Initial commit with translated description

scripts/security-audit.sh

@@ -0,0 +1,149 @@
+#!/bin/bash
+# Proactive Agent Security Audit
+# Run periodically to check for security issues
+
+# Don't exit on error - we want to complete all checks
+set +e
+
+echo "🔒 Proactive Agent Security Audit"
+echo "=================================="
+echo ""
+
+ISSUES=0
+WARNINGS=0
+
+# Colors
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+GREEN='\033[0;32m'
+NC='\033[0m' # No Color
+
+warn() {
+    echo -e "${YELLOW}⚠️  WARNING: $1${NC}"
+    ((WARNINGS++))
+}
+
+fail() {
+    echo -e "${RED}❌ ISSUE: $1${NC}"
+    ((ISSUES++))
+}
+
+pass() {
+    echo -e "${GREEN}✅ $1${NC}"
+}
+
+# 1. Check credential file permissions
+echo "📁 Checking credential files..."
+if [ -d ".credentials" ]; then
+    for f in .credentials/*; do
+        if [ -f "$f" ]; then
+            perms=$(stat -f "%Lp" "$f" 2>/dev/null || stat -c "%a" "$f" 2>/dev/null)
+            if [ "$perms" != "600" ]; then
+                fail "$f has permissions $perms (should be 600)"
+            else
+                pass "$f permissions OK (600)"
+            fi
+        fi
+    done
+else
+    echo "   No .credentials directory found"
+fi
+echo ""
+
+# 2. Check for exposed secrets in common files
+echo "🔍 Scanning for exposed secrets..."
+SECRET_PATTERNS="(api[_-]?key|apikey|secret|password|token|auth).*[=:].{10,}"
+for f in $(ls *.md *.json *.yaml *.yml .env* 2>/dev/null || true); do
+    if [ -f "$f" ]; then
+        matches=$(grep -iE "$SECRET_PATTERNS" "$f" 2>/dev/null | grep -v "example\|template\|placeholder\|your-\|<\|TODO" || true)
+        if [ -n "$matches" ]; then
+            warn "Possible secret in $f - review manually"
+        fi
+    fi
+done
+pass "Secret scan complete"
+echo ""
+
+# 3. Check gateway security (if clawdbot config exists)
+echo "🌐 Checking gateway configuration..."
+CONFIG_FILE="$HOME/.clawdbot/clawdbot.json"
+if [ -f "$CONFIG_FILE" ]; then
+    # Check if gateway is bound to loopback
+    if grep -q '"bind".*"loopback"' "$CONFIG_FILE"; then
+        pass "Gateway bound to loopback (not exposed)"
+    else
+        warn "Gateway may not be bound to loopback - check config"
+    fi
+    
+    # Check if Telegram uses pairing
+    if grep -q '"dmPolicy".*"pairing"' "$CONFIG_FILE"; then
+        pass "Telegram DM policy uses pairing"
+    fi
+else
+    echo "   No clawdbot config found"
+fi
+echo ""
+
+# 4. Check AGENTS.md for security rules
+echo "📋 Checking AGENTS.md for security rules..."
+if [ -f "AGENTS.md" ]; then
+    if grep -qi "injection\|external content\|never execute" "AGENTS.md"; then
+        pass "AGENTS.md contains injection defense rules"
+    else
+        warn "AGENTS.md may be missing prompt injection defense"
+    fi
+    
+    if grep -qi "deletion\|confirm.*delet\|trash" "AGENTS.md"; then
+        pass "AGENTS.md contains deletion confirmation rules"
+    else
+        warn "AGENTS.md may be missing deletion confirmation rules"
+    fi
+else
+    warn "No AGENTS.md found"
+fi
+echo ""
+
+# 5. Check for skills from untrusted sources
+echo "📦 Checking installed skills..."
+SKILL_DIR="skills"
+if [ -d "$SKILL_DIR" ]; then
+    skill_count=$(find "$SKILL_DIR" -maxdepth 1 -type d | wc -l)
+    echo "   Found $((skill_count - 1)) installed skills"
+    pass "Review skills manually for trustworthiness"
+else
+    echo "   No skills directory found"
+fi
+echo ""
+
+# 6. Check .gitignore
+echo "📄 Checking .gitignore..."
+if [ -f ".gitignore" ]; then
+    if grep -q "\.credentials" ".gitignore"; then
+        pass ".credentials is gitignored"
+    else
+        fail ".credentials is NOT in .gitignore"
+    fi
+    
+    if grep -q "\.env" ".gitignore"; then
+        pass ".env files are gitignored"
+    else
+        warn ".env files may not be gitignored"
+    fi
+else
+    warn "No .gitignore found"
+fi
+echo ""
+
+# Summary
+echo "=================================="
+echo "📊 Summary"
+echo "=================================="
+if [ $ISSUES -eq 0 ] && [ $WARNINGS -eq 0 ]; then
+    echo -e "${GREEN}All checks passed!${NC}"
+elif [ $ISSUES -eq 0 ]; then
+    echo -e "${YELLOW}$WARNINGS warning(s), 0 issues${NC}"
+else
+    echo -e "${RED}$ISSUES issue(s), $WARNINGS warning(s)${NC}"
+fi
+echo ""
+echo "Run this audit periodically to maintain security."