Fix: replace exec/spawn with open package and declare filesystem permissions

skills/agentguard/SKILL.md

@@ -7,6 +7,25 @@ metadata:
   author: GoPlusSecurity
   version: "1.1"
   optional_env: "GOPLUS_API_KEY, GOPLUS_API_SECRET (for Web3 transaction simulation only)"
+filesystem-access:
+  - path: "~/.ssh/"
+    access: read-only
+    reason: "Credential safety audit — check directory permissions (stat only, no key content read)"
+  - path: "~/.gnupg/"
+    access: read-only
+    reason: "Credential safety audit — check directory permissions (stat only)"
+  - path: "~/.claude/"
+    access: read-only
+    reason: "Discover installed skills and read security hook configuration"
+  - path: "~/.openclaw/"
+    access: read-only
+    reason: "Discover installed skills and read OpenClaw config for patrol checks"
+  - path: "~/.qclaw/"
+    access: read-only
+    reason: "Discover installed skills in QClaw environments"
+  - path: "~/.agentguard/"
+    access: read-write
+    reason: "Read/write audit log (audit.jsonl) and protection level config (config.json)"
 user-invocable: true
 allowed-tools: Read, Write, Grep, Glob, Bash(node *trust-cli.ts *) Bash(node *action-cli.ts *) Bash(*checkup-report.js) Bash(echo *checkup-report.js) Bash(cat *checkup-report.js) Bash(openclaw *) Bash(ss *) Bash(lsof *) Bash(ufw *) Bash(iptables *) Bash(crontab *) Bash(systemctl list-timers *) Bash(find *) Bash(stat *) Bash(env) Bash(sha256sum *) Bash(node *) Bash(cd *)
 argument-hint: "[scan|action|patrol|trust|report|config|checkup] [args...]"

skills/agentguard/package.json

@@ -2,6 +2,7 @@
   "private": true,
   "type": "module",
   "dependencies": {
-    "@goplus/agentguard": "^1.0.6"
+    "@goplus/agentguard": "^1.0.6",
+    "open": "11.0.0"
   }
 }

skills/agentguard/scripts/checkup-report.js

@@ -15,7 +15,7 @@
 import { writeFileSync, readFileSync, existsSync } from 'node:fs';
 import { join, dirname } from 'node:path';
 import { tmpdir, homedir } from 'node:os';
-import { exec, spawn } from 'node:child_process';
+import open from 'open';
 import { fileURLToPath } from 'node:url';
 
 const DIM_META = {
@@ -1376,20 +1376,7 @@ body{background:#0a0e14;color:#dfe2eb;font-family:'Inter',sans-serif}
   // the buffer is flushed, causing the caller (Claude) to receive an empty path.
   process.stdout.write(outPath + '\n', () => {
     if (!isHeadless) {
-      if (process.platform === 'win32') {
-        // Use PowerShell Start-Process to open the file via Shell Execute API,
-        // bypassing cmd.exe entirely — cmd /c start creates a visible intermediate
-        // window whose title is the file path, which is the UX bug in #23.
-        spawn('powershell', [
-          '-NoProfile', '-WindowStyle', 'Hidden', '-Command',
-          `Start-Process '${outPath.replace(/'/g, "''")}'`,
-        ], { detached: true, stdio: 'ignore', windowsHide: true }).unref();
-      } else {
-        const cmd = process.platform === 'darwin' ? 'open' : 'xdg-open';
-        exec(`${cmd} "${outPath}"`, (err) => {
-          if (err) process.stderr.write(`Could not open browser: ${err.message}\n`);
-        });
-      }
+      open(outPath).catch(err => process.stderr.write(`Could not open browser: ${err.message}\n`));
     }
     // Hard exit after 3s — guards against exec child process hanging and
     // blocking Node from exiting naturally (e.g. xdg-open on misconfigured Linux).