Integration Guide

Bring Security Scanning into Your Workflow

Plug ClawSafe into your CI/CD pipeline, automation scripts, or security review process through the REST API.

REST API

All functionality is exposed through a REST API that accepts and returns JSON. It is currently free to use, subject to rate limits.

POST /api/scan

Submit a scan job. Accepts either a URL (GitHub / ClawHub / ZIP) or a file upload (multipart).

Request Body
{
  "url": "https://github.com/user/skill-repo",
  "locale": "zh"
}

Response
{
  "id": "abc123",
  "status": "completed",
  "verdict": "dangerous",
  "risk_score": 87,
  "report_url": "https://clawsafe.dev/report/abc123"
}

GET /api/report/:id

Fetch the full report for the given ID, including the list of findings.

Response
{
  "id": "abc123",
  "verdict": "dangerous",
  "risk_score": 87,
  "findings": [
    {
      "category": "data_exfiltration",
      "severity": "critical",
      "title": "检测到可疑的 C2 通信",
      "description": "...",
      "confidence": 0.92
    }
  ],
  "summary": "该技能包含数据外泄行为..."
}

GitHub Actions Example

Scan skills automatically before a PR is merged and block the deployment of high-risk skills.

GitHub Actions
name: ClawSafe Security Scan

on:
  pull_request:
    paths:
      - 'skills/**'

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Scan skill with ClawSafe
        run: |
          # -f makes curl fail on an HTTP error instead of handing jq an error page
          RESULT=$(curl -sf -X POST https://clawsafe.dev/api/scan \
            -H "Content-Type: application/json" \
            -d '{"url": "${{ github.server_url }}/${{ github.repository }}/tree/${{ github.sha }}/skills"}')

          VERDICT=$(echo "$RESULT" | jq -r '.verdict // empty')
          SCORE=$(echo "$RESULT" | jq -r '.risk_score // empty')

          echo "Verdict: $VERDICT, Risk Score: $SCORE"

          # Fail closed: no verdict means the request failed or the scan is not finished
          if [ -z "$VERDICT" ]; then
            echo "::error::ClawSafe: no verdict returned (request failed or scan still pending)"
            exit 1
          fi

          if [ "$VERDICT" = "dangerous" ]; then
            echo "::error::ClawSafe: Dangerous skill detected (score: $SCORE)"
            exit 1
          fi

Shell Script Example

Quickly scan a skill during local development or in a CI environment.

bash
#!/bin/bash
# clawsafe-scan.sh - scan a local skill directory
set -euo pipefail

SKILL_DIR="${1:-}"
API_BASE="https://clawsafe.dev/api"

if [ -z "$SKILL_DIR" ] || [ ! -d "$SKILL_DIR" ]; then
  echo "用法: ./clawsafe-scan.sh <skill-dir>"
  exit 1
fi

# curl cannot upload a directory, so pack the skill into a ZIP first
# (assumes the multipart endpoint accepts a ZIP archive, as the URL form does)
TMP_DIR="$(mktemp -d)"
trap 'rm -rf "$TMP_DIR"' EXIT
ARCHIVE="$TMP_DIR/skill.zip"
(cd "$SKILL_DIR" && zip -qr "$ARCHIVE" .)

echo "正在扫描: $SKILL_DIR"

# -f: fail on HTTP errors instead of feeding an error page to jq
RESPONSE=$(curl -sf -X POST "$API_BASE/scan" \
  -F "files=@$ARCHIVE;type=application/zip" \
  -F "locale=zh")

VERDICT=$(echo "$RESPONSE" | jq -r '.verdict // empty')
SCORE=$(echo "$RESPONSE" | jq -r '.risk_score // empty')
URL=$(echo "$RESPONSE" | jq -r '.report_url // empty')

echo "Verdict: $VERDICT | Risk Score: $SCORE"
echo "报告: $URL"

# Only an explicit "safe" verdict passes; anything else, including a missing verdict, fails
[ "$VERDICT" = "safe" ] && exit 0 || exit 1

Rate Limits

Scan API (POST /api/scan)         10 requests/minute
Report lookup (GET /api/report)   60 requests/minute
Maximum file size                 10 MB
Concurrent scans                  3

For a higher quota, contact [email protected]
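An added example, not ClawSafe's own client code, that ties the two endpoints above to the rate limits: it submits a scan, polls GET /api/report/:id with backoff on HTTP 429, and gates on the full report (findings are only returned by GET) instead of on the POST response alone. Assumptions not stated on the page: a scan that is still running returns a status other than "completed", success is HTTP 200, and the fetch/sleep parameters are ours so the logic can be exercised offline.

```python
import json
import time
import urllib.error
import urllib.request

API_BASE = "https://clawsafe.dev/api"  # base URL shown on this page

def http_json(method, url, payload=None):
    """Send a JSON request; return (http_status, parsed_body), {} on HTTP error."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}

def wait_for_report(scan_id, fetch=http_json, attempts=20, delay=3.0, sleep=time.sleep):
    """Poll GET /api/report/:id; 429 is backed off (60/min limit). Assumes a pending scan has status != "completed"."""
    for _ in range(attempts):
        code, body = fetch("GET", f"{API_BASE}/report/{scan_id}")
        if code == 429:
            sleep(delay * 2)
            continue
        if code != 200:  # fail closed instead of letting a null verdict pass
            raise RuntimeError(f"report fetch failed with HTTP {code}")
        if body.get("status", "completed") == "completed":
            return body
        sleep(delay)
    raise TimeoutError(f"scan {scan_id} not complete after {attempts} polls")

def gate(report, max_score=50, blocking=("critical",)):
    """Return (allowed, reasons). Missing verdict or score blocks (fail closed)."""
    reasons = []
    verdict, score = report.get("verdict"), report.get("risk_score")
    if verdict is None or verdict == "dangerous":
        reasons.append(f"verdict is {verdict}")
    if score is None or score > max_score:
        reasons.append(f"risk_score {score} is not within the limit of {max_score}")
    reasons += [f"{f['severity']}: {f.get('title')}" for f in report.get("findings", [])
                if f.get("severity") in blocking]
    return not reasons, reasons

def scan_and_gate(url, max_score=50, locale="zh", fetch=http_json, sleep=time.sleep):
    code, body = fetch("POST", f"{API_BASE}/scan", {"url": url, "locale": locale})
    if code != 200 or "id" not in body:
        raise RuntimeError(f"scan submit failed with HTTP {code}")
    return gate(wait_for_report(body["id"], fetch, sleep=sleep), max_score)
```

In CI, call `scan_and_gate(url)` and exit non-zero when the first element of the result is False; the reasons list is what you print into the job log.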

View the full API documentation