
feat: add Hush safety skill and proxy support for OpenClaw #37

Closed
byapparov wants to merge 1 commit into master from feat/openclaw-integration

@byapparov
Contributor

This PR introduces a dedicated safety layer for OpenClaw integration.

Changes:

  • Hush Skill for OpenClaw: A new modular skill () that implements before_tool_call (blocking sensitive files) and after_tool_call (redacting tool output).
  • Proxy Support: Verified support for OpenClaw's API traffic (ZhipuAI/Anthropic) with rehydration logic.
  • E2E Simulation: Added scripts/e2e-openclaw.ts to verify the full safety cycle without requiring a local OpenClaw installation.
  • Documentation: Updated README with setup instructions and added examples/team-config/.openclaw/ templates.

Verification:

  • Unit tests: tests/openclaw-plugin.test.ts
  • E2E simulation: npm run test:openclaw

@github-actions

github-actions Bot commented Mar 3, 2026

Coverage Report

| Status | Category | Percentage | Covered / Total |
| --- | --- | --- | --- |
| 🔵 | Lines | 81.09% | 326 / 402 |
| 🔵 | Statements | 79.95% | 351 / 439 |
| 🔵 | Functions | 76.66% | 46 / 60 |
| 🔵 | Branches | 71.2% | 183 / 257 |

File Coverage

Changed Files

| File | Stmts | Branches | Functions | Lines | Uncovered Lines |
| --- | --- | --- | --- | --- | --- |
| src/plugins/openclaw-hush.ts | 86.36% | 84.61% | 100% | 90% | 50, 60-61 |

Generated in workflow #112 for commit 0c64045 by the Vitest Coverage Report Action

@github-actions

github-actions Bot commented Mar 3, 2026

Code Review: OpenClaw Safety Skill Integration

Overview

Solid implementation of the two-layer defense model (local skill + proxy). The architecture is clean and well-documented. A few items to consider:


1. Redaction Logic

Good: Patterns in Redactor are comprehensive and ReDoS-safe.

Potential Gap: CLI table output with fixed-width columns could split PII mid-pattern. Example:

| email         | user@exa |
| ple.com       | ...      |

The email regex won't match across newlines. Consider whether this is in scope for OpenClaw tool outputs.

Minor (openclaw-hush.ts:48,53,59): The as string cast after redactor.redact() assumes the redactor returns a string. If input is unexpectedly an object, this could cause runtime issues. Consider:

const { content: redacted } = redactor.redact(output.stdout);
if (typeof redacted === 'string') output.stdout = redacted;

2. Streaming Integrity

Good: TokenVault.createStreamingRehydrator() (lines 87-225) handles split tokens across SSE chunks correctly with the partial token holdback logic.

Test Gap: The E2E gateway in scripts/e2e-openclaw.ts:56-72 buffers the full request body before processing. It doesn't exercise SSE streaming paths that the real proxy uses. Consider adding a streaming test case.


3. Security

Shell Bypass Vectors (sensitive-patterns.ts:36-38): stripShellMeta removes ` ' " $ ( ) { } but doesn't handle:

  • ANSI-C quoting: $'.env' → still reads .env
  • Environment variables: $HOME/.env or $CONFIG_PATH/id_rsa
  • Unicode/hex escapes in filenames

Consider expanding detection or documenting the threat model:

// Could add:
if (/\$[A-Z_]+/i.test(cmd)) { /* warn about var expansion */ }

Vault Memory Safety: Cleartext values live in memory. On crash/coredump, secrets could leak. This is acceptable given the local-only threat model but worth documenting.


4. Reliability

Missing Error Handling (openclaw-hush.ts:46-63): after_tool_call doesn't wrap redaction in try-catch. If the redactor throws (e.g., on malformed regex input), the tool output is lost. Consider:

try {
  const { content: redacted } = redactor.redact(output.stdout);
  output.stdout = redacted as string;
} catch {
  // Log warning but preserve original output
}

Upstream Failure (e2e-openclaw.ts:62): The gateway fetches upstream without try-catch. In production, network failures should return a proper error response rather than crashing the request handler.


Summary

| Area | Status |
| --- | --- |
| Redaction | ✅ Solid, minor type safety |
| Streaming | ✅ Good logic, missing E2E coverage |
| Security | ⚠️ Shell bypass vectors remain |
| Reliability | ⚠️ Missing error boundaries |

Ship-ready with optional hardening for shell bypass detection.


Reviewed SHA: 0c64045
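
The shell-quoting gaps listed under "3. Security" in the review above (ANSI-C quoting, variable expansion, hex escapes), sketched as a pre-execution check. This is an added example, not code from the PR, the review, or the Hush project; `SENSITIVE`, `decodeAnsiC`, `unquote` and `classifyCommand` are hypothetical names, and the two patterns stand in for the project's real list in sensitive-patterns.ts, which the page does not show.

```typescript
// Added example, not code from the PR. SENSITIVE and all function names are
// assumptions; the project's real patterns (sensitive-patterns.ts) are not shown.
const SENSITIVE: RegExp[] = [/(^|\/)\.env(\.|$)/, /(^|\/)id_rsa$/];

type Verdict = "allow" | "block" | "review";

// Decode escapes bash accepts inside $'...': \xHH, \uHHHH, \NNN (octal);
// any other escaped character is kept literally.
function decodeAnsiC(body: string): string {
  return body.replace(
    /\\(?:x([0-9a-fA-F]{1,2})|u([0-9a-fA-F]{1,4})|([0-7]{1,3})|(.))/g,
    (_m, hex?: string, uni?: string, oct?: string, ch?: string) => {
      const h = hex ?? uni;
      if (h !== undefined) return String.fromCharCode(parseInt(h, 16));
      if (oct !== undefined) return String.fromCharCode(parseInt(oct, 8));
      return ch ?? "";
    },
  );
}

// Heuristic unquoting (not a shell parser): resolve quoting to the text the
// shell would see, but keep "$" so expansions stay visible to the caller.
function unquote(cmd: string): string {
  return cmd
    .replace(/\$'((?:[^'\\]|\\.)*)'/g, (_m, body: string) => decodeAnsiC(body))
    .replace(/'([^']*)'/g, "$1")
    .replace(/"((?:[^"\\]|\\.)*)"/g, "$1")
    .replace(/\\(.)/g, "$1");
}

// block: a word names a sensitive file. review: the command contains an
// expansion ($VAR, ${VAR}, $(...), backticks) that cannot be resolved here.
function classifyCommand(cmd: string): Verdict {
  const flat = unquote(cmd);
  const words = flat.split(/[\s;|&<>=]+/).filter(Boolean);
  if (words.some((w) => SENSITIVE.some((re) => re.test(w)))) return "block";
  if (/`|\$[({]?[A-Za-z_]/.test(flat)) return "review";
  return "allow";
}

// Constructed sample commands covering the cases named in the review.
const samples = ["cat $'.env'", "cat $'\\x2eenv'", "cat $HOME/.env", 'cat "$CFG"', "ls src"];
const verdicts = samples.map(classifyCommand);
```

Decoding quoting before matching, instead of deleting quote characters, is what lets the `$'...'` and escape forms reach the same pattern as the plain filename; expansions that cannot be resolved statically are surfaced as "review" instead of being silently allowed.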

@byapparov byapparov closed this Mar 3, 2026
@byapparov byapparov deleted the feat/openclaw-integration branch March 3, 2026 10:25