fix: improve cross-platform compatibility for SKILL.md and setup.sh

SKILL.md:
- Add "Resolving Script Paths" section — Agent must cd to skill dir
  before running scripts (fixes path issues in OpenClaw/Docker)
- Widen allowed-tools patterns to support absolute paths
- Step 4: require cd <skill_directory> before running checkup-report.js
- Step 6: always output MEDIA:<filepath> for Telegram/Discord file
  delivery via OpenClaw sendDocument, in addition to channel-specific

setup.sh:
- Auto-detect platform: Claude Code (~/.claude) vs OpenClaw (~/.openclaw)
- Copy scripts/ directory + node_modules to skill install target
- Install npm dependencies in the target (avoids symlink issues)
- Support --uninstall across all platform locations
- Show platform-specific next-step instructions

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: 0xbeekeeper

setup.sh

@@ -2,12 +2,12 @@
 set -euo pipefail
 
 # GoPlus AgentGuard — One-click setup
-# Installs GoPlus AgentGuard as a Claude Code skill with automatic security hooks.
+# Supports: Claude Code, OpenClaw, ClawHub
+# Detects the platform and installs to the correct location.
 
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+SKILL_SRC="$SCRIPT_DIR/skills/agentguard"
 AGENTGUARD_DIR="$HOME/.agentguard"
-CLAUDE_DIR="$HOME/.claude"
-SKILLS_DIR="$CLAUDE_DIR/skills/agentguard"
 MIN_NODE_VERSION=18
 
 echo ""
@@ -36,21 +36,55 @@ if ! command -v npm &>/dev/null; then
   exit 1
 fi
 
+# ---- Detect platform ----
+detect_platform() {
+  # Check OpenClaw first (workspace skills or managed skills)
+  if [ -d "$HOME/.openclaw" ]; then
+    # Prefer workspace skills if workspace exists
+    if [ -d "$HOME/.openclaw/workspace" ]; then
+      SKILLS_DIR="$HOME/.openclaw/workspace/skills/agentguard"
+      PLATFORM="openclaw-workspace"
+    else
+      SKILLS_DIR="$HOME/.openclaw/skills/agentguard"
+      PLATFORM="openclaw-managed"
+    fi
+    return
+  fi
+
+  # Check Claude Code
+  if [ -d "$HOME/.claude" ]; then
+    SKILLS_DIR="$HOME/.claude/skills/agentguard"
+    PLATFORM="claude-code"
+    return
+  fi
+
+  # Fallback: create Claude Code dir (most common)
+  SKILLS_DIR="$HOME/.claude/skills/agentguard"
+  PLATFORM="claude-code"
+}
+
+detect_platform
+echo "  Platform detected: $PLATFORM"
+echo "  Install target:    $SKILLS_DIR"
+echo ""
+
 # ---- Uninstall mode ----
 if [ "${1:-}" = "--uninstall" ] || [ "${1:-}" = "uninstall" ]; then
   echo "  Uninstalling GoPlus AgentGuard..."
   rm -rf "$SKILLS_DIR" 2>/dev/null && echo "  Removed skill from $SKILLS_DIR" || true
+  # Also clean up other possible locations
+  rm -rf "$HOME/.claude/skills/agentguard" 2>/dev/null || true
+  rm -rf "$HOME/.openclaw/skills/agentguard" 2>/dev/null || true
+  rm -rf "$HOME/.openclaw/workspace/skills/agentguard" 2>/dev/null || true
   rm -rf "$AGENTGUARD_DIR" 2>/dev/null && echo "  Removed config from $AGENTGUARD_DIR" || true
   echo ""
   echo "  GoPlus AgentGuard has been uninstalled."
-  echo "  If you added it as a Claude Code plugin, also run:"
-  echo "    claude plugin remove agentguard"
   echo ""
   exit 0
 fi
 
 # ---- Step 1: Build the project ----
-echo "[1/4] Building GoPlus AgentGuard..."
+echo "[1/5] Building GoPlus AgentGuard..."
 if [ -f "$SCRIPT_DIR/package.json" ]; then
   cd "$SCRIPT_DIR"
   npm install --ignore-scripts 2>/dev/null
@@ -62,25 +96,47 @@ else
 fi
 
 # ---- Step 2: Install CLI dependencies ----
-echo "[2/4] Installing CLI dependencies..."
-if [ -d "$SCRIPT_DIR/skills/agentguard/scripts" ]; then
-  cd "$SCRIPT_DIR/skills/agentguard/scripts"
+echo "[2/5] Installing CLI dependencies..."
+if [ -d "$SKILL_SRC/scripts" ]; then
+  cd "$SKILL_SRC/scripts"
   npm install 2>/dev/null
   echo "  OK: CLI dependencies installed"
 fi
 
-# ---- Step 3: Copy skill to personal skills directory ----
-echo "[3/4] Installing skill..."
+# ---- Step 3: Copy skill files ----
+echo "[3/5] Installing skill files..."
 mkdir -p "$SKILLS_DIR"
-cp "$SCRIPT_DIR/skills/agentguard/SKILL.md" "$SKILLS_DIR/"
-cp "$SCRIPT_DIR/skills/agentguard/scan-rules.md" "$SKILLS_DIR/" 2>/dev/null || true
-cp "$SCRIPT_DIR/skills/agentguard/action-policies.md" "$SKILLS_DIR/" 2>/dev/null || true
-cp "$SCRIPT_DIR/skills/agentguard/web3-patterns.md" "$SKILLS_DIR/" 2>/dev/null || true
-cp "$SCRIPT_DIR/skills/agentguard/evals.md" "$SKILLS_DIR/" 2>/dev/null || true
-echo "  OK: Skill installed to $SKILLS_DIR"
-
-# ---- Step 4: Create config directory ----
-echo "[4/4] Setting up configuration..."
+for f in SKILL.md README.md scan-rules.md action-policies.md web3-patterns.md evals.md patrol-checks.md .clawignore; do
+  [ -f "$SKILL_SRC/$f" ] && cp "$SKILL_SRC/$f" "$SKILLS_DIR/" 2>/dev/null || true
+done
+echo "  OK: Skill files installed"
+
+# ---- Step 4: Copy scripts + node_modules ----
+echo "[4/5] Installing scripts and dependencies..."
+mkdir -p "$SKILLS_DIR/scripts"
+
+# Copy script files
+for f in checkup-report.js guard-hook.js auto-scan.js trust-cli.ts action-cli.ts package.json package-lock.json; do
+  [ -f "$SKILL_SRC/scripts/$f" ] && cp "$SKILL_SRC/scripts/$f" "$SKILLS_DIR/scripts/" 2>/dev/null || true
+done
+
+# Copy data directory
+if [ -d "$SKILL_SRC/scripts/data" ]; then
+  mkdir -p "$SKILLS_DIR/scripts/data"
+  cp -r "$SKILL_SRC/scripts/data/"* "$SKILLS_DIR/scripts/data/" 2>/dev/null || true
+fi
+
+# Install node_modules in the target (avoids symlink issues in containers)
+cd "$SKILLS_DIR/scripts"
+if [ -f "package.json" ]; then
+  npm install 2>/dev/null
+  echo "  OK: Scripts and dependencies installed"
+else
+  echo "  WARN: No package.json found in scripts directory"
+fi
+
+# ---- Step 5: Create config directory ----
+echo "[5/5] Setting up configuration..."
 mkdir -p "$AGENTGUARD_DIR"
 if [ ! -f "$AGENTGUARD_DIR/config.json" ]; then
   echo '{"level":"balanced"}' > "$AGENTGUARD_DIR/config.json"
@@ -97,7 +153,11 @@ echo "  ━━━━━━━━━━━━━━━━━━━━━━━━
 echo "  🦞 NEXT STEP: Run your first security checkup"
 echo "  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 echo ""
-echo "  Open Claude Code and type:"
+if [ "$PLATFORM" = "claude-code" ]; then
+  echo "  Open Claude Code and type:"
+else
+  echo "  Send your OpenClaw bot:"
+fi
 echo ""
 echo "    /agentguard checkup"
 echo ""
@@ -109,15 +169,13 @@ echo "    • Deliver the report directly to you"
 echo ""
 echo "  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 echo ""
+echo "  Installed to: $SKILLS_DIR"
+echo "  Platform:     $PLATFORM"
+echo ""
 echo "  Other commands:"
 echo "    /agentguard scan <path>    Scan code for security risks"
 echo "    /agentguard trust list     View trusted skills"
 echo "    /agentguard report         View security event log"
 echo ""
-echo "  Protection levels:"
-echo "    /agentguard config strict      Block all risky actions"
-echo "    /agentguard config balanced    Block dangerous, confirm risky (default)"
-echo "    /agentguard config permissive  Only block critical threats"
-echo ""
 echo "  To uninstall: ./setup.sh --uninstall"
 echo ""

skills/agentguard/SKILL.md

@@ -8,14 +8,27 @@ metadata:
   version: "1.1"
   optional_env: "GOPLUS_API_KEY, GOPLUS_API_SECRET (for Web3 transaction simulation only)"
 user-invocable: true
-allowed-tools: Read, Grep, Glob, Bash(node scripts/trust-cli.ts *) Bash(node scripts/action-cli.ts *) Bash(node scripts/checkup-report.js) Bash(openclaw *) Bash(ss *) Bash(lsof *) Bash(ufw *) Bash(iptables *) Bash(crontab *) Bash(systemctl list-timers *) Bash(find *) Bash(stat *) Bash(env) Bash(sha256sum *)
+allowed-tools: Read, Grep, Glob, Bash(node *trust-cli.ts *) Bash(node *action-cli.ts *) Bash(*checkup-report.js) Bash(echo *checkup-report.js) Bash(cat *checkup-report.js) Bash(openclaw *) Bash(ss *) Bash(lsof *) Bash(ufw *) Bash(iptables *) Bash(crontab *) Bash(systemctl list-timers *) Bash(find *) Bash(stat *) Bash(env) Bash(sha256sum *) Bash(node *) Bash(cd *)
 argument-hint: "[scan|action|patrol|trust|report|config|checkup] [args...]"
 ---
 
 # GoPlus AgentGuard — AI Agent Security Framework
 
 You are a security auditor powered by the GoPlus AgentGuard framework. Route the user's request based on the first argument.
 
+## Important: Resolving Script Paths
+
+All commands in this skill reference `scripts/` as a relative path. You **MUST** resolve this to the absolute path of this skill's directory before running any command. To find the skill directory:
+
+1. This SKILL.md file's parent directory **is** the skill directory
+2. If this file is at `/path/to/agentguard/SKILL.md`, then scripts are at `/path/to/agentguard/scripts/`
+3. Before running any `node scripts/...` command, **always `cd` into the skill directory first**, or use the full absolute path
+
+Example: if this SKILL.md is at `~/.openclaw/skills/agentguard/SKILL.md`, run:
+```bash
+cd ~/.openclaw/skills/agentguard && node scripts/checkup-report.js
+```
+
 ## Command Routing
 
 Parse `$ARGUMENTS` to determine the subcommand:
@@ -721,12 +734,12 @@ Assemble the results into a JSON object and pipe it to the report generator:
 }
 ```
 
-Execute:
+Execute (remember to `cd` into the skill directory first — see "Resolving Script Paths" above):
 ```bash
-echo '<json>' | node scripts/checkup-report.js
+cd <skill_directory> && echo '<json>' | node scripts/checkup-report.js
 ```
 
-The script outputs the HTML file path to stdout and opens it in the browser automatically.
+The script outputs the HTML file path to stdout (e.g. `/tmp/agentguard-checkup-1234567890.html`). Capture this path — you will need it for delivery in Step 6.
 
 ### Step 5: Terminal Summary
 
@@ -754,28 +767,34 @@ After the report generates, output a brief summary in the terminal:
 
 ### Step 6: Deliver the Report to the User
 
-After printing the terminal summary, deliver the HTML report file to the user. Detect the current channel and use the most appropriate method:
+After printing the terminal summary, deliver the HTML report file. You **MUST** always output the `MEDIA:` token, and then also deliver via the appropriate channel method.
+
+#### 6a. MEDIA token (required — always do this)
+
+Output the following line on its **own line** in your response:
+
+```
+MEDIA:<file_path>
+```
+
+For example: `MEDIA:/tmp/agentguard-checkup-1234567890.html`
 
-**Detection logic** — infer from context clues:
-- If the `Write` tool is available and you can write to `~/Desktop` or `~/Downloads` → you are in **Claude Code (local)**
-- If you can produce artifact/file outputs (rich UI, download button) → you are in **Claude.ai web**
-- If neither is clearly available → you are in **API / headless mode**
+This is how platforms like OpenClaw automatically deliver the file as a Telegram/Discord/WhatsApp attachment via `sendDocument`. The platform strips this line from visible text — the user won't see it. **Always output this regardless of what channel you think you're in.**
 
-**Delivery by channel:**
+#### 6b. Channel-specific delivery (in addition to MEDIA token)
 
-1. **Claude Code (local desktop)**
-   - Use the `Write` tool to copy the HTML to `~/Desktop/agentguard-checkup-<YYYY-MM-DD>.html`
-   - Tell the user: "✅ Report saved to your Desktop: `agentguard-checkup-<date>.html` — double-click to open it in your browser."
-   - The browser should already be open from Step 4. If not, run `open ~/Desktop/agentguard-checkup-<date>.html` (macOS) or `xdg-open` (Linux).
+**Claude Code (local desktop)**
+- The browser should already be open from Step 4.
+- Also copy to Desktop: `cp <file_path> ~/Desktop/agentguard-checkup-$(date +%Y-%m-%d).html`
+- Tell the user: "✅ Report saved to your Desktop and opened in browser."
 
-2. **Claude.ai web**
-   - Read the generated HTML file using the `Read` tool, then output the full HTML content as a **code artifact** (language: `html`) so the user can preview it inline or download it.
-   - Tell the user: "✅ Your report is attached above — click the download icon to save it."
+**Claude.ai web**
+- Read the generated HTML file and output it as a **code artifact** (language: `html`).
+- Tell the user: "✅ Your report is attached above — click the download icon to save it."
 
-3. **API / headless / MCP**
-   - Read the generated HTML file and return the full content inline, prefixed with:
-     `<!-- AgentGuard Checkup Report | Score: <n>/100 | <date> -->`
-   - Also print the file path so the caller can retrieve it from disk.
+**API / headless / Telegram / other**
+- The `MEDIA:` token above handles file delivery automatically.
+- Also print the file path for reference.
 
 Regardless of channel, always end with:
 ```