aigsec

EdgeOne ClawScan

Author: aigsec · GitHub ↗ · v1.0.15 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 3284
Favorites: 124
Current installs: 36
Versions: 16
Install in OpenClaw
/install edgeone-clawscan
Description
The first security skill to install after setting up OpenClaw — powered by Tencent Zhuque Lab. Works like an antivirus for your AI environment: audits instal...
Safe-use recommendations
Install only if you are comfortable with the disclosed Tencent lookups or set AIG_CLOUD_LOOKUP=off first. Be careful with the post-scan memory prompt: accepting it makes this scanner affect future skill installs across all projects, so decline it unless that global behavior is what you want.
Capability assessment
Purpose & Capability
The stated purpose matches the main capabilities: OpenClaw security auditing, installed-skill review, optional Tencent A.I.G lookups, and a local Gateway probe. These actions are disclosed and relevant to a security scanner.
Instruction Scope
The trigger list includes broad phrases such as "security" and "verify skill", but the artifact also gives explicit boundaries limiting use to OpenClaw security scans or skill safety reviews.
Install Mechanism
The package contains only SKILL.md and no executable installer, scripts, or package hooks. Runtime behavior depends on user-agent execution of documented commands and the existing openclaw binary.
Credentials
Network calls are enabled by default but are disclosed as two Tencent A.I.G lookups sending skill/source metadata or OpenClaw version, with AIG_CLOUD_LOOKUP=off documented for zero outbound mode. The live probe is also disclosed with production-use cautions.
Persistence & Privilege
After a full health check, the skill prompts to write a global memory that makes future skill installations automatically invoke this scanner across all projects; this is disclosed and consent-based, but broad, persistent, and not clearly scoped or revocable.
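How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install edgeone-clawscan
  3. After installation, invoke the Skill by name or trigger it with /edgeone-clawscan
  4. Provide the required inputs according to the Skill's parameter documentation to get structured output
Version history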
v1.0.15
edgeone-clawscan 1.0.15 introduces privacy controls and improved deployment safety:
- Added optional AIG_CLOUD_LOOKUP environment variable to fully disable all outbound HTTPS lookups (cloud threat/CVE, default is enabled).
- Documented minimum data sent when cloud lookup is enabled—never sends skill bodies, chats, or workspace files, only skill name, source label, or OpenClaw version.
- Added provenance and verification sections: clarify publisher, registry caveats, and checking against official releases.
- Cautions and pre-run checklist emphasize verifying the binary on PATH and taking care with live Gateway probes.
- Clarified setup for self-hosted threat intelligence, stricter air-gap guidance, and how to force local-only operation.
v1.0.14
edgeone-clawscan v1.0.14 Changelog
- Version bump to 1.0.14 with no file changes detected.
- All existing features, triggers, and documentation remain unchanged from previous release.
v1.0.13
No code or content changes detected in this release.
- Version update only; no user-facing functionality changes.
- All features, security behavior, and documentation remain as in the previous version.
v1.0.12
edgeone-clawscan 1.0.12 Changelog
- No code or content changes in this release.
- Version bump only; all features, usage, and behavior remain unchanged.
v1.0.11
edgeone-clawscan 1.0.11 Changelog
- Added a strict language detection and output rule: the skill now always matches the language of the user's triggering message for all outputs, enforced from the very start of execution.
- If the user's language cannot be determined, the output defaults to Chinese.
- All internal and final outputs are consistently produced in the detected language, with no mixing or silent switching.
- No code or functional changes beyond this documentation and process requirement.
v1.0.10
edgeone-clawscan 1.0.8
- Updated documentation with a comprehensive SKILL.md, including detailed descriptions of feature triggers, outbound requests, live probe behavior, and privacy boundaries.
- Clearly documented data handling and privacy guarantees for all scan steps and network activity.
- Outlined the exact audit workflow, including supply chain risk detection and local versus cloud check fallbacks.
- Added explicit use-case instructions and trigger boundaries for skill usage.
- Improved configuration and security declaration sections for full transparency.
v1.0.9
edgeone-clawscan 1.0.9 Changelog
- No file changes detected in this version.
- Behavior, features, and configuration remain unchanged from the previous release.
v1.0.8
edgeone-clawscan 1.0.8
- Added "auth: aigsec" field to support authentication.
- Added "license: MIT" and standardized metadata fields.
- Introduced detailed keyword and trigger entries for improved discoverability.
- Expanded tags list for better classification and filtering.
- No changes to scanning logic or functionality.
v1.0.7
edgeone-clawscan v1.0.7
- Added a clear privacy and external service disclosure section clarifying exactly what limited data is sent during cloud lookups, and that all other checks are strictly local.
- Updated Step 1 (配置审计, "Configuration Audit") reporting rules to treat built-in OpenClaw audit findings as "risk hints" and configuration risks, not as direct high-severity security incidents.
- Clarified language recommendations and reporting boundaries for configuration risk findings, emphasizing plain, action-oriented advice over alarming severity labels.
- All core scanning steps remain the same; updates are to transparency, privacy explanation, and precise reporting guidance.
v1.0.6
edgeone-clawscan 1.0.6
- No file changes detected in this version.
- No updates to feature set, configuration, or documentation.
- Behavior, interface, and output remain unchanged.
v1.0.5
edgeone-clawscan 1.0.5
- Improved resilience: Cloud threat intelligence and CVE advisory lookups are now best-effort only, never blocking the scan or the final report.
- Added automatic fallback to local skill audit if cloud APIs fail, timeout, or return invalid/empty results.
- When CVE advisory lookup is unavailable, the report now notes that vulnerability intelligence could not be fetched, instead of incorrectly reporting zero vulnerabilities.
- Ensured cloud lookup failures for individual skills do not prevent scanning of other skills or the completion of the report.
- More precise handling of skill verdicts, including treating cloud results as advisory (not authoritative) and using local evidence when discrepancies arise.
v1.0.4
edgeone-clawscan 1.0.4
- Improved handling and output mapping for "risky" skill verdicts in supply chain risk detection; now "risky" is contextualized and not treated as high risk by default.
- Minor adjustments to metadata format and `homepage` attribute.
- Updated description and internal naming consistency.
- No changes to code, APIs, workflows, or triggers.
v1.0.3
edgeone-clawscan 1.0.3
- Updated homepage and metadata link to point directly to the SKILL.md file location.
- No other content or functional changes detected.
v1.0.2
edgeone-clawscan v1.0.2
- Updated the Step 2 supply chain API endpoint to use HTTPS (`https://matrix.tencent.com/clawscan/skill_security`).
- Clarified cloud API usage for skill sources and registry-backed skills.
- No functional changes; documentation and workflow updated for increased clarity and secure API usage.
v1.0.1
edgeone-clawscan 1.0.1
- Added a fourth step, "隐私泄露风险检测" (Privacy Leakage Risk Self-Assessment), to the full OpenClaw security scan for explicit privacy exposure reporting.
- Documented clear guardrails for privacy analysis: no reading or summarizing user data, no privilege escalation, and findings must be based on explicit config and metadata.
- The audit workflow for OpenClaw environment now consists of four steps (was three).
- Various clarifications and updates to output rules and evidence sources for the new privacy risk step.
- Added homepage and metadata fields to SKILL.md for improved discoverability.
v1.0.0
edgeone-clawscan 1.0.0
- Initial release with OpenClaw security scanning powered by Tencent Zhuque Lab AI-Infra-Guard.
- Supports two main features: full OpenClaw environment security scans and individual skill/security audits.
- Integrates multi-step workflows: built-in security audit, supply chain risk detection (with cloud API), and CVE advisory lookup.
- Provides detailed local audit processes for registry, GitHub, or local skills, focused on key security and permission risks.
- Strictly limits scan triggers to explicit user security scan or audit requests; avoids false positives on routine operations.
Metadata
Slug edgeone-clawscan
Version 1.0.15
License MIT-0
Total installs 36
Current installs 36
Historical versions 16
FAQ

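What is EdgeOne ClawScan?

The first security skill to install after setting up OpenClaw — powered by Tencent Zhuque Lab. Works like an antivirus for your AI environment: audits instal... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 3284 cumulative downloads to date.

How do I install EdgeOne ClawScan?

Run the command "/install edgeone-clawscan" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is EdgeOne ClawScan free?

Yes. EdgeOne ClawScan is completely free, is released under the MIT-0 license, and can be freely downloaded, installed, and used.

Which platforms does EdgeOne ClawScan support?

EdgeOne ClawScan runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who develops EdgeOne ClawScan?

It is developed and maintained by aigsec (@aigsec); the current version is v1.0.15.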
