Inspect, patch, validate, and publish OpenClaw GHSA advisories securely.
The material indicates this is essentially prompt/documentation for the OpenClaw GHSA workflow, with no declared secrets, remote endpoints, or local data access requirements. Given the open-source source and very high community adoption, overall risk is low, though the documented examples reference GitHub/GHSA and npm commands and should still be kept within the stated scope.
The material explicitly states that no keys or environment variables are required. The README only describes GHSA workflow steps and does not ask for extra tokens or credential export. If gh commands are actually run, authentication would rely on the host's existing GitHub session, but the skill material itself does not directly request or expose credentials.
The system flags it as prompt-only and no remote endpoint is declared. Although the README includes example calls to the GitHub API and npm view, these appear as instructional command patterns; based on the material itself, there is no evidence of built-in exfiltration to unknown or unrelated third-party endpoints.
As a prompt-only skill, the material itself contains no executable program, installer, or auto-run logic. The README shows example commands using gh, jq, npm, and rg, but these are operational instructions for a human or external tool and do not mean the skill itself gains local code execution privileges.
No built-in ability to read or write local files, repository contents, or system resources is declared. The README only mentions example practices such as writing temporary Markdown/JSON files under /tmp and inspecting GHSA responses; from the skill material alone, there is no factual basis for claiming excessive data access.
The source is an open-source GitHub repository with extremely high community adoption (about 377k stars), which is a strong positive trust signal. The license and maintenance status are not clearly stated, leaving a minor information gap, but there are no concrete red flags such as closed source, abandoned provenance, impersonation, or suspicious installation chains, so supply-chain risk remains low.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "openclaw-ghsa-maintainer" skill from askskill: 1. Download https://raw.githubusercontent.com/openclaw/openclaw/main/.agents/skills/openclaw-ghsa-maintainer/SKILL.md 2. Save it as ~/.claude/skills/openclaw-ghsa-maintainer/SKILL.md 3. Reload skills and tell me it's ready
Check the status of all current OpenClaw GHSA security advisories. List items pending patching, validation, or publication, and confirm whether the private fork is configured correctly.
A status report showing each advisory stage, risks, and private-fork configuration results.
For this OpenClaw GHSA advisory, validate whether the patch has been applied correctly. Include reproduction steps, validation results, and whether it is ready for publication.
A validation report stating whether the issue is fixed, test conclusions, and recommended next steps.
Based on the confirmed fix, create a pre-publication checklist for an OpenClaw GHSA advisory, including affected versions, fix notes, release timing, and private-fork sync confirmation.
An actionable pre-publication checklist to help maintainers release the advisory safely.
Use this skill for repo security advisory workflow only. Keep general release work in release-openclaw-maintainer.
SECURITY.md.Fetch the current advisory and the latest published npm version:
gh api /repos/openclaw/openclaw/security-advisories/<GHSA>
npm view openclaw version --userconfig "$(mktemp)"
Use the fetch output to confirm the advisory state, linked private fork, and vulnerability payload shape before patching.
Before publishing, verify that the advisory's private fork has no open PRs:
fork=$(gh api /repos/openclaw/openclaw/security-advisories/<GHSA> | jq -r .private_fork.full_name)
gh pr list -R "$fork" --state open
The PR list must be empty before publish.
\n strings.jq, not hand-escaped shell JSON.Example pattern:
cat > /tmp/ghsa.desc.md <<'EOF'
<markdown description>
EOF
jq -n --rawfile desc /tmp/ghsa.desc.md \
'{summary,severity,description:$desc,vulnerabilities:[...]}' \
> /tmp/ghsa.patch.json
severity and cvss_vector_string in the same PATCH call."state":"published". There is no separate /publish endpoint.Example shape:
gh api -X PATCH /repos/openclaw/openclaw/security-advisories/<GHSA> \
--input /tmp/ghsa.patch.json
After publish, re-fetch the advisory and confirm:
state=publishedpublished_at is set\\nVerification pattern:
gh api /repos/openclaw/openclaw/security-advisories/<GHSA>
jq -r .description < /tmp/ghsa.refetch.json | rg '\\\\n'
Automate OpenClaw nightly releases, branch maintenance, and forward-porting to main.
Debug Node.js apps with inspect, breakpoints, heap, and CPU profiling.
Audit and harden OpenClaw hosts for security and operational health.
List chats, review message history, and send iMessage or SMS from CLI.
Summarize or transcribe URLs, videos, PDFs, and local files quickly.
Generate shareable code or text diffs for review and collaboration.
Helps maintainers triage, clean up, and resolve OpenClaw secret scanning alerts.
Review, triage, and manage OpenClaw issues and pull requests faster.
Prepare and verify OpenClaw stable or beta releases and release notes.
Handle ClawSweeper reports, fixes, merges, permissions, and GitHub workflow monitoring.
Review, triage, validate, and hand off ClawHub GitHub issues and PRs.
Run, debug, monitor, and summarize OpenClaw release CI workflows.