Helps maintainers triage, clean up and resolve OpenClaw secret-leak alerts in GitHub.
Copy the install instructions below and let your AI assistant complete the setup (recommended for beginners):
Please install the "openclaw-secret-scanning-maintainer" skill from askskill: 1. Download https://raw.githubusercontent.com/openclaw/openclaw/main/.agents/skills/openclaw-secret-scanning-maintainer/SKILL.md 2. Save it as ~/.claude/skills/openclaw-secret-scanning-maintainer/SKILL.md 3. After installing, reload the skills and tell me it is ready to use.
Please check the OpenClaw Secret Scanning alert on this GitHub PR and determine whether it is a real leak; if it is, give the steps needed to redact the content, revoke the secret, rewrite the commit history and close the alert.
A triage verdict for the alert, plus a checklist of remediation, redaction, secret-rotation and alert-disposition steps.
This GitHub issue appears to expose an access token. Explain how to confirm the risk, edit or redact the content, notify the relevant people, and record the follow-up remediation.
A handling plan for the issue-leak scenario, covering risk confirmation, content cleanup, the notification process and a record template.
Please sort the repository's recent OpenClaw Secret Scanning alerts into false positives, already fixed and pending, and give next-step recommendations for each category.
A categorised alert list with handling recommendations and priority notes for each category.
Maintainer-only. This skill requires repo admin / maintainer permissions to edit or delete other users' comments and resolve secret scanning alerts.
Use this skill when processing alerts from https://github.com/openclaw/openclaw/security/secret-scanning.
Language rule: All notification comments and replacement comments MUST be written in English.
All mechanical operations (API calls, temp file management, security enforcements) are handled by:
$REPO_ROOT/.agents/skills/openclaw-secret-scanning-maintainer/scripts/secret-scanning.mjs
The script enforces:
- `hide_secret=true` on all alert fetches (no plaintext secrets in stdout)
- `mktemp` with random UUIDs for all temp files
- `-F body=@file` for all body uploads (no inline shell quoting)
- never prints `.secret` or `.body` to stdout

Supports single or multiple alerts. For multiple alerts, process in ascending order.
For each alert:
- `fetch-alert` + `fetch-content` to get metadata and body
- `redact-body-if-needed` for issue/PR body; skip for comments (delete directly)
- `delete-comment` + `recreate-comment` for comments; cannot purge body history
- `notify` posts the right template per location type, unless the current issue/PR body is already redacted
- `resolve` closes the alert
- `summary` prints formatted results

```bash
# List all open alerts
node secret-scanning.mjs list-open

# Fetch specific alert metadata + locations
node secret-scanning.mjs fetch-alert <NUMBER>

# Fetch content for each location (saves body to temp file)
node secret-scanning.mjs fetch-content '<location-json>'
```
The fetch-content output includes:
- `body_file`: path to the temp file holding the full body content
- `author`: who posted it
- `issue_number` / `pr_number`: where it is
- `edit_history_count`: number of existing edits
- `type`: location type for routing

For `discussion_comment`, it also includes `comment_node_id`, `discussion_node_id`, and `reply_to_node_id` when the original comment was a reply.

| type | Flow |
|---|---|
| issue_comment | Comment: delete+recreate |
| pull_request_comment | Comment: delete+recreate |
| pull_request_review_comment | Comment: delete+recreate |
| discussion_comment | Discussion comment: delete+recreate (GraphQL) |
| issue_body | Body: redact in place |
| pull_request_body | Body: redact in place |
| commit | Notify only |
| other | Skip and report |
The agent reads the body file from the `fetch-content` output and:
- replaces the credential with `[REDACTED <secret_type>]` (no partial values, no prefix/suffix)

This is the only step that requires semantic understanding. Everything else is mechanical.
For issue_body and pull_request_body: if the current body has already been redacted by the author and no plaintext credential remains, do not post a public notification comment. Resolve the alert with a maintainer-only resolution comment such as:
…