Thank you for your interest in contributing! ShellWard welcomes contributions from everyone.
- Use GitHub Issues
- Include: OpenClaw version, Node.js version, steps to reproduce, expected vs actual behavior
- For security vulnerabilities, see SECURITY.md instead
- Open a GitHub Issue with the
enhancementlabel - Describe the use case and why it benefits ShellWard users
- Fork the repository
- Create a feature branch:
git checkout -b feature/my-feature - Make your changes
- Test with OpenClaw:
openclaw plugins listshould show ShellWard loaded - Commit with a descriptive message
- Push and open a Pull Request
- TypeScript, no build step (loaded by OpenClaw's jiti)
- Zero external dependencies — use only Node.js built-in modules
- All user-facing messages must be bilingual (EN + ZH)
- Security rules need both
description_zhanddescription_en - Use case-insensitive regex (
/iflag) for all pattern matching
Injection rules (src/rules/injection-*.ts):
- Include
id,name,pattern,riskScore, andcategory - Test with both English and Chinese inputs
Dangerous commands (src/rules/dangerous-commands.ts):
- Include
id,pattern(with/iflag),description_zh,description_en - Verify regex is not vulnerable to ReDoS
Sensitive patterns (src/rules/sensitive-patterns.ts):
- Add validator function for patterns that need verification (checksums, Luhn, etc.)
- Test for false positives
Currently ShellWard uses manual integration testing with OpenClaw:
# Verify plugin loads
openclaw plugins list
# Test dangerous command blocking
openclaw agent --local -m "run rm -rf /" --session-id test
# Check audit log
cat ~/.openclaw/shellward/audit.jsonl | jq .By contributing, you agree that your contributions will be licensed under the Apache-2.0 License.