{"kind":"Skill","metadata":{"namespace":"community","name":"clawsweeper","version":"0.1.0"},"spec":{"description":"Use for all ClawSweeper work: OpenClaw issue/PR sweep reports, commit-review reports, repair jobs, cloud fix PRs, @clawsweeper maintainer mention commands, trusted ClawSweeper-reviewed autofix/automerge, GitHub Actions monitoring, permissions, gates, and manual backfills.","files":{"SKILL.md":"---\nname: clawsweeper\ndescription: \"Use for all ClawSweeper work: OpenClaw issue/PR sweep reports, commit-review reports, repair jobs, cloud fix PRs, @clawsweeper maintainer mention commands, trusted ClawSweeper-reviewed autofix/automerge, GitHub Actions monitoring, permissions, gates, and manual backfills.\"\n---\n\n# ClawSweeper\n\nClawSweeper lives at `~/Projects/clawsweeper`. It is the one OpenClaw\nmaintenance bot for sweeping, commit review, repair jobs, and guarded fix PRs.\nUse this skill whenever asked about reports, findings, dispatch health,\nrepair/cloud PR creation, comment commands, automerge, permissions, or gates.\n\n## Start\n\n```bash\ncd ~/Projects/clawsweeper\ngit status --short --branch\ngit pull --ff-only\npnpm run build:all\n```\n\nDo not overwrite unrelated edits. If the tree is dirty, inspect first and keep\nread-only report work read-only unless the requester asked to commit.\n\n## One Bot, One App\n\nUse the ClawSweeper repo and the `clawsweeper` GitHub App. Use only\n`CLAWSWEEPER_*` configuration for this automation. Do not use legacy apps,\nvariables, labels, or skills.\n\nRequired app setup:\n\n- `CLAWSWEEPER_APP_CLIENT_ID`: public app client ID for `clawsweeper`.\n- `CLAWSWEEPER_APP_PRIVATE_KEY`: private key used only inside\n  `actions/create-github-app-token` steps.\n- Target app permissions: read target scan context; write issues and pull\n  requests; contents write for report commits, repair branches, and workflow\n  inputs; Actions write on `openclaw/clawsweeper` for comment-router\n  re-review dispatch, workflow dispatch, run cancellation, and self-heal;\n  optional Checks write for commit Check Runs.\n\nToken boundary:\n\n- Codex workers do not get mutation credentials.\n- Review workers run with stripped secret/token env.\n- Deterministic scripts own comments, labels, branch pushes, PR creation,\n  closes, and merges through short-lived GitHub App tokens.\n- Merge and write gates default closed.\n\n## Commit Reports\n\nCanonical commit reports:\n\n```text\nrecords/\u003crepo-slug\u003e/commits/\u003c40-char-sha\u003e.md\n```\n\nUse the lister:\n\n```bash\npnpm commit-reports -- --since 6h\npnpm commit-reports -- --since \"24 hours ago\" --findings\npnpm commit-reports -- --since 7d --non-clean\npnpm commit-reports -- --repo openclaw/openclaw --author steipete --since 7d\npnpm commit-reports -- --since 24h --json\n```\n\nResults: `nothing_found`, `findings`, `inconclusive`, `failed`,\n`skipped_non_code`. One report per SHA; reruns overwrite the SHA-named report.\n\nManual rerun/backfill:\n\n```bash\ngh workflow run commit-review.yml --repo openclaw/clawsweeper \\\n  -f target_repo=openclaw/openclaw \\\n  -f commit_sha=\u003cend-sha\u003e \\\n  -f before_sha=\u003cstart-or-parent-sha\u003e \\\n  -f create_checks=false \\\n  -f enabled=true\n```\n\nUse `create_checks=true` only when the requester explicitly wants target commit Check\nRuns. Add `-f additional_prompt=\"...\"` for focused one-off review instructions.\n\n## Sweep Reports\n\nIssue/PR reports live at:\n\n```text\nrecords/\u003crepo-slug\u003e/items/\u003cnumber\u003e.md\nrecords/\u003crepo-slug\u003e/closed/\u003cnumber\u003e.md\n```\n\nLead with counts, concrete findings, and report links. Do not post unsolicited\nGitHub comments from report-reading work. Public surfaces are markdown reports,\ndurable ClawSweeper review comments, and optional checks.\n\nPR reports include Codex `/review`-style `reviewFindings` with priority,\nconfidence, repository-relative file, and line range. Public PR comments show a\nshort `Review findings:` list when findings exist; full review comments,\nevidence links, likely owners, and runtime details stay inside the collapsed\n`Review details` block.\n\nUseful commands:\n\n```bash\npnpm run status\npnpm run audit\npnpm run reconcile\npnpm run apply-decisions -- --dry-run\n```\n\n## Create One Repair Job\n\nCreate a job from issue/PR refs and a maintainer prompt:\n\n```bash\npnpm run repair:create-job -- \\\n  --repo openclaw/openclaw \\\n  --refs 123,456 \\\n  --prompt-file /tmp/clawsweeper-prompt.md\n```\n\nCreate from an existing ClawSweeper report:\n\n```bash\npnpm run repair:create-job -- \\\n  --from-report ../clawsweeper/records/openclaw-openclaw/items/123.md\n```\n\nThe job creator checks for an existing open PR, body match, or remote\n`clawsweeper/\u003ccluster-id\u003e` branch before writing another job. Use `--dry-run`\nto inspect. Use `--force` only after deciding the duplicate guard is stale.\n\nValidate, commit, then dispatch:\n\n```bash\npnpm run repair:validate-job -- jobs/openclaw/inbox/clawsweeper-openclaw-openclaw-123.md\npnpm run repair:dispatch -- jobs/openclaw/inbox/clawsweeper-openclaw-openclaw-123.md \\\n  --mode autonomous \\\n  --runner blacksmith-4vcpu-ubuntu-2404 \\\n  --execution-runner blacksmith-16vcpu-ubuntu-2404 \\\n  --model gpt-5.5\n```\n\nDo not dispatch a just-created job before the job file is committed and pushed;\nthe workflow reads the job path from GitHub.\n\n## Replacement PRs\n\nFor a useful but uneditable/stale/unsafe source PR, make the maintainer prompt\nexplicit:\n\n```md\nTreat #123 as useful source work. If the source branch cannot be safely updated\nbecause it is uneditable, stale, draft-only, unmergeable, or unsafe, create a\nnarrow ClawSweeper replacement PR instead of waiting. Preserve the source PR\nauthor as co-author, credit the source PR in the replacement PR body, and close\nonly that source PR after the replacement PR is opened.\n```\n\nThe worker should emit `repair_strategy=replace_uneditable_branch` and list the\nsource PR URL in `source_prs`. The deterministic executor opens or updates\n`clawsweeper/\u003ccluster-id\u003e`, adds non-bot source authors as `Co-authored-by`\ntrailers, and closes superseded source PRs only after replacement exists.\n\n## Gates\n\nOpen execution windows intentionally and close them after the run:\n\n```bash\ngh variable set CLAWSWEEPER_ALLOW_EXECUTE --repo openclaw/clawsweeper --body 1\ngh variable set CLAWSWEEPER_ALLOW_FIX_PR --repo openclaw/clawsweeper --body 1\ngh variable set CLAWSWEEPER_ALLOW_MERGE --repo openclaw/clawsweeper --body 1\ngh variable set CLAWSWEEPER_ALLOW_AUTOMERGE --repo openclaw/clawsweeper --body 1\n```\n\nReset gates only when explicitly requested; the active maintainer window may intentionally\nleave them at `1`.\n\nImportant gates:\n\n- `CLAWSWEEPER_ALLOW_EXECUTE`: allows deterministic write lanes.\n- `CLAWSWEEPER_ALLOW_FIX_PR`: allows branch repair/replacement PRs.\n- `CLAWSWEEPER_ALLOW_MERGE`: allows merge-capable applicators.\n- `CLAWSWEEPER_ALLOW_AUTOMERGE`: allows comment-router automerge.\n- `CLAWSWEEPER_COMMENT_ROUTER_EXECUTE`: lets scheduled comment routing\n  post replies and dispatch repair.\n\n## Maintainer Mentions\n\nPrefer `@clawsweeper` comments for all maintainer-facing control. Slash\ncommands still parse as compatibility aliases, but examples and live guidance\nshould use mentions.\n\n```text\n@clawsweeper status\n@clawsweeper re-review\n@clawsweeper review\n@clawsweeper fix ci\n@clawsweeper address review\n@clawsweeper rebase\n@clawsweeper autofix\n@clawsweeper automerge\n@clawsweeper approve\n@clawsweeper explain\n@clawsweeper stop\n@clawsweeper \u003cquestion or safe action request\u003e\n@clawsweeper[bot] re-review\n@openclaw-clawsweeper fix ci\n@openclaw-clawsweeper[bot] fix ci\n```\n\nAccepted aliases: `review`, `re-review`, `rereview`, `review again`,\n`rerun review`, and `run review`. `review` and `re-review` dispatch a fresh\nClawSweeper issue/PR review without starting repair. `fix ci`,\n`address review`, and `rebase` dispatch the\nrepair worker only for ClawSweeper PRs or PRs opted into\n`clawsweeper:autofix` or `clawsweeper:automerge`. `autofix` runs the bounded\nreview/fix loop without merging. `automerge` runs the bounded review/fix/merge\nloop, but draft PRs stay fix-only until GitHub marks them ready for review.\n\nFreeform maintainer mentions such as `@clawsweeper why did automerge stop?`\nor `@clawsweeper: can you explain this failure?` dispatch a read-only assist\nreview with the mention text as one-off instructions. The answer lands in the\nnext public ClawSweeper review comment. Action-looking prose does not directly\nmutate GitHub; it must map to existing structured recommendations and pass the\nnormal deterministic gates.\n\nDefault accepted maintainers: `OWNER`, `MEMBER`, `COLLABORATOR`; fallback\nrepository permission accepts `admin`, `maintain`, or `write`. Contributor\ncomments are ignored without a reply.\n\nRun router manually:\n\n```bash\npnpm run repair:comment-router -- --repo openclaw/openclaw --lookback-minutes 180\npnpm run repair:comment-router -- --repo openclaw/openclaw --execute --wait-for-capacity\n```\n\nScheduled routing stays dry unless\n`CLAWSWEEPER_COMMENT_ROUTER_EXECUTE=1`.\n\n## Trusted Autofix And Automerge\n\n`@clawsweeper autofix` opts an existing PR into the bounded review/fix loop.\n`@clawsweeper automerge` opts an existing PR into the bounded review/fix/merge\nloop. The router:\n\n- verifies maintainer authorization;\n- labels the PR `clawsweeper:autofix` or `clawsweeper:automerge`;\n- dispatches ClawSweeper review for the current head SHA;\n- creates or reuses a durable adopted job;\n- repairs at most the configured caps;\n- never merges autofix PRs or draft PRs;\n- merges automerge PRs only when ClawSweeper passed the exact current head,\n  checks are green, GitHub says mergeable, no human-review label is present,\n  the PR is not draft, and both merge gates are open.\n\nMissing changelog is not a review finding or merge blocker. If repairing a user-facing change, add/update changelog automatically when practical; never ask or block solely on it.\n\nIf ClawSweeper passes while merge gates are closed, it labels\n`clawsweeper:merge-ready` and comments instead of merging. `@clawsweeper stop`\nadds `clawsweeper:human-review`.\n\nWhen asked to create a PR and enable ClawSweeper automerge, do not\nleave the local OpenClaw checkout on the PR branch. After the PR is created,\npushed, and the `@clawsweeper automerge` request is posted or otherwise\nconfirmed, return the local checkout to `main` and fast-forward it when the\nworking tree is clean:\n\n```bash\ngit switch main\ngit pull --ff-only\n```\n\nIf unrelated local edits or an in-progress rebase prevent switching, report the\nblocker instead of stashing, deleting, or overwriting work.\n\nRepair caps:\n\n```bash\nCLAWSWEEPER_MAX_REPAIRS_PER_PR=10\nCLAWSWEEPER_MAX_REPAIRS_PER_HEAD=1\n```\n\n## Security Boundary\n\nDo not stage unapproved security-sensitive work for ClawSweeper Repair. Route\nvulnerability reports, CVE/GHSA/advisory work, leaked secrets/tokens/keys,\nplaintext secret storage, SSRF, XSS, CSRF, RCE, auth bypass, privilege\nescalation, and sensitive data exposure to central OpenClaw security handling.\n\nFor PRs explicitly opted into `clawsweeper:autofix` or\n`clawsweeper:automerge`, security-sensitive review findings may dispatch\nbounded repair, but merge remains blocked until a later exact-head review is\nclean and the normal merge gates pass. Trust deterministic ClawSweeper security\nmarkers, labels, and job frontmatter; do not infer security handling from vague\nprose.\n\n## Monitoring\n\nReceiver workflows:\n\n```bash\ngh run list --repo openclaw/clawsweeper --workflow \"ClawSweeper Commit Review\" \\\n  --limit 12 --json databaseId,displayTitle,event,status,conclusion,createdAt,updatedAt,url\ngh run list --repo openclaw/clawsweeper --workflow \"repair cluster worker\" \\\n  --limit 12 --json databaseId,displayTitle,event,status,conclusion,createdAt,updatedAt,url\ngh run list --repo openclaw/clawsweeper --workflow \"repair comment router\" \\\n  --limit 12 --json databaseId,displayTitle,event,status,conclusion,createdAt,updatedAt,url\n```\n\nTarget dispatcher:\n\n```bash\ngh run list --repo openclaw/openclaw --workflow \"ClawSweeper Dispatch\" \\\n  --event push --limit 8 --json databaseId,displayTitle,event,status,conclusion,headSha,url\n```\n\nTarget commit check:\n\n```bash\ngh api \"repos/openclaw/openclaw/commits/\u003csha\u003e/check-runs?per_page=100\" \\\n  --jq '.check_runs[] | select(.name==\"ClawSweeper Commit Review\") | [.status,.conclusion,.details_url] | @tsv'\n```\n\n## Reading Output\n\nFor findings or failures, summarize:\n\n- target repo, item/PR/commit, run, report path\n- result, confidence, severity, and exact blocker\n- affected files or cluster refs\n- validation commands and whether they passed\n- whether mutation gates were open or closed\n- next deterministic action\n\nKeep the broom small: one cluster, one branch, one PR, narrow proof, clear\nowner-visible evidence.\n","agents/openai.yaml":"interface:\n  display_name: \"ClawSweeper\"\n  short_description: \"Inspect ClawSweeper commit review reports and Actions runs.\"\n  default_prompt: \"Review recent ClawSweeper commit reports and summarize findings.\"\n"},"import":{"commit_sha":"424c6d0a5f4665b803ad6768d08b0be7659deaf4","imported_at":"2026-05-18T20:13:36Z","license_text":"MIT License\n\nCopyright (c) 2025 Peter Steinberger\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","owner":"openclaw","repo":"openclaw/openclaw","source_url":"https://github.com/openclaw/openclaw/tree/424c6d0a5f4665b803ad6768d08b0be7659deaf4/.agents/skills/clawsweeper"}},"content_hash":[47,97,40,147,241,239,55,188,103,109,179,66,216,4,83,169,40,221,30,133,38,77,251,249,109,241,214,197,66,135,248,143],"trust_level":"unsigned","yanked":false}