Merged
Renames the plugin's identity from OpenClaw Security Advisor /
@kilocode/openclaw-security-advisor to ShellSecurity /
@kilocode/shell-security, to match the renamed repo
(Kilo-Org/openclaw-security-advisor → Kilo-Org/shell-security).
- package.json: name → @kilocode/shell-security; repo URL.
- openclaw.plugin.json: id → shell-security; display name → ShellSecurity.
- index.ts: plugin id, display name, tool name (kilocode_shell_security),
reload noop prefix, log tags, and user-facing config-path references.
- src/auth/token-store.ts: PLUGIN_ID, PROVIDER_ID (kilocode_shell_security)
→ changes install dir, secret file, and pending-code file paths.
- src/auth/device-auth.ts: debug log tag.
- .github/workflows/publish.yml: repo guard + registry probe + recovery
copy point at Kilo-Org/shell-security / @kilocode/shell-security.
- script/publish.ts, script/version.ts: NPM_PACKAGE and log copy.
- README.md: rename banner, migration block from old plugin, install
commands, tool name, config path, package name, doc links.
- CHANGELOG.md: [0.2.0] rename entry; [0.1.5] stub entry; retro-dated
[0.1.4] for the channel-forwarding changes; updated compare links.
- RELEASING.md: bulk replace to new package / repo names.
- AGENTS.md: package name banner, @dev install, code-layout section.
- test/token-store.test.ts: updated hardcoded secret path + key names.
Server API route URL (/api/security-advisor/analyze) is intentionally
unchanged so this publish does not require coordinated server changes.
/security-checkup slash command name is also unchanged.
Code Review Summary
Status: No Issues Found | Recommendation: Merge
Files Reviewed (2 files)
Reviewed by gpt-5.4-2026-03-05 · 1,015,388 tokens
1. Plugin-managed authToken now falls through to file-based auto re-auth
instead of dead-ending at a 'update your openclaw.json' message on
401. Added isPluginManagedAuthToken() in token-store; Path 0 in
runShellSecurityFlow now skips when the raw config's authToken is a
SecretRef pointing at our own provider (the shape writeStoredToken()
always writes). Covered by 5 new unit tests in token-store.test.ts.
2. getPublicIp() now clears its 5s abort timer in a finally block so
dangling timeouts don't accumulate across failed checkups.
3. Device-auth poll requests now carry a per-request 10s AbortController
so a hung HTTP call can't outlive the overall 30s POLL_TIMEOUT_MS.
Cleared in finally so every loop iteration is interruptible.
4. CHANGELOG regained its '## [Unreleased]' heading per the release
workflow documented in AGENTS.md + RELEASING.md, and the three fixes
above are logged under it.
pandemicsyn
approved these changes
Apr 22, 2026
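The timer handling described in fixes 2 and 3 of the commit message above, as an added example that is not the plugin's own code: a device-auth style poll loop where each request gets its own AbortController and the timer is cleared in `finally`. The function names, the injected `fetchStatus` callback, the status values and the clamp to the remaining deadline are assumptions made for illustration.

```javascript
// Added example. pollUntilApproved, fetchStatus and makeHungThenApproved are
// hypothetical names; only the 10s / 30s values come from the commit message.
const POLL_TIMEOUT_MS = 30_000;    // overall polling budget
const REQUEST_TIMEOUT_MS = 10_000; // cap for a single poll request

async function pollUntilApproved(fetchStatus, opts = {}) {
  const {
    pollTimeoutMs = POLL_TIMEOUT_MS,
    requestTimeoutMs = REQUEST_TIMEOUT_MS,
    intervalMs = 1_000,
  } = opts;
  const deadline = Date.now() + pollTimeoutMs;
  let attempts = 0;

  while (Date.now() < deadline) {
    attempts += 1;
    const controller = new AbortController();
    // Assumption added here: clamp the per-request cap to the time remaining,
    // so the last request cannot run past the overall deadline.
    const budget = Math.min(requestTimeoutMs, deadline - Date.now());
    const timer = setTimeout(() => controller.abort(), budget);
    try {
      const result = await fetchStatus(controller.signal);
      if (result.status === "approved") return { ok: true, attempts };
      if (result.status === "denied") return { ok: false, attempts, reason: "denied" };
    } catch (err) {
      // A request we aborted ourselves is a retryable miss; other errors surface.
      if (!controller.signal.aborted) throw err;
    } finally {
      clearTimeout(timer); // runs on success, error and abort: no dangling timer
    }
    const pause = Math.max(0, Math.min(intervalMs, deadline - Date.now()));
    await new Promise((resolve) => setTimeout(resolve, pause));
  }
  return { ok: false, attempts, reason: "timeout" };
}

// Constructed stand-in for the HTTP call: the first request hangs until it is
// aborted, the second one reports approval.
function makeHungThenApproved() {
  let calls = 0;
  return (signal) => new Promise((resolve, reject) => {
    calls += 1;
    if (calls > 1) return resolve({ status: "approved" });
    signal.addEventListener("abort", () => reject(new Error("aborted")), { once: true });
  });
}
```

Passing short values in `opts` lets the hung-request path be exercised in milliseconds instead of waiting out the real 10s and 30s limits.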
Summary
Completes the rename of the plugin from @kilocode/openclaw-security-advisor to @kilocode/shell-security. Restores the audit logic that the 0.1.5 stub release removed, applies the new name across code and docs, adds a new /shell-security slash command alongside the existing /security-checkup (kept as a legacy alias), and bumps package.json to 0.2.0 ready for the one time manual bootstrap publish under the new npm slug.
Changes
- shell-security), display name (ShellSecurity), and tool name (kilocode_shell_security).
- PLUGIN_ID and PROVIDER_ID constants in src/auth/token-store.ts. Install directory moves to ~/.openclaw/extensions/shell-security/ and the secret file to ~/.openclaw/secrets/shell-security-auth-token.
- /shell-security (canonical, matches the plugin id) and /security-checkup (legacy alias for users migrating from the old plugin).
- publish.yml repo guard, registry probe, and recovery copy updated to the new repo slug.
- script/publish.ts and script/version.ts updated to the new npm package name.
- tools.alsoAllow if the old tool was pinned there. RELEASING has a new section documenting the one time OIDC bootstrap required for the first publish of a freshly named npm package.
Test plan
Post merge