
























@@ -153,6 +153,54 @@ description: test skill
153153expect(findings.some((f) => f.checkId === "plugins.code_safety.entry_escape")).toBe(true);
154154});
155155156+it("ignores install backup and debris dirs when scanning installed plugin roots", async () => {
157+const scanSpy = vi
158+.spyOn(skillScanner, "scanDirectoryWithSummary")
159+.mockImplementation(async (dirPath) => ({
160+scannedFiles: 1,
161+critical: dirPath.includes(`${path.sep}demo`) ? 1 : 0,
162+warn: 0,
163+info: 0,
164+findings: dirPath.includes(`${path.sep}demo`)
165+ ? [
166+{
167+ruleId: "dangerous-exec",
168+severity: "critical",
169+file: path.join(dirPath, "index.js"),
170+line: 1,
171+message: "dangerous exec",
172+evidence: "exec(...)",
173+},
174+]
175+ : [],
176+}));
177+178+try {
179+const tmpDir = await makeTmpDir("audit-scanner-install-debris");
180+for (const name of [
181+"demo",
182+".openclaw-install-backups",
183+"node_modules",
184+"old-plugin.backup-20260502",
185+"old-plugin.disabled.20260502",
186+"old-plugin.bak",
187+]) {
188+const pluginDir = path.join(tmpDir, "extensions", name);
189+await fs.mkdir(pluginDir, { recursive: true });
190+await fs.writeFile(path.join(pluginDir, "index.js"), "eval('1+1');");
191+}
192+193+const findings = await collectPluginsCodeSafetyFindings({ stateDir: tmpDir });
194+195+expect(scanSpy.mock.calls.map(([dirPath]) => path.basename(dirPath))).toEqual(["demo"]);
196+const codeSafetyFinding = findings.find((f) => f.checkId === "plugins.code_safety");
197+expect(codeSafetyFinding?.title).toContain('Plugin "demo"');
198+expect(findings.map((f) => f.title).join("\n")).not.toContain(".openclaw-install-backups");
199+} finally {
200+scanSpy.mockRestore();
201+}
202+});
203+156204it("surfaces manifest_parse_error finding when plugin package.json is malformed JSON", async () => {
157205const tmpDir = await makeTmpDir("audit-manifest-parse-error");
158206const pluginDir = path.join(tmpDir, "extensions", "broken-plugin");
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。