Helps maintainers check, fix and verify OpenClaw's GHSA security advisories and the state of their private forks.
Copy the install instructions below and let the AI complete the setup (recommended for newcomers):
Please install the "openclaw-ghsa-maintainer" skill from askskill for me: 1. Download https://raw.githubusercontent.com/openclaw/openclaw/main/.agents/skills/openclaw-ghsa-maintainer/SKILL.md 2. Save it as ~/.claude/skills/openclaw-ghsa-maintainer/SKILL.md 3. Once installed, reload the skills and tell me it is ready to use.
Please check the status of all current OpenClaw GHSA security advisories, list the items pending fix, pending verification and pending publication, and state whether the private fork is configured correctly.
Expected output: a status checklist covering each advisory's stage, its risk points and the result of the private-fork configuration check.
For this OpenClaw GHSA advisory, please verify that the patch has been applied correctly, describe the reproduction steps and verification results, and state whether it can proceed to the release flow.
Expected output: a verification report stating whether the vulnerability is fixed, the test conclusions and the recommended next steps.
Based on the confirmed fix, generate a pre-publication checklist for the OpenClaw GHSA advisory, including the affected version range, the fix description, the publication time and the private-fork sync confirmation items.
Expected output: an actionable pre-publication checklist that helps maintainers publish the advisory safely.
Use this skill for the repo security advisory workflow only. Keep general release work in release-openclaw-maintainer.
See SECURITY.md. Fetch the current advisory and the latest published npm version:
```sh
gh api /repos/openclaw/openclaw/security-advisories/<GHSA>
# a throwaway --userconfig ignores ~/.npmrc (auth tokens, custom registry) for this read-only lookup
npm view openclaw version --userconfig "$(mktemp)"
```
Use the fetch output to confirm the advisory state, linked private fork, and vulnerability payload shape before patching.
Before publishing, verify that the advisory's private fork has no open PRs:
```sh
fork=$(gh api /repos/openclaw/openclaw/security-advisories/<GHSA> | jq -r .private_fork.full_name)
# private_fork is null when no temporary fork exists; stop instead of querying a repo named "null"
[ "$fork" != "null" ] || { echo "advisory has no private fork" >&2; exit 1; }
gh pr list -R "$fork" --state open
```
The PR list must be empty before publish.
Write the description to a file and build the PATCH body with jq, not hand-escaped shell JSON, so the description carries real newlines rather than literal `\n` strings. Example pattern:
```sh
cat > /tmp/ghsa.desc.md <<'EOF'
<markdown description>
EOF
# --rawfile reads the file verbatim and jq emits correctly escaped JSON;
# summary, severity and vulnerabilities are placeholders to fill in (e.g. via --arg)
jq -n --rawfile desc /tmp/ghsa.desc.md \
  '{summary,severity,description:$desc,vulnerabilities:[...]}' \
  > /tmp/ghsa.patch.json
```
Do not set both severity and cvss_vector_string in the same PATCH call; the API accepts one or the other. Publish by setting "state":"published" in the PATCH body. There is no separate /publish endpoint. Example shape:
```sh
gh api -X PATCH /repos/openclaw/openclaw/security-advisories/<GHSA> \
  --input /tmp/ghsa.patch.json
```
After publishing, re-fetch the advisory and confirm that state is published, that published_at is set, and that the description contains no literal \n sequences. Verification pattern:
```sh
gh api /repos/openclaw/openclaw/security-advisories/<GHSA> > /tmp/ghsa.refetch.json
jq -r '.state, .published_at' /tmp/ghsa.refetch.json
# any match here means the description was hand-escaped and still carries a literal \n
jq -r .description < /tmp/ghsa.refetch.json | rg '\\n'
```
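The whole flow above (fetch, private-fork PR gate, jq-built body, PATCH to published, re-fetch and verify) as one script. This is an added example, not code from the openclaw skill or repository. It assumes gh and jq are installed; the environment variable names GHSA, SUMMARY and SEVERITY used for a live run are assumptions, and the JSON fixtures it writes are constructed to exercise the checks offline, not real API responses.

```shell
#!/bin/sh
# Added example (not the openclaw skill's own code): the GHSA publish flow as
# functions that can be exercised offline on constructed fixtures.
# Assumes gh and jq; a live run needs GHSA, SUMMARY and SEVERITY (assumed names).
set -eu

REPO="openclaw/openclaw"

# Build the PATCH body with jq so the description keeps real newlines instead of
# hand-escaped "\n". The vulnerabilities array from the page's pattern is left
# out here; only severity is set, never severity and cvss_vector_string together.
# $1 description file, $2 summary, $3 severity, $4 output path
build_patch_body() {
  jq -n --rawfile desc "$1" --arg summary "$2" --arg severity "$3" \
    '{summary:$summary, severity:$severity, description:$desc, state:"published"}' \
    > "$4"
}

# Print the advisory's private fork slug; exit non-zero (jq -e) when there is none,
# so a live run stops instead of querying a repo called "null".
private_fork_name() {
  jq -er '.private_fork.full_name // empty' "$1"
}

# Succeed only if a `gh pr list --json number` result is an empty array.
no_open_prs() {
  [ "$(jq 'length' "$1")" -eq 0 ]
}

# Post-publish checks on a re-fetched advisory: state, published_at, and no
# literal backslash-n left in the description.
verify_published() {
  state=$(jq -r '.state' "$1")
  [ "$state" = "published" ] || { echo "state is $state" >&2; return 1; }
  jq -e '.published_at != null' "$1" >/dev/null \
    || { echo "published_at is not set" >&2; return 1; }
  if jq -r '.description' "$1" | grep -q '\\n'; then
    printf 'description contains a literal \\n\n' >&2; return 1
  fi
  return 0
}

# Constructed fixtures (not real API responses) so the checks run offline.
write_fixtures() {
  dir=$(mktemp -d)
  printf 'Fixed in 1.2.3.\n\nUpgrade now.\n' > "$dir/desc.md"
  cat > "$dir/advisory.json" <<'EOF'
{"state":"published","published_at":"2024-01-01T00:00:00Z",
 "description":"Fixed in 1.2.3.\n\nUpgrade now.",
 "private_fork":{"full_name":"openclaw/openclaw-ghsa-xxxx"}}
EOF
  cat > "$dir/advisory_bad.json" <<'EOF'
{"state":"draft","published_at":null,
 "description":"Fixed in 1.2.3.\\n\\nUpgrade now.","private_fork":null}
EOF
  cat > "$dir/advisory_escaped.json" <<'EOF'
{"state":"published","published_at":"2024-01-01T00:00:00Z",
 "description":"Fixed in 1.2.3.\\n\\nUpgrade now.",
 "private_fork":{"full_name":"openclaw/openclaw-ghsa-xxxx"}}
EOF
  printf '[]\n' > "$dir/no_prs.json"
  printf '[{"number":7}]\n' > "$dir/open_prs.json"
  echo "$dir"
}

# Live flow: runs only when GHSA is set, so the file is safe to source or test.
if [ -n "${GHSA:-}" ]; then
  gh api "/repos/$REPO/security-advisories/$GHSA" > /tmp/ghsa.current.json
  fork=$(private_fork_name /tmp/ghsa.current.json)
  gh pr list -R "$fork" --state open --json number > /tmp/ghsa.prs.json
  no_open_prs /tmp/ghsa.prs.json || { echo "open PRs on $fork; refusing to publish" >&2; exit 1; }
  build_patch_body /tmp/ghsa.desc.md "${SUMMARY:?}" "${SEVERITY:?}" /tmp/ghsa.patch.json
  gh api -X PATCH "/repos/$REPO/security-advisories/$GHSA" --input /tmp/ghsa.patch.json > /dev/null
  gh api "/repos/$REPO/security-advisories/$GHSA" > /tmp/ghsa.refetch.json
  verify_published /tmp/ghsa.refetch.json && echo "$GHSA published and verified"
fi
```

Run it as `GHSA=GHSA-... SUMMARY='...' SEVERITY=high sh publish.sh` with the description already in /tmp/ghsa.desc.md; without GHSA set, only the functions are defined, which is what the offline fixtures exercise. The advisory_escaped fixture is the failure mode the page warns about: a description hand-escaped in shell that reaches the API with a literal backslash-n, which the re-fetch check catches even though the advisory is otherwise published.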