{"kind":"Skill","metadata":{"namespace":"community","name":"openclaw-ghsa-maintainer","version":"0.1.0"},"spec":{"description":"Inspect, patch, validate, publish, or confirm OpenClaw GHSA security advisories and private-fork state.","files":{"SKILL.md":"---\nname: openclaw-ghsa-maintainer\ndescription: Inspect, patch, validate, publish, or confirm OpenClaw GHSA security advisories and private-fork state.\n---\n\n# OpenClaw GHSA Maintainer\n\nUse this skill for repo security advisory workflow only. Keep general release work in `openclaw-release-maintainer`.\n\n## Respect advisory guardrails\n\n- Before reviewing or publishing a repo advisory, read `SECURITY.md`.\n- Ask permission before any publish action.\n- Treat this skill as GHSA-only. Do not use it for stable or beta release work.\n\n## Fetch and inspect advisory state\n\nFetch the current advisory and the latest published npm version:\n\n```bash\ngh api /repos/openclaw/openclaw/security-advisories/\u003cGHSA\u003e\nnpm view openclaw version --userconfig \"$(mktemp)\"\n```\n\nUse the fetch output to confirm the advisory state, linked private fork, and vulnerability payload shape before patching.\n\n## Verify private fork PRs are closed\n\nBefore publishing, verify that the advisory's private fork has no open PRs:\n\n```bash\nfork=$(gh api /repos/openclaw/openclaw/security-advisories/\u003cGHSA\u003e | jq -r .private_fork.full_name)\ngh pr list -R \"$fork\" --state open\n```\n\nThe PR list must be empty before publish.\n\n## Prepare advisory Markdown and JSON safely\n\n- Write advisory Markdown via heredoc to a temp file. Do not use escaped `\\n` strings.\n- Build PATCH payload JSON with `jq`, not hand-escaped shell JSON.\n\nExample pattern:\n\n```bash\ncat \u003e /tmp/ghsa.desc.md \u003c\u003c'EOF'\n\u003cmarkdown description\u003e\nEOF\n\njq -n --rawfile desc /tmp/ghsa.desc.md \\\n  '{summary,severity,description:$desc,vulnerabilities:[...]}' \\\n  \u003e /tmp/ghsa.patch.json\n```\n\n## Apply PATCH calls in the correct sequence\n\n- Do not set `severity` and `cvss_vector_string` in the same PATCH call.\n- Use separate calls when the advisory requires both fields.\n- Publish by PATCHing the advisory and setting `\"state\":\"published\"`. There is no separate `/publish` endpoint.\n\nExample shape:\n\n```bash\ngh api -X PATCH /repos/openclaw/openclaw/security-advisories/\u003cGHSA\u003e \\\n  --input /tmp/ghsa.patch.json\n```\n\n## Publish and verify success\n\nAfter publish, re-fetch the advisory and confirm:\n\n- `state=published`\n- `published_at` is set\n- the description does not contain literal escaped `\\\\n`\n\nVerification pattern (the re-fetch is saved to a file so the description can be checked from it):\n\n```bash\ngh api /repos/openclaw/openclaw/security-advisories/\u003cGHSA\u003e \u003e /tmp/ghsa.refetch.json\njq -r .description \u003c /tmp/ghsa.refetch.json | rg '\\\\\\\\n'\n```\n\n## Common GHSA footguns\n\n- Publishing fails with HTTP 422 if required fields are missing or the private fork still has open PRs.\n- A payload that looks correct in shell can still be wrong if Markdown was assembled with escaped newline strings.\n- Advisory PATCH sequencing matters; separate field updates when GHSA API constraints require it.\n"},"import":{"commit_sha":"424c6d0a5f4665b803ad6768d08b0be7659deaf4","imported_at":"2026-05-18T20:13:36Z","license_text":"MIT License\n\nCopyright (c) 2025 Peter Steinberger\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","owner":"openclaw","repo":"openclaw/openclaw","source_url":"https://github.com/openclaw/openclaw/tree/424c6d0a5f4665b803ad6768d08b0be7659deaf4/.agents/skills/openclaw-ghsa-maintainer"}},"content_hash":[47,61,235,73,204,123,75,48,171,123,48,24,203,124,62,18,52,10,240,174,193,222,207,65,2,159,189,84,227,68,137,218],"trust_level":"unsigned","yanked":false}
