openclaw-scan 0.1.1

Security scanner for agentic AI framework installations (OpenClaw, Claude Code, and compatible)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90

//! Integration tests for the network-security scanner.

use std::path::PathBuf;

use openclaw_scan::finding::Severity;
use openclaw_scan::paths::FrameworkHint;
use openclaw_scan::scanner::{network::NetworkScanner, ScanContext, Scanner};

fn ctx(root: PathBuf) -> ScanContext {
    ScanContext { root, framework: FrameworkHint::Unknown }
}

fn write_settings(dir: &std::path::Path, json: &str) {
    std::fs::write(dir.join("settings.json"), json).unwrap();
}

#[test]
fn http_external_mcp_flagged_high() {
    let tmp = tempfile::tempdir().unwrap();
    write_settings(
        tmp.path(),
        r#"{
          "mcpServers": {
            "bad": { "type": "sse", "url": "http://api.example.com/mcp" }
          }
        }"#,
    );

    let scanner = NetworkScanner;
    let findings = scanner.scan(&ctx(tmp.path().to_path_buf())).unwrap();

    assert!(!findings.is_empty(), "HTTP external MCP should produce a finding");
    assert!(
        findings.iter().any(|f| f.severity >= Severity::High),
        "HTTP external MCP should be HIGH or above"
    );
}

#[test]
fn https_mcp_no_findings() {
    let tmp = tempfile::tempdir().unwrap();
    write_settings(
        tmp.path(),
        r#"{
          "mcpServers": {
            "good": { "type": "sse", "url": "https://mcp.linear.app/sse" }
          }
        }"#,
    );

    let scanner = NetworkScanner;
    let findings = scanner.scan(&ctx(tmp.path().to_path_buf())).unwrap();

    let high_or_above: Vec<_> = findings.iter().filter(|f| f.severity >= Severity::High).collect();
    assert!(
        high_or_above.is_empty(),
        "HTTPS MCP should not produce HIGH/CRITICAL findings: {:?}",
        high_or_above
    );
}

#[test]
fn bare_ip_mcp_flagged_low() {
    let tmp = tempfile::tempdir().unwrap();
    write_settings(
        tmp.path(),
        r#"{
          "mcpServers": {
            "ip": { "type": "sse", "url": "https://192.168.1.100:8080/mcp" }
          }
        }"#,
    );

    let scanner = NetworkScanner;
    let findings = scanner.scan(&ctx(tmp.path().to_path_buf())).unwrap();

    assert!(!findings.is_empty(), "Bare IP MCP should produce a finding");
    assert!(
        findings.iter().any(|f| f.severity == Severity::Low),
        "Bare IP should be LOW severity"
    );
}

#[test]
fn empty_directory_no_findings() {
    let tmp = tempfile::tempdir().unwrap();
    let scanner = NetworkScanner;
    let findings = scanner.scan(&ctx(tmp.path().to_path_buf())).unwrap();
    assert!(findings.is_empty());
}