Agent skill

openclaw-ghsa-maintainer

Maintainer workflow for OpenClaw GitHub Security Advisories (GHSA). Use when Codex needs to inspect, patch, validate, or publish a repo advisory, verify private-fork state, prepare advisory Markdown or JSON payloads safely, handle GHSA API-specific publish constraints, or confirm advisory publish success.

View SKILL.md on GitHub Repository
Stars 355,710
Forks 72,004

Install this agent skill to your Project

npx add-skill https://github.com/openclaw/openclaw/tree/main/.agents/skills/openclaw-ghsa-maintainer

SKILL.md

OpenClaw GHSA Maintainer

Use this skill for repo security advisory workflow only. Keep general release work in openclaw-release-maintainer.

Respect advisory guardrails

  • Before reviewing or publishing a repo advisory, read SECURITY.md.
  • Ask permission before any publish action.
  • Treat this skill as GHSA-only. Do not use it for stable or beta release work.

Fetch and inspect advisory state

Fetch the current advisory and the latest published npm version:

bash
gh api /repos/openclaw/openclaw/security-advisories/<GHSA>
npm view openclaw version --userconfig "$(mktemp)"

Use the fetch output to confirm the advisory state, linked private fork, and vulnerability payload shape before patching.

Verify private fork PRs are closed

Before publishing, verify that the advisory's private fork has no open PRs:

bash
fork=$(gh api /repos/openclaw/openclaw/security-advisories/<GHSA> | jq -r .private_fork.full_name)
gh pr list -R "$fork" --state open

The PR list must be empty before publish.

Prepare advisory Markdown and JSON safely

  • Write advisory Markdown via heredoc to a temp file. Do not use escaped \n strings.
  • Build PATCH payload JSON with jq, not hand-escaped shell JSON.

Example pattern:

bash
cat > /tmp/ghsa.desc.md <<'EOF'
<markdown description>
EOF

jq -n --rawfile desc /tmp/ghsa.desc.md \
  '{summary,severity,description:$desc,vulnerabilities:[...]}' \
  > /tmp/ghsa.patch.json

Apply PATCH calls in the correct sequence

  • Do not set severity and cvss_vector_string in the same PATCH call.
  • Use separate calls when the advisory requires both fields.
  • Publish by PATCHing the advisory and setting "state":"published". There is no separate /publish endpoint.

Example shape:

bash
gh api -X PATCH /repos/openclaw/openclaw/security-advisories/<GHSA> \
  --input /tmp/ghsa.patch.json

Publish and verify success

After publish, re-fetch the advisory and confirm:

  • state=published
  • published_at is set
  • the description does not contain literal escaped \\n

Verification pattern:

bash
gh api /repos/openclaw/openclaw/security-advisories/<GHSA>
jq -r .description < /tmp/ghsa.refetch.json | rg '\\\\n'

Common GHSA footguns

  • Publishing fails with HTTP 422 if required fields are missing or the private fork still has open PRs.
  • A payload that looks correct in shell can still be wrong if Markdown was assembled with escaped newline strings.
  • Advisory PATCH sequencing matters; separate field updates when GHSA API constraints require it.

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

openclaw/openclaw

openclaw-test-heap-leaks

Investigate `pnpm test` memory growth, Vitest worker OOMs, and suspicious RSS increases in OpenClaw using the `scripts/test-parallel.mjs` heap snapshot tooling. Use when Codex needs to reproduce test-lane memory growth, collect repeated `.heapsnapshot` files, compare snapshots from the same worker PID, distinguish transformed-module retention from real data leaks, and fix or reduce the impact by patching cleanup logic or isolating hotspot tests.

355,710 72,004
Explore
openclaw/openclaw

parallels-discord-roundtrip

Run the macOS Parallels smoke harness with Discord end-to-end roundtrip verification, including guest send, host verification, host reply, and guest readback.

355,710 72,004
Explore
openclaw/openclaw

security-triage

Triage GitHub security advisories for OpenClaw with high-confidence close/keep decisions, exact tag and commit verification, trust-model checks, optional hardening notes, and a final reply ready to post and copy to clipboard.

355,710 72,004
Explore
openclaw/openclaw

openclaw-release-maintainer

Maintainer workflow for OpenClaw releases, prereleases, changelog release notes, and publish validation. Use when Codex needs to prepare or verify stable or beta release steps, align version naming, assemble release notes, check release auth requirements, or validate publish-time commands and artifacts.

355,710 72,004
Explore
openclaw/openclaw

openclaw-pr-maintainer

Maintainer workflow for reviewing, triaging, preparing, closing, or landing OpenClaw pull requests and related issues. Use when Codex needs to validate bug-fix claims, search for related issues or PRs, apply or recommend close/reason labels, prepare GitHub comments safely, check review-thread follow-up, or perform maintainer-style PR decision making before merge or closure.

355,710 72,004
Explore
openclaw/openclaw

openclaw-parallels-smoke

End-to-end Parallels smoke, upgrade, and rerun workflow for OpenClaw across macOS, Windows, and Linux guests. Use when Codex needs to run, rerun, debug, or interpret VM-based install, onboarding, gateway smoke tests, latest-release-to-main upgrade checks, fresh snapshot retests, or optional Discord roundtrip verification under Parallels.

355,710 72,004
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results