fix(clawsec-scanner): release 0.0.2 with real OpenClaw DAST harness

.github/workflows/skill-release.yml

@@ -898,6 +898,9 @@ jobs:
             npx clawhub@latest install ${{ steps.parse.outputs.skill_name }}
             ```
 
+            **If you already have `clawsec-suite` installed:**
+            Ask your agent to pull `${{ steps.parse.outputs.skill_name }}` from the ClawSec catalog and it will handle setup and verification automatically.
+
             **Manual download with verification:**
             ```bash
             # 1. Download the release archive, checksums, and signing material

README.md

@@ -159,7 +159,9 @@ See [`skills/clawsec-nanoclaw/INSTALL.md`](skills/clawsec-nanoclaw/INSTALL.md) f
 
 The **clawsec-suite** is a skill-of-skills manager that installs, verifies, and maintains security skills from the ClawSec catalog.
 
-### Skills in the Suite
+`clawsec-suite` is optional orchestration; skills can still be installed directly as standalone packages.
+
+### ClawSec Skills
 
 | Skill | Description | Installation | Compatibility |
 |-------|-------------|--------------|---------------|
@@ -433,8 +435,9 @@ npm run build
 │   ├── populate-local-wiki.sh # Local wiki llms export populator
 │   └── release-skill.sh       # Manual skill release helper
 ├── skills/
-│   ├── clawsec-suite/       # 📦 Suite installer (skill-of-skills)
+│   ├── clawsec-suite/       # 📦 Suite installer (skill-of-skills - start here and have your agent do the rest)
 │   ├── clawsec-feed/        # 📡 Advisory feed skill
+│   ├── clawsec-scanner/     # 🔍 Vulnerability scanner (deps + SAST + OpenClaw DAST)
 │   ├── clawsec-nanoclaw/    # 📱 NanoClaw platform security suite
 │   ├── clawsec-clawhub-checker/ # 🧪 ClawHub reputation checks
 │   ├── clawtributor/           # 🤝 Community reporting skill

skills/clawsec-scanner/CHANGELOG.md

@@ -5,6 +5,20 @@ All notable changes to the ClawSec Scanner will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.0.2] - 2026-03-10
+
+### Changed
+
+- Replaced simulated DAST checks with real OpenClaw hook execution harness testing
+- Updated DAST semantics so high-severity findings are emitted for actual hook execution failures/timeouts, not static payload pattern matches
+- Reclassified DAST harness capability limitations (for example missing TypeScript compiler for `.ts` hooks) to `info` coverage findings instead of high severity
+- Added DAST harness mode guard to prevent recursive scanner execution when hook handlers are tested in isolation
+
+### Added
+
+- New DAST helper executor script for isolated per-hook execution and timeout enforcement
+- DAST harness regression tests covering no-false-positive baseline and malicious-input crash detection
+
 ## [0.0.1] - 2026-02-27
 
 ### Added

skills/clawsec-scanner/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: clawsec-scanner
-version: 0.0.1
-description: Automated vulnerability scanner for agent platforms. Performs dependency scanning (npm audit, pip-audit), multi-database CVE lookup (OSV, NVD, GitHub Advisory), SAST analysis (Semgrep, Bandit), and basic DAST security testing for skill hooks.
+version: 0.0.2
+description: Automated vulnerability scanner for agent platforms. Performs dependency scanning (npm audit, pip-audit), multi-database CVE lookup (OSV, NVD, GitHub Advisory), SAST analysis (Semgrep, Bandit), and agent-specific DAST hook execution testing for OpenClaw hooks.
 homepage: https://clawsec.prompt.security
 clawdis:
   emoji: "🔍"
@@ -16,7 +16,7 @@ Comprehensive security scanner for agent platforms that automates vulnerability
 - **Dependency Scanning**: Analyzes npm and Python dependencies using `npm audit` and `pip-audit` with structured JSON output parsing
 - **CVE Database Integration**: Queries OSV (primary), NVD 2.0, and GitHub Advisory Database for vulnerability enrichment
 - **SAST Analysis**: Static code analysis using Semgrep (JavaScript/TypeScript) and Bandit (Python) to detect hardcoded secrets, command injection, path traversal, and unsafe deserialization
-- **DAST Framework**: Basic dynamic analysis for skill hook security testing (input validation, timeout enforcement)
+- **DAST Framework**: Agent-specific dynamic analysis with real OpenClaw hook execution harness (malicious input, timeout, output bounds, event mutation safety)
 - **Unified Reporting**: Consolidated vulnerability reports with severity classification and remediation guidance
 - **Continuous Monitoring**: OpenClaw hook integration for automated periodic scanning
 
@@ -43,8 +43,8 @@ The scanner orchestrates four complementary scan types to provide comprehensive
    - Identifies: hardcoded secrets (API keys, tokens), command injection (`eval`, `exec`), path traversal, unsafe deserialization
 
 4. **Dynamic Analysis (DAST)**
-   - Test framework for skill hook security validation
-   - Verifies: malicious input handling, timeout enforcement, resource limits
+   - Real hook execution harness for OpenClaw hook handlers discovered from `HOOK.md` metadata
+   - Verifies: malicious input resilience, timeout behavior, output amplification bounds, and core event mutation safety
    - Note: Traditional web DAST tools (ZAP, Burp) do not apply to agent platforms - this provides agent-specific testing
 
 ### Unified Reporting
@@ -248,7 +248,8 @@ scripts/runner.sh              # Orchestration layer
 ├── scan_dependencies.mjs      # npm audit + pip-audit
 ├── query_cve_databases.mjs    # OSV/NVD/GitHub API queries
 ├── sast_analyzer.mjs          # Semgrep + Bandit static analysis
-└── dast_runner.mjs            # Dynamic security testing
+├── dast_runner.mjs            # Dynamic security testing orchestration
+└── dast_hook_executor.mjs     # Isolated real hook execution harness
 
 lib/
 ├── report.mjs                 # Result aggregation and formatting
@@ -325,6 +326,11 @@ proc.on('close', code => {
 - Requires Python 3.8+ runtime
 - Alternative: use Docker image `returntocorp/semgrep`
 
+**"TypeScript hook not executable in DAST harness"**
+- The DAST harness executes real hook handlers and transpiles `handler.ts` files when a TypeScript compiler is available
+- Install TypeScript in the scanner environment: `npm install -D typescript` (or provide `handler.js`/`handler.mjs`)
+- Without a compiler, scanner reports an `info`-level coverage finding instead of a high-severity vulnerability
+
 **"Concurrent scan detected"**
 - Lockfile exists: `/tmp/clawsec-scanner.lock`
 - Wait for running scan to complete or manually remove lockfile
@@ -342,6 +348,7 @@ Check scanner is working correctly:
 node test/dependency_scanner.test.mjs
 node test/cve_integration.test.mjs
 node test/sast_engine.test.mjs
+node test/dast_harness.test.mjs
 
 # Validate skill structure
 python ../../utils/validate_skill.py .
@@ -364,6 +371,7 @@ done
 node test/dependency_scanner.test.mjs  # Dependency scanning
 node test/cve_integration.test.mjs     # CVE database APIs
 node test/sast_engine.test.mjs         # Static analysis
+node test/dast_harness.test.mjs        # DAST harness execution
 ```
 
 ### Linting
@@ -448,11 +456,11 @@ npx clawhub@latest install clawsec-suite
 
 ## Roadmap
 
-### v0.1.0 (Current)
+### v0.0.2 (Current)
 - [x] Dependency scanning (npm audit, pip-audit)
 - [x] CVE database integration (OSV, NVD, GitHub Advisory)
 - [x] SAST analysis (Semgrep, Bandit)
-- [x] Basic DAST framework for skill hooks
+- [x] Real OpenClaw hook execution harness for DAST
 - [x] Unified JSON reporting
 - [x] OpenClaw hook integration
 

skills/clawsec-scanner/hooks/clawsec-scanner-hook/HOOK.md

@@ -20,7 +20,7 @@ The hook orchestrates four independent scanning engines:
 1. **Dependency Scanning**: Executes `npm audit` and `pip-audit` to detect known vulnerabilities in JavaScript and Python dependencies
 2. **SAST (Static Analysis)**: Runs Semgrep (JS/TS) and Bandit (Python) to detect security issues like hardcoded secrets, command injection, and path traversal
 3. **CVE Database Lookup**: Queries OSV API (primary), NVD 2.0 (optional), and GitHub Advisory Database (optional) for vulnerability enrichment
-4. **DAST (Dynamic Analysis)**: Tests skill hook security including input validation, timeout enforcement, and resource limits
+4. **DAST (Dynamic Analysis)**: Executes real OpenClaw hook handlers in an isolated harness and tests malicious-input resilience, timeout behavior, output bounds, and event mutation safety
 
 ## Safety Contract
 

skills/clawsec-scanner/hooks/clawsec-scanner-hook/handler.ts

@@ -196,6 +196,11 @@ function buildAlertMessage(report: ScanReport, format: string): string {
 }
 
 const handler = async (event: HookEvent, _context: HookContext): Promise<void> => {
+  // DAST harness mode executes hook handlers directly; skip recursive scanner runs.
+  if (process.env.CLAWSEC_DAST_HARNESS === "1" || _context?.dastMode === true) {
+    return;
+  }
+
   if (!shouldHandleEvent(event)) return;
 
   const installRoot = configuredPath(