Triage security advisories, drafts, and GHSA reports with trusted evidence.
The material indicates a prompt-only security triage skill with no required secrets, no declared remote endpoints, and no stated local execution or data read/write capability. Combined with its GitHub open-source source and strong community adoption, the overall risk appears low.
The material explicitly states that no keys or environment variables are required, and it does not request tokens, API keys, or other sensitive credentials, so credential exposure and abuse risk is low.
The system flags it as prompt-only and the metadata declares no remote endpoints. Although the README mentions `gh api` and `npm view` as manual review steps, the skill itself does not appear to automatically connect to external services or transmit user data.
As a skill marked prompt-only, the material does not indicate actual permission to spawn local processes, run scripts, or invoke system commands. The commands in the README appear to be part of a human review workflow rather than executable capability of the skill itself.
It does not declare the ability to read or write local files, repository contents, the clipboard, or other data resources. While the document suggests reviewing `SECURITY.md`, GHSAs, and code paths, that appears to be guidance rather than inherent data access granted to the skill.
The source is an open-source GitHub repository, and the system marks it as open-source with very strong community adoption (about 377k stars), which are significant risk-reducing factors. The license and maintenance status are not clearly stated, leaving minor gaps in auditability and upkeep visibility, but not enough on their own to raise the risk level.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "security-triage" skill from askskill: 1. Download https://raw.githubusercontent.com/openclaw/openclaw/main/.agents/skills/security-triage/SKILL.md 2. Save it as ~/.claude/skills/security-triage/SKILL.md 3. Reload skills and tell me it's ready
Please triage this OpenClaw security advisory draft, determine affected scope, whether a fix has shipped, and provide shipped-tag and trust-model proof as evidence. Then give a severity rating and remediation recommendation.
A structured triage result including impact assessment, shipped-status evidence, trust justification, severity, and recommended actions.
Please review this GHSA report, verify whether the vulnerability description is accurate, confirm affected and fixed versions, and support your conclusions with shipped-tag and trust-model proof.
A verification report covering report accuracy, version impact, fix status, and the supporting evidence chain.
Please batch summarize the triage findings for the following security advisories and drafts. Output a summary table by severity, fix status, and evidence completeness, and flag items needing manual review.
A team-friendly summary table highlighting priority, remediation progress, and items requiring further review.
Use when reviewing OpenClaw security advisories, drafts, or GHSA reports.
Goal: high-confidence maintainers' triage without over-closing real issues or shipping unnecessary regressions.
Close only if one of these is true:
SECURITY.mdDo not close only because main is fixed. If latest shipped tag or npm release is affected, keep it open until released or published with the right status.
Before answering:
SECURITY.md.gh api /repos/openclaw/openclaw/security-advisories/<GHSA>.git tag --sort=-creatordate | headnpm view openclaw version --userconfig "$(mktemp)"git tag --contains <fix-commit>git show <tag>:path/to/fileSECURITY.mdFor each advisory, decide:
closekeep openkeep open but narrowDefault to one advisory at a time when comments/closures are involved:
Do not batch multiple close comments unless Peter explicitly asks for a batch.
Check in this order:
SECURITY.md explicitly call this class out as out of scope or hardening-only?SECURITY.md, do not treat "injection markers" alone as a security bug.When preparing a maintainer-ready close reply:
Keep tone firm, specific, non-defensive.
…
Fetch GitHub issues, create fixes, open PRs, and handle reviews.
Convert text to speech locally and offline with sherpa-onnx, no cloud needed.
Regenerate OpenClaw release changelog sections from Git history before releases.
Prepare and verify OpenClaw stable or beta releases and release notes.
Automate web page workflows, login checks, tab handling, and recovery steps.
Verify an OpenClaw release is fully published and working across all channels.
Helps maintainers triage, clean up, and resolve OpenClaw secret scanning alerts.
Inspect, patch, validate, and publish OpenClaw GHSA advisories securely.
Handle ClawSweeper reports, fixes, merges, permissions, and GitHub workflow monitoring.
Analyze GitHub and Discord signals to prioritize project maintainer attention.
Audit and harden OpenClaw hosts for security and operational health.
Run, debug, monitor, and summarize OpenClaw release CI workflows.