Skip to content

Comments

fix: remove fs/process.env from scanner-flagged backend files#836

Merged
brunobuddy merged 4 commits intomainfrom
worktree-warnings
Feb 24, 2026
Merged

fix: remove fs/process.env from scanner-flagged backend files#836
brunobuddy merged 4 commits intomainfrom
worktree-warnings

Conversation

@brunobuddy
Copy link
Member

@brunobuddy brunobuddy commented Feb 24, 2026

Summary

When users install the manifest plugin via openclaw plugins install manifest, the OpenClaw security scanner flags three backend files with "Environment variable access combined with network send — possible credential harvesting". These are false positives caused by raw compiled NestJS files in dist/backend/ retaining literal process.env and fs imports.

This PR eliminates the scanner triggers by:

  • product-telemetry.ts: Removed fs imports (readFileSync/existsSync) and the file-based telemetry opt-out check — only the env-var check remains, matching how the plugin's own telemetry already works
  • version-check.service.ts: Replaced direct process.env access with NestJS ConfigService injection
  • agents.controller.ts: Removed fs imports and moved readLocalApiKey() to local-mode.constants.ts, replaced process.env with ConfigService

Test plan

  • Backend unit tests pass (94 suites, 1137 tests)
  • Frontend tests pass (51 suites, 623 tests)
  • Plugin build tests pass (9 suites, 141 tests)
  • TypeScript compiles cleanly (tsc --noEmit)

@codecov
Copy link

codecov bot commented Feb 24, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.67%. Comparing base (dc140f5) to head (15126ca).
⚠️ Report is 11 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main     #836      +/-   ##
==========================================
+ Coverage   92.56%   92.67%   +0.11%     
==========================================
  Files         182      183       +1     
  Lines        7353     7360       +7     
  Branches     2038     2038              
==========================================
+ Hits         6806     6821      +15     
+ Misses        435      429       -6     
+ Partials      112      110       -2
Flag Coverage Δ
backend 93.00% <100.00%> (+0.23%) ⬆️
frontend 94.22% <ø> (ø)
plugin 77.43% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@brunobuddy
fix: remove fs imports and process.env from scanner-flagged backend f…
a78bb23 
…iles

Remove readFileSync/existsSync from product-telemetry.ts and
agents.controller.ts to eliminate false-positive security scanner
warnings in the OpenClaw plugin. Replace direct process.env access
with NestJS ConfigService in version-check.service.ts and
agents.controller.ts. Move readLocalApiKey() to local-mode.constants.ts
for reuse without pulling in fs imports.
@brunobuddy
chore: add changeset for scanner warning fix
518e89c
@brunobuddy
fix: update deleteAgent test to use ConfigService mock
f8edf9f
@brunobuddy brunobuddy merged commit 4e75668 into main Feb 24, 2026
13 checks passed
@brunobuddy brunobuddy deleted the worktree-warnings branch February 24, 2026 05:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@brunobuddy