惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Security Archives - TechRepublic
Security Archives - TechRepublic
T
The Exploit Database - CXSecurity.com
P
Proofpoint News Feed
Scott Helme
Scott Helme
NISL@THU
NISL@THU
Cisco Talos Blog
Cisco Talos Blog
C
Cybersecurity and Infrastructure Security Agency CISA
AWS News Blog
AWS News Blog
V
Vulnerabilities – Threatpost
J
Java Code Geeks
U
Unit 42
The GitHub Blog
The GitHub Blog
H
Help Net Security
T
Tenable Blog
aimingoo的专栏
aimingoo的专栏
Jina AI
Jina AI
Spread Privacy
Spread Privacy
Apple Machine Learning Research
Apple Machine Learning Research
人人都是产品经理
人人都是产品经理
L
Lohrmann on Cybersecurity
T
Threatpost
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Engineering at Meta
Engineering at Meta
A
About on SuperTechFans
I
InfoQ
Microsoft Azure Blog
Microsoft Azure Blog
B
Blog
L
LINUX DO - 最新话题
K
Kaspersky official blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
T
Threat Research - Cisco Blogs
C
Check Point Blog
T
The Blog of Author Tim Ferriss
有赞技术团队
有赞技术团队
宝玉的分享
宝玉的分享
Help Net Security
Help Net Security
Google DeepMind News
Google DeepMind News
A
Arctic Wolf
Y
Y Combinator Blog
N
News | PayPal Newsroom
M
MIT News - Artificial intelligence
Latest news
Latest news
H
Hacker News: Front Page
Blog — PlanetScale
Blog — PlanetScale
腾讯CDC
I
Intezer
爱范儿
爱范儿
F
Fortinet All Blogs
P
Palo Alto Networks Blog
C
CERT Recently Published Vulnerability Notes

Recent Commits to openclaw:main

test: merge chat side-result checks · openclaw/openclaw@ddd2c2a test: merge cron history checks · openclaw/openclaw@f7eb746 test: merge responsive navigation shell checks · openclaw/openclaw@c2e4b47 docs(changelog): add codex oauth fixes · openclaw/openclaw@628e6cd test: merge navigation routing cases · openclaw/openclaw@5d8cecb Tests: mock channel registry bundled fallback · openclaw/openclaw@2b08233 Secrets: avoid broad web search discovery for single plugin config · openclaw/openclaw@a464f59 test: merge config view browser checks · openclaw/openclaw@20cf511 fix(status): align oauth health with runtime · openclaw/openclaw@eed7116 feat: add macOS screen snapshots for monitor preview (#67954) thanks … · openclaw/openclaw@f377db1 fix: report shared auth scopes in hello-ok (#67810) thanks @BunsDev · openclaw/openclaw@0b6c39b Auto-reply: avoid eager bundled route fallback · openclaw/openclaw@3ea1bf4 Tests: narrow session binding contract setup · openclaw/openclaw@54e4e16 fix(macOS): enable undo/redo in webchat composer text input (#34962) · openclaw/openclaw@00951dc Tests: speed up channel setup promotion · openclaw/openclaw@82b529a Docs: refresh agent instructions · openclaw/openclaw@5775fe2 fix(auth): serialize OAuth refresh across agents to fix #26322 (#67876) · openclaw/openclaw@8e79080 test: allow ollama public surface boundary test · openclaw/openclaw@7d4f1a6 Docs: add test performance guardrails · openclaw/openclaw@89706d3 Tests: restore context-engine usage proof · openclaw/openclaw@e4c4f95 Tests: slim context engine runtime coverage · openclaw/openclaw@74c198f ci: retry failed custom checkouts · openclaw/openclaw@0ee5baf test: trim duplicate provider auth onboarding cases · openclaw/openclaw@1ffc02e matrix: fix sessions_spawn --thread subagent session spawning (#67643) · openclaw/openclaw@1ce2596 test: reduce auth choice fixture churn · openclaw/openclaw@857b9cd test: mock health status config boundaries · openclaw/openclaw@9d5ab4a test: mock onboard config io boundary · openclaw/openclaw@299694d test: mock legacy state plugin boundaries · openclaw/openclaw@2713089 test: mock channel install boundaries · openclaw/openclaw@b945248 test: mock doctor preview channel boundaries · openclaw/openclaw@b1a3ad4 test: trim doctor command hotspots · openclaw/openclaw@c66f16a test: isolate agent auth and spawn hotspots · openclaw/openclaw@9285935 test: stabilize MCP startup disposal race · openclaw/openclaw@dd9d2eb test: merge browser contract server suites · openclaw/openclaw@5817a76 test: narrow ollama provider discovery setup · openclaw/openclaw@a0d9598 build: declare qa-lab aimock runtime dependency · openclaw/openclaw@24431e5 test: speed up safe-bins exec harness · openclaw/openclaw@ee856ab test: preserve tool helpers in embedded runner mocks · openclaw/openclaw@acd86a0 refactor: move memory embeddings into provider plugins · openclaw/openclaw@77e6e4c test: reuse system-run temp fixtures · openclaw/openclaw@7e9ff0f test: trim hotspot wait overhead · openclaw/openclaw@12a59b0 Check: avoid duplicate boundary prep · openclaw/openclaw@baf11b8 test: reduce hotspot fixture overhead · openclaw/openclaw@3a59edd feat(ui): overhaul settings and slash command UX (#67819) thanks @Bun… · openclaw/openclaw@2cfb660 QA Matrix: exit cleanly on failure · openclaw/openclaw@42805d2 QA Matrix: isolate scenario coverage · openclaw/openclaw@7e659e1 Matrix: refresh crypto bootstrap state · openclaw/openclaw@94081d8 QA Lab: add provider registry · openclaw/openclaw@bb7e982 Matrix: add plugin changelog · openclaw/openclaw@4acab55 test: trim more hotspot overhead · openclaw/openclaw@f485311 test: trim remaining hotspot tests · openclaw/openclaw@6ba8626 test: narrow hotspot mocks · openclaw/openclaw@dbc8179 test: isolate gemini embedding request helpers · openclaw/openclaw@cd330f5 test: trim memory and mcp hotspots · openclaw/openclaw@fd48dfa test: slim provider registry mocks · openclaw/openclaw@2e08c77 test: harden Parallels update smoke · openclaw/openclaw@1a98090 feat: default Anthropic to Opus 4.7 · openclaw/openclaw@628b454 fix: harden node-host shell payload mutability checks · openclaw/openclaw@75c551e fix: land node-host approval binding for native binaries (#66731) (th… · openclaw/openclaw@29919bb CI: add daily schedule to CodeQL workflow (#67645) · openclaw/openclaw@69d25f5 fix(gateway): capture config hash after plugin auto-enable to prevent… · openclaw/openclaw@8c11210 fix: repair sanitized replay tool results before send (#67620) (thank… · openclaw/openclaw@c3c7a99 fix: restrict HTML timeout short-circuit to transient statuses · openclaw/openclaw@de129a6 fix: keep TUI watchdog bound to active run (#67401) (thanks @xantorres) · openclaw/openclaw@3525273 Gateway/skills: dedupe skills prefix-match + drop dead fallback on log · openclaw/openclaw@d7f489f Extensions/lmstudio: back off inference preload after consecutive fai… · openclaw/openclaw@b555214 TUI/streaming: add watchdog that resets the activity indicator after … · openclaw/openclaw@f44ab20 Agents/tool-loop: enable unknown-tool stream guard by default · openclaw/openclaw@36ed367 Gateway/skills: invalidate session skills snapshot on config write · openclaw/openclaw@b23d59a fix: classify HTML provider error pages correctly (#67642) (thanks @s… · openclaw/openclaw@e588e90 fix(skills): remove unused model-usage import (#67641) · openclaw/openclaw@55f05df docs(changelog): credit codex fix superseded PRs · openclaw/openclaw@e485f24 fix(openai-codex): normalize stale transport metadata in resolution a… · openclaw/openclaw@90801ba CI: pin Docker-related GitHub Actions (#67632) · openclaw/openclaw@f697b01 Android: modernize WebView and discovery API usage (#67627) · openclaw/openclaw@44a6e50 fix(deps): bump hono to 4.12.14 and @hono/node-server to 1.19.14 (GHS… · openclaw/openclaw@fbccc18 fix(deps): bump dompurify to 3.4.0 (#67614) · openclaw/openclaw@2c2dc00 CI: add explicit permissions to all workflow jobs (fixes code-scannin… · openclaw/openclaw@01b7516 fix: register bundled TTS providers and route overrides correctly (#6… · openclaw/openclaw@6ea3cdd fix: align host tilde paths with OS home (#62804) (thanks @stainlu) · openclaw/openclaw@ecfaf64 fix: flush creds queue before reconnect socket open (#67464) (thanks … · openclaw/openclaw@405c63f fix: strip standalone <function> tool call tags from visible text (#6… · openclaw/openclaw@78df859 fix(agents): preserve cli session metadata before transcript persist … · openclaw/openclaw@898fd04 docs(changelog): move cli transcript entry · openclaw/openclaw@c1817c6 fix(agents): normalize cli transcript api field · openclaw/openclaw@3a3fae0 docs(changelog): note cli transcript persistence · openclaw/openclaw@6c343f1 fix(agents): persist cli transcript turns · openclaw/openclaw@b8ef507 fix(msteams): harden security-sensitive flows (#65841) · openclaw/openclaw@c56b56e [Dashboard] Fix exec approval modal overflow for long command content… · openclaw/openclaw@053c5b0 Docs: remove QA changelog entry · openclaw/openclaw@7fd5771 QA: fix private runtime source loading (#67428) · openclaw/openclaw@d5933af docs(gateway): correct protocol.md schema path, hello-ok example, aut… · openclaw/openclaw@489404d CI: pin Node 22 runners to 22.18.0 · openclaw/openclaw@4ffa621 models.authStatus: normalize provider ids + tighten env-backed escape… · openclaw/openclaw@f2fdb9d Update CHANGELOG.md · openclaw/openclaw@7694a92 test(parallels): clean up npm update guard jobs · openclaw/openclaw@045ea7b Plugins: prefer scanDir override paths · openclaw/openclaw@b2974da fix(dreaming): default storage.mode to "separate" so phase blocks sto… · openclaw/openclaw@8c392f0 fix(memory-core): skip dreaming transcript ingestion via session stor… · openclaw/openclaw@a1b01f0 fix: dedupe replayed exec.finished node events (#67281) · openclaw/openclaw@5dcf526
perf: lazy-load heavy test imports · openclaw/openclaw@75fcb8c
steipete · 2026-04-26 · via Recent Commits to openclaw:main

@@ -5,11 +5,6 @@

55

*/

66

import fs from "node:fs/promises";

77

import path from "node:path";

8-

import { resolveDefaultAgentId } from "../agents/agent-scope.js";

9-

import { SANDBOX_BROWSER_SECURITY_HASH_EPOCH } from "../agents/sandbox/constants.js";

10-

import { execDockerRaw, type ExecDockerRawResult } from "../agents/sandbox/docker.js";

11-

import { resolveSkillSource } from "../agents/skills/source.js";

12-

import { listAgentWorkspaceDirs } from "../agents/workspace-dirs.js";

138

import { formatCliCommand } from "../cli/command-format.js";

149

import { MANIFEST_KEY } from "../compat/legacy-names.js";

1510

import type { OpenClawConfig, ConfigFileSnapshot } from "../config/config.js";

@@ -20,19 +15,10 @@ import {

2015

normalizeOptionalLowercaseString,

2116

normalizeOptionalString,

2217

} from "../shared/string-coerce.js";

23-

import {

24-

formatPermissionDetail,

25-

formatPermissionRemediation,

26-

inspectPathPermissions,

27-

safeStat,

28-

} from "./audit-fs.js";

2918

import { extensionUsesSkippedScannerPath, isPathInside } from "./scan-paths.js";

3019

import type { SkillScanFinding } from "./skill-scanner.js";

31-

import * as skillScanner from "./skill-scanner.js";

3220

import type { ExecFn } from "./windows-acl.js";

332134-

export { collectPluginsTrustFindings } from "./audit-plugins-trust.js";

35-3622

export type SecurityAuditFinding = {

3723

checkId: string;

3824

severity: "info" | "warn" | "critical";

@@ -41,10 +27,16 @@ export type SecurityAuditFinding = {

4127

remediation?: string;

4228

};

432930+

type CollectPluginsTrustFindingsParams = Parameters<

31+

typeof import("./audit-plugins-trust.js").collectPluginsTrustFindings

32+

>[0];

33+

type SkillScanSummary = Awaited<

34+

ReturnType<typeof import("./skill-scanner.js").scanDirectoryWithSummary>

35+

>;

4436

type ExecDockerRawFn = (

4537

args: string[],

4638

opts?: { allowFailure?: boolean; input?: Buffer | string; signal?: AbortSignal },

47-

) => Promise<ExecDockerRawResult>;

39+

) => Promise<import("../agents/sandbox/docker.js").ExecDockerRawResult>;

48404941

type CodeSafetySummaryCache = Map<string, Promise<unknown>>;

5042

type WorkspaceSkillScanLimits = {

@@ -91,6 +83,18 @@ function realpathWithTimeout(p: string, timeoutMs = 2000): Promise<string | null

9183

}

9284

let skillsModulePromise: Promise<typeof import("../agents/skills.js")> | undefined;

9385

let configModulePromise: Promise<typeof import("../config/config.js")> | undefined;

86+

let agentScopeModulePromise: Promise<typeof import("../agents/agent-scope.js")> | undefined;

87+

let agentWorkspaceDirsModulePromise:

88+

| Promise<typeof import("../agents/workspace-dirs.js")>

89+

| undefined;

90+

let skillSourceModulePromise: Promise<typeof import("../agents/skills/source.js")> | undefined;

91+

let sandboxDockerModulePromise: Promise<typeof import("../agents/sandbox/docker.js")> | undefined;

92+

let sandboxConstantsModulePromise:

93+

| Promise<typeof import("../agents/sandbox/constants.js")>

94+

| undefined;

95+

let auditPluginsTrustModulePromise: Promise<typeof import("./audit-plugins-trust.js")> | undefined;

96+

let auditFsModulePromise: Promise<typeof import("./audit-fs.js")> | undefined;

97+

let skillScannerModulePromise: Promise<typeof import("./skill-scanner.js")> | undefined;

94989599

function loadSkillsModule() {

96100

skillsModulePromise ??= import("../agents/skills.js");

@@ -102,10 +106,87 @@ function loadConfigModule() {

102106

return configModulePromise;

103107

}

104108109+

function loadAuditFsModule() {

110+

auditFsModulePromise ??= import("./audit-fs.js");

111+

return auditFsModulePromise;

112+

}

113+114+

function loadAgentScopeModule() {

115+

agentScopeModulePromise ??= import("../agents/agent-scope.js");

116+

return agentScopeModulePromise;

117+

}

118+119+

function loadAgentWorkspaceDirsModule() {

120+

agentWorkspaceDirsModulePromise ??= import("../agents/workspace-dirs.js");

121+

return agentWorkspaceDirsModulePromise;

122+

}

123+124+

function loadSkillSourceModule() {

125+

skillSourceModulePromise ??= import("../agents/skills/source.js");

126+

return skillSourceModulePromise;

127+

}

128+129+

function loadSkillScannerModule() {

130+

skillScannerModulePromise ??= import("./skill-scanner.js");

131+

return skillScannerModulePromise;

132+

}

133+134+

async function loadExecDockerRaw(): Promise<ExecDockerRawFn> {

135+

sandboxDockerModulePromise ??= import("../agents/sandbox/docker.js");

136+

const { execDockerRaw } = await sandboxDockerModulePromise;

137+

return execDockerRaw;

138+

}

139+140+

async function loadSandboxBrowserSecurityHashEpoch(): Promise<string> {

141+

sandboxConstantsModulePromise ??= import("../agents/sandbox/constants.js");

142+

const { SANDBOX_BROWSER_SECURITY_HASH_EPOCH } = await sandboxConstantsModulePromise;

143+

return SANDBOX_BROWSER_SECURITY_HASH_EPOCH;

144+

}

145+146+

export async function collectPluginsTrustFindings(

147+

params: CollectPluginsTrustFindingsParams,

148+

): Promise<SecurityAuditFinding[]> {

149+

auditPluginsTrustModulePromise ??= import("./audit-plugins-trust.js");

150+

const { collectPluginsTrustFindings: collect } = await auditPluginsTrustModulePromise;

151+

return await collect(params);

152+

}

153+105154

// --------------------------------------------------------------------------

106155

// Helpers

107156

// --------------------------------------------------------------------------

108157158+

async function safeStat(targetPath: string): Promise<{

159+

ok: boolean;

160+

isSymlink: boolean;

161+

isDir: boolean;

162+

mode: number | null;

163+

uid: number | null;

164+

gid: number | null;

165+

error?: string;

166+

}> {

167+

try {

168+

const lst = await fs.lstat(targetPath);

169+

return {

170+

ok: true,

171+

isSymlink: lst.isSymbolicLink(),

172+

isDir: lst.isDirectory(),

173+

mode: typeof lst.mode === "number" ? lst.mode : null,

174+

uid: typeof lst.uid === "number" ? lst.uid : null,

175+

gid: typeof lst.gid === "number" ? lst.gid : null,

176+

};

177+

} catch (err) {

178+

return {

179+

ok: false,

180+

isSymlink: false,

181+

isDir: false,

182+

mode: null,

183+

uid: null,

184+

gid: null,

185+

error: String(err),

186+

};

187+

}

188+

}

189+109190

function expandTilde(p: string, env: NodeJS.ProcessEnv): string | null {

110191

if (!p.startsWith("~")) {

111192

return p;

@@ -197,7 +278,7 @@ async function getCodeSafetySummary(params: {

197278

dirPath: string;

198279

includeFiles?: string[];

199280

summaryCache?: CodeSafetySummaryCache;

200-

}): Promise<Awaited<ReturnType<typeof skillScanner.scanDirectoryWithSummary>>> {

281+

}): Promise<SkillScanSummary> {

201282

const cacheKey = buildCodeSafetySummaryCacheKey({

202283

dirPath: params.dirPath,

203284

includeFiles: params.includeFiles,

@@ -206,14 +287,16 @@ async function getCodeSafetySummary(params: {

206287

if (cache) {

207288

const hit = cache.get(cacheKey);

208289

if (hit) {

209-

return (await hit) as Awaited<ReturnType<typeof skillScanner.scanDirectoryWithSummary>>;

290+

return (await hit) as SkillScanSummary;

210291

}

292+

const skillScanner = await loadSkillScannerModule();

211293

const pending = skillScanner.scanDirectoryWithSummary(params.dirPath, {

212294

includeFiles: params.includeFiles,

213295

});

214296

cache.set(cacheKey, pending);

215297

return await pending;

216298

}

299+

const skillScanner = await loadSkillScannerModule();

217300

return await skillScanner.scanDirectoryWithSummary(params.dirPath, {

218301

includeFiles: params.includeFiles,

219302

});

@@ -388,7 +471,10 @@ export async function collectSandboxBrowserHashLabelFindings(params?: {

388471

execDockerRawFn?: ExecDockerRawFn;

389472

}): Promise<SecurityAuditFinding[]> {

390473

const findings: SecurityAuditFinding[] = [];

391-

const execFn = params?.execDockerRawFn ?? execDockerRaw;

474+

const [execFn, browserHashEpoch] = await Promise.all([

475+

params?.execDockerRawFn ? Promise.resolve(params.execDockerRawFn) : loadExecDockerRaw(),

476+

loadSandboxBrowserSecurityHashEpoch(),

477+

]);

392478

const containers = await listSandboxBrowserContainers(execFn);

393479

if (!containers || containers.length === 0) {

394480

return findings;

@@ -406,7 +492,7 @@ export async function collectSandboxBrowserHashLabelFindings(params?: {

406492

if (!labels.configHash) {

407493

missingHash.push(containerName);

408494

}

409-

if (labels.epoch !== SANDBOX_BROWSER_SECURITY_HASH_EPOCH) {

495+

if (labels.epoch !== browserHashEpoch) {

410496

staleEpoch.push(containerName);

411497

}

412498

const portMappings = await readSandboxBrowserPortMappings({

@@ -444,7 +530,7 @@ export async function collectSandboxBrowserHashLabelFindings(params?: {

444530

title: "Sandbox browser container hash epoch is stale",

445531

detail:

446532

`Containers: ${staleEpoch.join(", ")}. ` +

447-

`Expected openclaw.browserConfigEpoch=${SANDBOX_BROWSER_SECURITY_HASH_EPOCH}.`,

533+

`Expected openclaw.browserConfigEpoch=${browserHashEpoch}.`,

448534

remediation: `${formatCliCommand("openclaw sandbox recreate --browser --all")} (add --force to skip prompt).`,

449535

});

450536

}

@@ -471,6 +557,7 @@ export async function collectWorkspaceSkillSymlinkEscapeFindings(params: {

471557

skillScanLimits?: WorkspaceSkillScanLimits;

472558

}): Promise<SecurityAuditFinding[]> {

473559

const findings: SecurityAuditFinding[] = [];

560+

const { listAgentWorkspaceDirs } = await loadAgentWorkspaceDirsModule();

474561

const workspaceDirs = listAgentWorkspaceDirs(params.cfg);

475562

if (workspaceDirs.length === 0) {

476563

return findings;

@@ -589,6 +676,9 @@ export async function collectIncludeFilePermFindings(params: {

589676

return findings;

590677

}

591678679+

const { formatPermissionDetail, formatPermissionRemediation, inspectPathPermissions } =

680+

await loadAuditFsModule();

681+592682

for (const p of includePaths) {

593683

const perms = await inspectPathPermissions(p, {

594684

env: params.env,

@@ -655,6 +745,8 @@ export async function collectStateDeepFilesystemFindings(params: {

655745

}): Promise<SecurityAuditFinding[]> {

656746

const findings: SecurityAuditFinding[] = [];

657747

const oauthDir = resolveOAuthDir(params.env, params.stateDir);

748+

const { formatPermissionDetail, formatPermissionRemediation, inspectPathPermissions } =

749+

await loadAuditFsModule();

658750659751

const oauthPerms = await inspectPathPermissions(oauthDir, {

660752

env: params.env,

@@ -703,6 +795,7 @@ export async function collectStateDeepFilesystemFindings(params: {

703795

)

704796

.filter(Boolean)

705797

: [];

798+

const { resolveDefaultAgentId } = await loadAgentScopeModule();

706799

const defaultAgentId = resolveDefaultAgentId(params.cfg);

707800

const ids = Array.from(new Set([defaultAgentId, ...agentIds])).map((id) => normalizeAgentId(id));

708801

@@ -943,6 +1036,10 @@ export async function collectInstalledSkillsCodeSafetyFindings(params: {

9431036

const findings: SecurityAuditFinding[] = [];

9441037

const pluginExtensionsDir = path.join(params.stateDir, "extensions");

9451038

const scannedSkillDirs = new Set<string>();

1039+

const [{ listAgentWorkspaceDirs }, { resolveSkillSource }] = await Promise.all([

1040+

loadAgentWorkspaceDirsModule(),

1041+

loadSkillSourceModule(),

1042+

]);

9461043

const workspaceDirs = listAgentWorkspaceDirs(params.cfg);

9471044

const { loadWorkspaceSkillEntries } = await loadSkillsModule();

9481045