v0.4.0: hook error handling, update notifications, remote vuln DB

Major changes:
- Add createSafeApi() wrapper: try-catch on all 8 defense layer hooks,
  fail-safe (block on security hooks, pass on others)
- Add non-blocking version update check with notification dedup
  (same version only notified once, 24h check interval)
- Add remote vulnerability database (17 real CVEs/GHSAs + 1 supply chain alert)
  with 24h cache and local fallback
- Fix ReDoS in email regex (333x speedup on 200KB text)
- Fix fork bomb regex broken by splitCommands
- Fix injection gaps: expand zh_new_role/zh_no_restriction rules,
  add zh_mixed_lang_injection rule (26 total injection rules)
- Add defensive type conversion for non-string toolName/params
- Fix scan-plugins regex global flag state pollution
- 100 tests passing (37 integration + 42 edge cases + 21 update check)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: jnMetaCode

README.md

@@ -30,7 +30,7 @@ ShellWard protects your OpenClaw agent with 8 defense layers:
 - **Bilingual** — all messages, rules, and prompts in English and Chinese
 - **Chinese PII detection** — ID card (with checksum validation), phone number, bank card (Luhn)
 - **Global PII detection** — API keys, JWT, passwords, US SSN, credit cards, emails
-- **25 injection rules** — 13 Chinese + 12 English patterns with risk scoring
+- **26 injection rules** — 14 Chinese + 12 English patterns with risk scoring
 - **15 dangerous command rules** — fork bombs, reverse shells, disk formatting, etc. (all case-insensitive)
 - **12 protected path rules** — .env, .ssh, private keys, cloud credentials
 - **Dual mode** — `enforce` (block + log) or `audit` (log only)
@@ -230,7 +230,7 @@ ShellWard 通过 8 层防御保护你的 OpenClaw 智能体：
 - **中英双语** — 所有消息、规则、提示均支持中英文
 - **中国 PII 检测** — 身份证号（含校验位验证）、手机号、银行卡号（Luhn 校验）
 - **国际 PII 检测** — API Key、JWT、密码、美国 SSN、信用卡、邮箱
-- **25 条注入规则** — 13 条中文 + 12 条英文，带风险评分
+- **26 条注入规则** — 14 条中文 + 12 条英文，带风险评分
 - **双模式** — `enforce`（拦截+记录）或 `audit`（仅记录）
 - **JSONL 审计日志** — 零依赖、支持 grep/jq 查询、100MB 自动轮转
 

openclaw.plugin.json

@@ -2,7 +2,7 @@
   "id": "shellward",
   "name": "ShellWard",
   "description": "First bilingual (EN/ZH) security plugin for OpenClaw — injection detection, dangerous operation blocking, PII/secret redaction (incl. Chinese ID card, phone, bank card), audit logging",
-  "version": "0.3.4",
+  "version": "0.4.0",
   "skills": ["./skills"],
   "configSchema": {
     "type": "object",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "shellward",
-  "version": "0.3.4",
+  "version": "0.4.0",
   "description": "First bilingual (EN/ZH) security plugin for OpenClaw — Chinese PII detection (ID card/phone/bank card), prompt injection detection (13 ZH + 12 EN rules), dangerous command blocking, audit logging. Zero dependencies.",
   "keywords": [
     "shellward",
@@ -31,6 +31,7 @@
     "src/",
     "skills/",
     "openclaw.plugin.json",
+    "vuln-db.json",
     "install.sh",
     "install.ps1",
     "LICENSE",

src/commands/check-updates.ts

@@ -1,34 +1,35 @@
-// src/commands/check-updates.ts — /check-updates: check OpenClaw version and known vulnerabilities
+// src/commands/check-updates.ts — /check-updates: check versions + remote vulnerability DB
 
 import { execSync } from 'child_process'
 import { existsSync, readFileSync } from 'fs'
 import { join } from 'path'
 import type { ShellWardConfig } from '../types'
 import { resolveLocale } from '../types'
+import { checkForUpdate, fetchVulnDB, compareVersions } from '../update-check'
 
-// Known vulnerability database (hardcoded, updated with plugin releases)
-// Format: { version_range, severity, cve, description_zh, description_en }
-const KNOWN_VULNS = [
+// Local fallback vulnerability database (used when remote fetch fails)
+// Contains only CVE-assigned vulnerabilities as minimum baseline
+const LOCAL_VULNS = [
   {
-    affectedBelow: '2026.3.6',
-    severity: 'HIGH',
-    id: 'CG-2026-001',
-    description_zh: 'tool_result_persist hook 可被绕过泄露敏感数据',
-    description_en: 'tool_result_persist hook bypass may leak sensitive data',
+    affectedBelow: '1.0.111',
+    severity: 'HIGH' as const,
+    id: 'CVE-2025-59536',
+    description_zh: '远程代码执行：恶意仓库通过 Hooks 和 MCP Server 在信任提示前执行任意命令 (CVSS 8.7)',
+    description_en: 'RCE via Hooks and MCP Server bypass — arbitrary shell execution before trust dialog (CVSS 8.7)',
   },
   {
-    affectedBelow: '2026.3.4',
-    severity: 'CRITICAL',
-    id: 'CG-2026-002',
-    description_zh: '插件系统缺少签名验证，可加载恶意插件',
-    description_en: 'Plugin system lacks signature verification, allows malicious plugins',
+    affectedBelow: '2.0.65',
+    severity: 'MEDIUM' as const,
+    id: 'CVE-2026-21852',
+    description_zh: 'API 密钥泄露：恶意仓库通过 settings.json 设置 ANTHROPIC_BASE_URL 窃取用户 API Key (CVSS 5.3)',
+    description_en: 'API key exfiltration via ANTHROPIC_BASE_URL in settings.json before trust prompt (CVSS 5.3)',
   },
   {
-    affectedBelow: '2026.3.2',
-    severity: 'HIGH',
-    id: 'CG-2026-003',
-    description_zh: 'Gateway 默认绑定 0.0.0.0，未认证即可远程执行',
-    description_en: 'Gateway binds 0.0.0.0 by default, allows unauthenticated remote execution',
+    affectedBelow: '2026.2.7',
+    severity: 'HIGH' as const,
+    id: 'GHSA-ff64-7w26-62rf',
+    description_zh: '沙箱逃逸：通过 settings.json 持久化配置注入',
+    description_en: 'Sandbox escape via persistent configuration injection in settings.json',
   },
 ]
 
@@ -38,31 +39,30 @@ export function registerCheckUpdatesCommand(api: any, config: ShellWardConfig) {
   api.registerCommand({
     name: 'check-updates',
     description: locale === 'zh'
-      ? '🔄 检查 OpenClaw 版本和已知漏洞'
-      : '🔄 Check OpenClaw version and known vulnerabilities',
+      ? '🔄 检查版本更新和已知漏洞（支持远程漏洞库）'
+      : '🔄 Check for updates and known vulnerabilities (remote vuln DB)',
     acceptsArgs: false,
-    handler: () => {
+    handler: async () => {
       const zh = locale === 'zh'
       const lines: string[] = []
 
       lines.push(zh ? '🔄 **版本与漏洞检查**' : '🔄 **Version & Vulnerability Check**')
       lines.push('')
 
       // 1. Get OpenClaw version
-      let currentVersion = 'unknown'
+      let openclawVersion = 'unknown'
       try {
         const out = execSync('openclaw --version 2>&1', { timeout: 5000 }).toString().trim()
-        // Extract version like "2026.3.8"
         const match = out.match(/(\d{4}\.\d+\.\d+)/)
-        if (match) currentVersion = match[1]
+        if (match) openclawVersion = match[1]
       } catch { /* skip */ }
 
       lines.push(zh
-        ? `### OpenClaw 版本: ${currentVersion}`
-        : `### OpenClaw Version: ${currentVersion}`)
+        ? `### OpenClaw 版本: ${openclawVersion}`
+        : `### OpenClaw Version: ${openclawVersion}`)
       lines.push('')
 
-      // 2. Check ShellWard version
+      // 2. Check ShellWard version + available update
       let shellwardVersion = 'unknown'
       try {
         const pkgPath = join(__dirname, '../../package.json')
@@ -75,17 +75,45 @@ export function registerCheckUpdatesCommand(api: any, config: ShellWardConfig) {
       lines.push(zh
         ? `### ShellWard 版本: ${shellwardVersion}`
         : `### ShellWard Version: ${shellwardVersion}`)
+
+      // Check for ShellWard update from npm
+      try {
+        const updateInfo = await checkForUpdate(shellwardVersion)
+        if (updateInfo?.updateAvailable) {
+          lines.push(zh
+            ? `  🆕 **新版本 v${updateInfo.latest} 可用！** 运行 \`openclaw plugins update shellward\` 更新`
+            : `  🆕 **v${updateInfo.latest} available!** Run \`openclaw plugins update shellward\` to update`)
+        } else if (updateInfo) {
+          lines.push(zh ? '  ✅ 已是最新版本' : '  ✅ Up to date')
+        }
+      } catch { /* skip */ }
       lines.push('')
 
-      // 3. Check known vulnerabilities
+      // 3. Check known vulnerabilities (remote DB with local fallback)
       lines.push(zh ? '### 已知漏洞检查' : '### Known Vulnerability Check')
 
-      if (currentVersion === 'unknown') {
+      let vulnDB = LOCAL_VULNS
+      let alerts: { id: string; severity: string; date: string; description_zh: string; description_en: string }[] = []
+      let dbSource = 'local'
+      try {
+        const remote = await fetchVulnDB()
+        if (remote.vulns.length > 0) {
+          vulnDB = remote.vulns
+          dbSource = 'remote'
+        }
+        alerts = remote.alerts || []
+      } catch { /* use local */ }
+
+      lines.push(zh
+        ? `  数据源: ${dbSource === 'remote' ? `远程漏洞库 (GitHub) — ${vulnDB.length} 条记录` : '本地内置数据库'}`
+        : `  Source: ${dbSource === 'remote' ? `Remote vuln DB (GitHub) — ${vulnDB.length} entries` : 'Local built-in database'}`)
+
+      if (openclawVersion === 'unknown') {
         lines.push(zh
           ? '  ⚠️ 无法确定 OpenClaw 版本，请手动检查'
           : '  ⚠️ Cannot determine OpenClaw version, please check manually')
       } else {
-        const affected = KNOWN_VULNS.filter(v => compareVersions(currentVersion, v.affectedBelow) < 0)
+        const affected = vulnDB.filter(v => compareVersions(openclawVersion, v.affectedBelow) < 0)
         if (affected.length === 0) {
           lines.push(zh
             ? '  ✅ 当前版本未发现已知漏洞'
@@ -96,11 +124,22 @@ export function registerCheckUpdatesCommand(api: any, config: ShellWardConfig) {
             const desc = zh ? vuln.description_zh : vuln.description_en
             lines.push(`  ${icon} **${vuln.id}** [${vuln.severity}]: ${desc}`)
             lines.push(zh
-              ? `     影响版本: < ${vuln.affectedBelow} — 请升级 OpenClaw`
-              : `     Affected: < ${vuln.affectedBelow} — please upgrade OpenClaw`)
+              ? `     影响版本: < ${vuln.affectedBelow} — 请升级`
+              : `     Affected: < ${vuln.affectedBelow} — please upgrade`)
           }
         }
       }
+
+      // Supply chain alerts
+      if (alerts.length > 0) {
+        lines.push('')
+        lines.push(zh ? '### 供应链安全警告' : '### Supply Chain Alerts')
+        for (const alert of alerts) {
+          const icon = alert.severity === 'CRITICAL' ? '🔴' : '🟡'
+          const desc = zh ? alert.description_zh : alert.description_en
+          lines.push(`  ${icon} **${alert.id}** [${alert.date}]: ${desc}`)
+        }
+      }
       lines.push('')
 
       // 4. Check Node.js version
@@ -135,17 +174,3 @@ export function registerCheckUpdatesCommand(api: any, config: ShellWardConfig) {
     },
   })
 }
-
-/**
- * Compare two version strings like "2026.3.8" vs "2026.3.6"
- * Returns: negative if a < b, 0 if equal, positive if a > b
- */
-function compareVersions(a: string, b: string): number {
-  const pa = a.split('.').map(Number)
-  const pb = b.split('.').map(Number)
-  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
-    const diff = (pa[i] || 0) - (pb[i] || 0)
-    if (diff !== 0) return diff
-  }
-  return 0
-}

src/commands/scan-plugins.ts

@@ -113,9 +113,9 @@ export function registerScanPluginsCommand(api: any, config: ShellWardConfig) {
           try {
             const content = readFileSync(file, 'utf-8')
             for (const rule of SUSPICIOUS_PATTERNS) {
-              if (rule.pattern.test(content)) {
-                // Reset lastIndex for global regexes
-                rule.pattern.lastIndex = 0
+              // Use fresh regex to avoid lastIndex state issues with global patterns
+              const regex = new RegExp(rule.pattern.source, rule.pattern.flags)
+              if (regex.test(content)) {
                 const relPath = file.replace(plugin.path + '/', '')
                 risks.push(zh
                   ? `⚠️ ${relPath}: ${rule.name} (${rule.risk})`

src/index.ts

@@ -1,4 +1,4 @@
-// src/index.ts — ShellWard plugin entry point (v0.3.1)
+// src/index.ts — ShellWard plugin entry point (v0.4.0)
 // 8 defense layers + 6 slash commands + 1 security skill
 
 import { AuditLog } from './audit-log'
@@ -12,8 +12,46 @@ import { setupDataFlowGuard } from './layers/data-flow-guard'
 import { setupSessionGuard } from './layers/session-guard'
 import { registerAllCommands } from './commands/index'
 import { DEFAULT_CONFIG, resolveLocale } from './types'
+import { checkForUpdate } from './update-check'
 import type { ShellWardConfig } from './types'
 
+const CURRENT_VERSION = '0.4.0'
+
+/**
+ * Wrap api.on so every hook handler gets try-catch protection.
+ * If a security hook throws, we log the error and fail-safe:
+ * - before_tool_call: block (deny on error, safer than allow)
+ * - other hooks: return undefined (don't break the chain)
+ */
+function createSafeApi(api: any, log: AuditLog): any {
+  return {
+    ...api,
+    on(hookName: string, handler: Function, opts?: any) {
+      const isBlockHook = hookName === 'before_tool_call'
+      const wrappedHandler = (event: any) => {
+        try {
+          return handler(event)
+        } catch (err: any) {
+          const msg = err?.message || String(err)
+          log.write({
+            level: 'CRITICAL',
+            layer: 'L0',
+            action: 'error',
+            detail: `Hook ${opts?.name || hookName} threw: ${msg.slice(0, 200)}`,
+          })
+          try { api.logger.warn(`[ShellWard] Hook error in ${opts?.name || hookName}: ${msg}`) } catch {}
+          // Fail-safe: block on security hooks, pass on others
+          if (isBlockHook) {
+            return { block: true, blockReason: `⚠️ [ShellWard] Internal error in security check — operation blocked for safety` }
+          }
+          return undefined
+        }
+      }
+      api.on(hookName, wrappedHandler, opts)
+    },
+  }
+}
+
 function mergeConfig(userConfig: Partial<ShellWardConfig> | undefined): ShellWardConfig {
   if (!userConfig) return { ...DEFAULT_CONFIG }
 
@@ -49,52 +87,54 @@ export default {
     const log = new AuditLog(config)
     const enforce = config.mode === 'enforce'
     const locale = resolveLocale(config)
+    const safe = createSafeApi(api, log)
 
     const modeLabel = locale === 'zh'
       ? `模式: ${config.mode}`
       : `mode: ${config.mode}`
     api.logger.info(`[ShellWard] Security plugin started (${modeLabel})`)
 
     // === Defense Layers (L1-L8) ===
+    // All layers use `safe` wrapper — hooks get automatic try-catch + fail-safe
 
     // L1: Prompt Guard (before_prompt_build — prependSystemContext for caching)
     if (config.layers.promptGuard) {
-      setupPromptGuard(api, config, log)
+      setupPromptGuard(safe, config, log)
     }
 
     // L2: Output Scanner (tool_result_persist — redact PII in tool results)
     if (config.layers.outputScanner) {
-      setupOutputScanner(api, config, log, enforce)
+      setupOutputScanner(safe, config, log, enforce)
     }
 
     // L3: Tool Blocker (before_tool_call — block dangerous commands/paths)
     if (config.layers.toolBlocker) {
-      setupToolBlocker(api, config, log, enforce)
+      setupToolBlocker(safe, config, log, enforce)
     }
 
     // L4: Input Auditor (before_tool_call + message_received — injection detection)
     if (config.layers.inputAuditor) {
-      setupInputAuditor(api, config, log, enforce)
+      setupInputAuditor(safe, config, log, enforce)
     }
 
-    // L5: Security Gate (registerTool — defense in depth)
+    // L5: Security Gate (registerTool — defense in depth, uses raw api for registerTool)
     if (config.layers.securityGate) {
       setupSecurityGate(api, config, log, enforce)
     }
 
     // L6: Outbound Guard (message_sending — redact PII in LLM responses + canary detection)
     if (config.layers.outboundGuard) {
-      setupOutboundGuard(api, config, log, enforce)
+      setupOutboundGuard(safe, config, log, enforce)
     }
 
     // L7: Data Flow Guard (after_tool_call + before_tool_call — anti-exfiltration)
     if (config.layers.dataFlowGuard) {
-      setupDataFlowGuard(api, config, log, enforce)
+      setupDataFlowGuard(safe, config, log, enforce)
     }
 
     // L8: Session Guard (session_end + subagent_spawning — lifecycle security)
     if (config.layers.sessionGuard) {
-      setupSessionGuard(api, config, log, enforce)
+      setupSessionGuard(safe, config, log, enforce)
     }
 
     // === Slash Commands ===
@@ -113,7 +153,18 @@ export default {
       level: 'INFO',
       layer: 'L1',
       action: 'allow',
-      detail: `ShellWard v0.3.4 started with ${enabledCount} layers`,
+      detail: `ShellWard v${CURRENT_VERSION} started with ${enabledCount} layers`,
     })
+
+    // === Non-blocking update check (async, won't delay startup) ===
+    // Only notifies ONCE per new version — won't repeat after user has seen it
+    checkForUpdate(CURRENT_VERSION).then(result => {
+      if (result?.shouldNotify) {
+        const msg = locale === 'zh'
+          ? `[ShellWard] 新版本 v${result.latest} 可用 (当前 v${result.current})。运行 \`openclaw plugins update shellward\` 更新`
+          : `[ShellWard] Update available: v${result.latest} (current v${result.current}). Run \`openclaw plugins update shellward\` to update`
+        api.logger.warn(msg)
+      }
+    }).catch(() => { /* silently ignore network errors */ })
   },
 }