+), 23 deletions(-)

diff --git a/skills/agentguard/SKILL.md b/skills/agentguard/SKILL.md
index 0c464b1..c779889 100644
--- a/skills/agentguard/SKILL.md
+++ b/skills/agentguard/SKILL.md
@@ -805,30 +805,26 @@ The script outputs the HTML file path to stdout (e.g. `/tmp/agentguard-checkup-1
 
 💡 Top recommendation: <first recommendation text>
 
-### Action Items
-(Only include this section if there are HIGH or CRITICAL findings. List each one with a concrete fix command.)
-
-For each HIGH or CRITICAL finding, output a numbered action item in this format:
-```
-🔴 [CRITICAL] / 🟠 [HIGH] <finding description>
-   → <exact command or step to fix it>
-```
-
-Common fix commands to use when applicable:
-- No security hooks installed → show the exact JSON snippet to add to `~/.claude/settings.json` (for Claude Code) or `~/.openclaw/openclaw.json` / `~/.qclaw/openclaw.json` (for OpenClaw/QClaw):
-  ```json
-  // Add to the "hooks" > "PreToolUse" array in settings.json:
-  {
-    "matcher": "Bash|Write|Edit|WebFetch|WebSearch",
-    "hooks": [{ "type": "command", "command": "node \"<skill_dir>/scripts/guard-hook.js\"", "timeout": 10 }]
-  }
-  ```
-  where `<skill_dir>` is the absolute path to the installed agentguard skill directory.
-- Skill not attested in trust registry → show the exact `node scripts/trust-cli.ts attest ...` command with the correct `--source` path
-- `~/.ssh/` permissions too open → `chmod 700 ~/.ssh/`
-- `~/.gnupg/` permissions too open → `chmod 700 ~/.gnupg/`
-- Plaintext credential found → specify the exact file and line where it was found
+### Next Steps
+(Only include this section if there are HIGH or CRITICAL findings.)
+
+List each HIGH or CRITICAL finding as a plain-language suggestion — no commands, no JSON, no technical details. One sentence per item. Ask the user to confirm if they'd like help with any of them.
+
+Format:
 ```
+⚠️ A few things need your attention:
+1. 🔴 <plain description of critical issue and why it matters>
+2. 🟠 <plain description of high issue and why it matters>
+...
+
+Reply with the number(s) you'd like help with and I'll walk you through it.
+```
+
+Examples of plain-language descriptions:
+- No hooks: "Security monitoring isn't active — AgentGuard can't block threats in real-time until hooks are configured."
+- Unregistered skills: "10 installed skills haven't been security-reviewed — they're running with no trust level assigned."
+- SSH permissions: "Your SSH key folder has loose permissions — other processes on this machine could potentially read your private keys."
+- Plaintext credential: "A private key or API token was found in plain text in a file — it should be removed and rotated."
 
 ### Step 6: Deliver the Report to the User
 

From 6f0403505daa2601312ad1b54f24e95cce72f0c3 Mon Sep 17 00:00:00 2001
From: 0xJeff <jeff@gopluslabs.io>
Date: Wed, 15 Apr 2026 16:46:14 +0800
Subject: [PATCH 3/3] fix UI bug

---
 skills/agentguard/scripts/checkup-report.js | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/skills/agentguard/scripts/checkup-report.js b/skills/agentguard/scripts/checkup-report.js
index da21b4a..04380e6 100644
--- a/skills/agentguard/scripts/checkup-report.js
+++ b/skills/agentguard/scripts/checkup-report.js
@@ -764,11 +764,10 @@ function generateReport(data) {
       const sc = sevColor(sev);
       const zhText = r.zh || r.text;
       return `
-      <div class="flex items-center gap-3 px-4 py-3 rounded-lg hover:bg-[#262a31]/30 transition-colors group">
+      <div class="flex items-center gap-3 px-4 py-3 rounded-lg">
         <span class="w-5 text-xs font-headline font-bold text-[#849588]/60">${i+1}</span>
         <span class="px-2 py-0.5 rounded text-[9px] font-bold uppercase tracking-wide text-white shrink-0" style="background:${sc}">${sev}</span>
         <span class="text-sm text-[#b9cbbd] leading-snug rec-text" data-en="${esc(r.text)}" data-zh="${esc(zhText)}">${esc(r.text)}</span>
-        <span class="material-symbols-outlined text-sm text-[#849588]/0 group-hover:text-[#849588]/50 transition-colors ml-auto shrink-0">chevron_right</span>
       </div>`;
     }).join('')}</div>`
     : '<div class="text-center py-12 text-[#849588]" data-i18n="no_recs">No recommendations.</div>';
@@ -776,12 +775,7 @@ function generateReport(data) {
   // ── AI Analysis report ──
   const analysisText = data.analysis || '';
   const analysisHtml = analysisText
-    ? `<div class="relative group">
-        <div class="bg-[#0a0e14] border border-[#3a4a3f]/10 rounded-xl p-5 text-sm text-[#b9cbbd] leading-relaxed whitespace-pre-line" id="analysisText">${esc(analysisText)}</div>
-        <button onclick="copyReport()" id="copyBtn" class="absolute top-3 right-3 flex items-center gap-1.5 px-3 py-1.5 bg-[#262a31] border border-[#3a4a3f]/30 rounded-lg text-[11px] font-semibold text-[#849588] hover:text-[#dfe2eb] hover:border-[#849588]/50 transition-all opacity-0 group-hover:opacity-100">
-          <span class="material-symbols-outlined text-sm" id="copyIcon">content_copy</span><span id="copyLabel" data-i18n="copy_report">Copy Report</span>
-        </button>
-      </div>`
+    ? `<div class="bg-[#0a0e14] border border-[#3a4a3f]/10 rounded-xl p-5 text-sm text-[#b9cbbd] leading-relaxed whitespace-pre-line" id="analysisText">${esc(analysisText)}</div>`
     : '';
 
   // ── Health status label ──
@@ -936,6 +930,9 @@ body{background:#0a0e14;color:#dfe2eb;font-family:'Inter',sans-serif}
             <p class="text-[10px] font-label uppercase tracking-[0.2em] text-[#849588] mb-1" data-i18n="sec_analysis">Security Analysis</p>
             <h1 class="text-2xl font-headline font-bold text-[#f5fff5] tracking-tight flex items-center gap-3">
               <span class="material-symbols-outlined" style="color:${tier.color}">analytics</span><span data-i18n="diag_report">Diagnostic Report</span>
+              <button onclick="copyReport()" id="copyBtn" class="flex items-center gap-1 px-2 py-1 bg-[#262a31] border border-[#3a4a3f]/30 rounded-lg text-[11px] font-semibold text-[#849588] hover:text-[#dfe2eb] hover:border-[#849588]/50 transition-all ml-1">
+                <span class="material-symbols-outlined text-sm" id="copyIcon">content_copy</span><span id="copyLabel" class="hidden sm:inline" data-i18n="copy_report">Copy Report</span>
+              </button>
             </h1>
           </div>
           <div class="bg-[#262a31] border border-[#3a4a3f]/15 rounded-lg px-4 py-2 flex items-center gap-2">