From f1396e17ed714a91a96e40f447de3e3d04f538b9 Mon Sep 17 00:00:00 2001 From: 0xJeff Date: Thu, 16 Apr 2026 19:30:03 +0800 Subject: [PATCH] add paths --- skills/agentguard/SKILL.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/skills/agentguard/SKILL.md b/skills/agentguard/SKILL.md index dec1189..4867e59 100644 --- a/skills/agentguard/SKILL.md +++ b/skills/agentguard/SKILL.md 
@@ -614,7 +614,14 @@ Run a comprehensive agent health checkup across 6 security dimensions. Generates Run these checks in parallel where possible. These are **universal agent security checks** — they apply to any Claude Code or OpenClaw environment, regardless of whether AgentGuard is installed. -1. **[REQUIRED] Discover & scan installed skills** (→ feeds Dimension 1: Code Safety): Glob `~/.claude/skills/*/SKILL.md` and `~/.openclaw/skills/*/SKILL.md`. For each discovered skill, **run `/agentguard scan `** using the scan subcommand logic (24 detection rules). Collect the scan results (risk level, findings count, risk tags) for each skill. +1. **[REQUIRED] Discover & scan installed skills** (→ feeds Dimension 1: Code Safety): Glob ALL of the following paths for `*/SKILL.md`: + - `~/.claude/skills/*/SKILL.md` + - `~/.openclaw/skills/*/SKILL.md` + - `~/.openclaw/workspace/skills/*/SKILL.md` + - `~/.qclaw/skills/*/SKILL.md` + - `~/.qclaw/workspace/skills/*/SKILL.md` + + For **every** discovered skill, **run `/agentguard scan `** using the scan subcommand logic (24 detection rules). Do NOT skip any skill regardless of how many are found. Collect the scan results (risk level, findings count, risk tags) for each skill. 2. **[REQUIRED] Credential file permissions** (→ feeds Dimension 2: Credential Safety): Platform-aware check — behavior differs by OS: - **macOS/Linux**: Run `stat -f '%Lp' 2>/dev/null || stat -c '%a' 2>/dev/null` on `~/.ssh/`, `~/.gnupg/`, and if OpenClaw: on `$OC/openclaw.json`, `$OC/devices/paired.json`. **If the command returns empty output, the directory does not exist — treat as N/A (award full points), do NOT flag as a failure.** - **Windows**: `stat` is not available. Use `icacls ` to check ACLs instead. If the directory does not exist, treat as N/A (award full points). If it exists, check that the ACL grants access only to the current user (no `Everyone`, `Users`, or `Authenticated Users` with write/read access). 
Flag as FAIL only if the directory exists AND the ACL is overly permissive.
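Review bot: The new path list in step 1 brings in `~/.qclaw/skills` and `~/.qclaw/workspace/skills`, but the unchanged intro line still scopes these checks to "any Claude Code or OpenClaw environment", and step 2 only covers the OpenClaw files `$OC/openclaw.json` and `$OC/devices/paired.json`. As written, QClaw skills are scanned while nothing in the credential check covers a QClaw install. Either name QClaw in the intro and add its equivalent files to step 2, or state that only skill discovery is being extended. Two smaller points in the same hunk: "Glob ALL of the following paths for `*/SKILL.md`" is redundant because every listed entry already ends in `*/SKILL.md`, and with both `skills/` and `workspace/skills/` listed under one root it would help to say whether a skill reachable through more than one path is scanned and counted once (for example by resolved path), since "Do NOT skip any skill" otherwise leaves the findings count ambiguous. The subject line "add paths" should say which paths and why.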