文件内容
scripts/security-audit.sh
#!/bin/bash
# Proactive Agent Security Audit
# Run periodically to check for security issues
# Don't exit on error - we want to complete all checks
set +e
echo "🔒 Proactive Agent Security Audit"
echo "=================================="
echo ""
ISSUES=0
WARNINGS=0
# Colors
RED='\033[0;31m'
YELLOW='\033[1;33m'
GREEN='\033[0;32m'
NC='\033[0m' # No Color
warn() {
echo -e "${YELLOW}⚠️ WARNING: $1${NC}"
((WARNINGS++))
}
fail() {
echo -e "${RED}❌ ISSUE: $1${NC}"
((ISSUES++))
}
pass() {
echo -e "${GREEN}✅ $1${NC}"
}
# 1. Check credential file permissions
echo "📁 Checking credential files..."
if [ -d ".credentials" ]; then
for f in .credentials/*; do
if [ -f "$f" ]; then
perms=$(stat -f "%Lp" "$f" 2>/dev/null || stat -c "%a" "$f" 2>/dev/null)
if [ "$perms" != "600" ]; then
fail "$f has permissions $perms (should be 600)"
else
pass "$f permissions OK (600)"
fi
fi
done
else
echo " No .credentials directory found"
fi
echo ""
# 2. Check for exposed secrets in common files
echo "🔍 Scanning for exposed secrets..."
SECRET_PATTERNS="(api[_-]?key|apikey|secret|password|token|auth).*[=:].{10,}"
for f in $(ls *.md *.json *.yaml *.yml .env* 2>/dev/null || true); do
if [ -f "$f" ]; then
matches=$(grep -iE "$SECRET_PATTERNS" "$f" 2>/dev/null | grep -v "example\|template\|placeholder\|your-\|<\|TODO" || true)
if [ -n "$matches" ]; then
warn "Possible secret in $f - review manually"
fi
fi
done
pass "Secret scan complete"
echo ""
# 3. Check gateway security (if clawdbot config exists)
echo "🌐 Checking gateway configuration..."
CONFIG_FILE="$HOME/.clawdbot/clawdbot.json"
if [ -f "$CONFIG_FILE" ]; then
# Check if gateway is bound to loopback
if grep -q '"bind".*"loopback"' "$CONFIG_FILE"; then
pass "Gateway bound to loopback (not exposed)"
else
warn "Gateway may not be bound to loopback - check config"
fi
# Check if Telegram uses pairing
if grep -q '"dmPolicy".*"pairing"' "$CONFIG_FILE"; then
pass "Telegram DM policy uses pairing"
fi
else
echo " No clawdbot config found"
fi
echo ""
# 4. Check AGENTS.md for security rules
echo "📋 Checking AGENTS.md for security rules..."
if [ -f "AGENTS.md" ]; then
if grep -qi "injection\|external content\|never execute" "AGENTS.md"; then
pass "AGENTS.md contains injection defense rules"
else
warn "AGENTS.md may be missing prompt injection defense"
fi
if grep -qi "deletion\|confirm.*delet\|trash" "AGENTS.md"; then
pass "AGENTS.md contains deletion confirmation rules"
else
warn "AGENTS.md may be missing deletion confirmation rules"
fi
else
warn "No AGENTS.md found"
fi
echo ""
# 5. Check for skills from untrusted sources
echo "📦 Checking installed skills..."
SKILL_DIR="skills"
if [ -d "$SKILL_DIR" ]; then
skill_count=$(find "$SKILL_DIR" -maxdepth 1 -type d | wc -l)
echo " Found $((skill_count - 1)) installed skills"
pass "Review skills manually for trustworthiness"
else
echo " No skills directory found"
fi
echo ""
# 6. Check .gitignore
echo "📄 Checking .gitignore..."
if [ -f ".gitignore" ]; then
if grep -q "\.credentials" ".gitignore"; then
pass ".credentials is gitignored"
else
fail ".credentials is NOT in .gitignore"
fi
if grep -q "\.env" ".gitignore"; then
pass ".env files are gitignored"
else
warn ".env files may not be gitignored"
fi
else
warn "No .gitignore found"
fi
echo ""
# Summary
echo "=================================="
echo "📊 Summary"
echo "=================================="
if [ $ISSUES -eq 0 ] && [ $WARNINGS -eq 0 ]; then
echo -e "${GREEN}All checks passed!${NC}"
elif [ $ISSUES -eq 0 ]; then
echo -e "${YELLOW}$WARNINGS warning(s), 0 issues${NC}"
else
echo -e "${RED}$ISSUES issue(s), $WARNINGS warning(s)${NC}"
fi
echo ""
echo "Run this audit periodically to maintain security."