Exécutez n'importe quel Skill dans Manus
en un clic

Exécutez n'importe quel Skill dans Manus en un clic

Commencer

openclaw-ghsa-maintainer

Inspect, patch, validate, publish, or confirm OpenClaw GHSA security advisories and private-fork state.

Exécuter dans Manus

Étoiles377 865

Forks79 017

Mis à jour28 mai 2026 à 15:30

Source

openclaw

openclaw/openclaw

Ouvrir le dépôt GitHub Voir les dépôts du créateur

Commande d'installation

Téléchargement

Exécuter dans Manus

Utile pourSOC

Développeurs de logicielsProfessions informatiques et mathématiques15-1252L4

SKILL.md

readonly

name	openclaw-ghsa-maintainer
description	Inspect, patch, validate, publish, or confirm OpenClaw GHSA security advisories and private-fork state.

OpenClaw GHSA Maintainer

Use this skill for repo security advisory workflow only. Keep general release work in release-openclaw-maintainer.

Respect advisory guardrails

Before reviewing or publishing a repo advisory, read SECURITY.md.
Ask permission before any publish action.
Treat this skill as GHSA-only. Do not use it for stable or beta release work.

Fetch and inspect advisory state

Fetch the current advisory and the latest published npm version:

gh api /repos/openclaw/openclaw/security-advisories/<GHSA>
npm view openclaw version --userconfig "$(mktemp)"

Use the fetch output to confirm the advisory state, linked private fork, and vulnerability payload shape before patching.

Verify private fork PRs are closed

Before publishing, verify that the advisory's private fork has no open PRs:

fork=$(gh api /repos/openclaw/openclaw/security-advisories/<GHSA> | jq -r .private_fork.full_name)
gh pr list -R "$fork" --state open

The PR list must be empty before publish.

Prepare advisory Markdown and JSON safely

Write advisory Markdown via heredoc to a temp file. Do not use escaped \n strings.
Build PATCH payload JSON with jq, not hand-escaped shell JSON.

Example pattern:

cat > /tmp/ghsa.desc.md <<'EOF'
<markdown description>
EOF

jq -n --rawfile desc /tmp/ghsa.desc.md \
  '{summary,severity,description:$desc,vulnerabilities:[...]}' \
  > /tmp/ghsa.patch.json

Apply PATCH calls in the correct sequence

Do not set severity and cvss_vector_string in the same PATCH call.
Use separate calls when the advisory requires both fields.
Publish by PATCHing the advisory and setting "state":"published". There is no separate /publish endpoint.

Example shape:

gh api -X PATCH /repos/openclaw/openclaw/security-advisories/<GHSA> \
  --input /tmp/ghsa.patch.json

Publish and verify success

After publish, re-fetch the advisory and confirm:

state=published
published_at is set
the description does not contain literal escaped \\n

Verification pattern:

gh api /repos/openclaw/openclaw/security-advisories/<GHSA>
jq -r .description < /tmp/ghsa.refetch.json | rg '\\\\n'

Common GHSA footguns

Publishing fails with HTTP 422 if required fields are missing or the private fork still has open PRs.
A payload that looks correct in shell can still be wrong if Markdown was assembled with escaped newline strings.
Advisory PATCH sequencing matters; separate field updates when GHSA API constraints require it.
Public hardening/no-publish comments and draft text should avoid raw commit hashes, PR titles/numbers, and fix-mechanism summaries. Prefer patched-version fields or release-only wording; keep SHAs, PRs, and implementation notes in internal evidence.

Plus depuis ce dépôt

même dépôt

weather

openclaw/openclaw

Current weather and forecasts with web_fetch, falling back to wttr.in curl for locations, rain, temperature, travel planning.

2026-06-05377.9k

openclaw-secret-scanning-maintainer

openclaw/openclaw

Triage, redact, clean up, and resolve OpenClaw GitHub Secret Scanning alerts in issues or PRs.

2026-06-04377.9k

openclaw-test-heap-leaks

openclaw/openclaw

Investigate OpenClaw pnpm test memory growth, Vitest OOMs, RSS spikes, and heap snapshot deltas.

2026-06-04377.9k

release-openclaw-ci

openclaw/openclaw

Run, watch, debug, and summarize OpenClaw full release CI, release checks, live provider gates, install/update proofs, and release-secret preflights.

2026-06-04377.9k

release-openclaw-maintainer

openclaw/openclaw

Prepare or verify OpenClaw stable/beta releases, changelogs, release notes, publish commands, and artifacts.

2026-06-03377.9k

autoreview

openclaw/openclaw

Auto Review closeout. Codex review is the default when no engine is set and is the recommended reviewer.

2026-06-02377.9k

name	openclaw-ghsa-maintainer
description	Inspect, patch, validate, publish, or confirm OpenClaw GHSA security advisories and private-fork state.

OpenClaw GHSA Maintainer

Use this skill for repo security advisory workflow only. Keep general release work in release-openclaw-maintainer.

Respect advisory guardrails

Before reviewing or publishing a repo advisory, read SECURITY.md.
Ask permission before any publish action.
Treat this skill as GHSA-only. Do not use it for stable or beta release work.

Fetch and inspect advisory state

Fetch the current advisory and the latest published npm version:

gh api /repos/openclaw/openclaw/security-advisories/<GHSA>
npm view openclaw version --userconfig "$(mktemp)"

Use the fetch output to confirm the advisory state, linked private fork, and vulnerability payload shape before patching.

Verify private fork PRs are closed

Before publishing, verify that the advisory's private fork has no open PRs:

fork=$(gh api /repos/openclaw/openclaw/security-advisories/<GHSA> | jq -r .private_fork.full_name)
gh pr list -R "$fork" --state open

The PR list must be empty before publish.

Prepare advisory Markdown and JSON safely

Write advisory Markdown via heredoc to a temp file. Do not use escaped \n strings.
Build PATCH payload JSON with jq, not hand-escaped shell JSON.

Example pattern:

cat > /tmp/ghsa.desc.md <<'EOF'
<markdown description>
EOF

jq -n --rawfile desc /tmp/ghsa.desc.md \
  '{summary,severity,description:$desc,vulnerabilities:[...]}' \
  > /tmp/ghsa.patch.json

Apply PATCH calls in the correct sequence

Do not set severity and cvss_vector_string in the same PATCH call.
Use separate calls when the advisory requires both fields.
Publish by PATCHing the advisory and setting "state":"published". There is no separate /publish endpoint.

Example shape:

gh api -X PATCH /repos/openclaw/openclaw/security-advisories/<GHSA> \
  --input /tmp/ghsa.patch.json

Publish and verify success

After publish, re-fetch the advisory and confirm:

state=published
published_at is set
the description does not contain literal escaped \\n

Verification pattern:

gh api /repos/openclaw/openclaw/security-advisories/<GHSA>
jq -r .description < /tmp/ghsa.refetch.json | rg '\\\\n'

Common GHSA footguns

Publishing fails with HTTP 422 if required fields are missing or the private fork still has open PRs.
A payload that looks correct in shell can still be wrong if Markdown was assembled with escaped newline strings.
Advisory PATCH sequencing matters; separate field updates when GHSA API constraints require it.
Public hardening/no-publish comments and draft text should avoid raw commit hashes, PR titles/numbers, and fix-mechanism summaries. Prefer patched-version fields or release-only wording; keep SHAs, PRs, and implementation notes in internal evidence.