{"kind":"Skill","metadata":{"namespace":"community","name":"security-triage","version":"0.1.0"},"spec":{"description":"Triage OpenClaw security advisories, drafts, and GHSA reports with shipped-tag and trust-model proof.","files":{"SKILL.md":"---\nname: security-triage\ndescription: Triage OpenClaw security advisories, drafts, and GHSA reports with shipped-tag and trust-model proof.\n---\n\n# Security Triage\n\nUse when reviewing OpenClaw security advisories, drafts, or GHSA reports.\n\nGoal: high-confidence maintainers' triage without over-closing real issues or shipping unnecessary regressions.\n\n## Close Bar\n\nClose only if one of these is true:\n\n- duplicate of an existing advisory or fixed issue\n- invalid against shipped behavior\n- out of scope under `SECURITY.md`\n- fixed before any affected release/tag\n\nDo not close only because `main` is fixed. If latest shipped tag or npm release is affected, keep it open until released or published with the right status.\n\n## Required Reads\n\nBefore answering:\n\n1. Read `SECURITY.md`.\n2. Read the GHSA body with `gh api /repos/openclaw/openclaw/security-advisories/\u003cGHSA\u003e`.\n3. Inspect the exact implicated code paths.\n4. Verify shipped state:\n   - `git tag --sort=-creatordate | head`\n   - `npm view openclaw version --userconfig \"$(mktemp)\"`\n   - `git tag --contains \u003cfix-commit\u003e`\n   - if needed: `git show \u003ctag\u003e:path/to/file`\n5. Search for canonical overlap:\n   - existing published GHSAs\n   - older fixed bugs\n   - same trust-model class already covered in `SECURITY.md`\n\n## Review Method\n\nFor each advisory, decide:\n\n- `close`\n- `keep open`\n- `keep open but narrow`\n\nDefault to one advisory at a time when comments/closures are involved:\n\n1. Review exactly one GHSA.\n2. Print the GHSA URL first.\n3. Summarize the decision and evidence for discussion.\n4. Draft one maintainer-ready comment.\n5. Copy only that one comment to the clipboard.\n6. Stop and wait for Peter to post/discuss before moving to the next GHSA.\n\nDo not batch multiple close comments unless Peter explicitly asks for a batch.\n\nCheck in this order:\n\n1. Trust model\n   - Is the prerequisite already inside trusted host/local/plugin/operator state?\n   - Does `SECURITY.md` explicitly call this class out as out of scope or hardening-only?\n2. Shipped behavior\n   - Is the bug present in the latest shipped tag or npm release?\n   - Was it fixed before release?\n3. Exploit path\n   - Does the report show a real boundary bypass, not just prompt injection, local same-user control, or helper-level semantics?\n   - If data only moves between trusted workspace-memory files called out in `SECURITY.md`, do not treat \"injection markers\" alone as a security bug.\n   - In that case, frame sanitization as optional hardening only if it preserves expected memory workflows.\n4. Functional tradeoff\n   - If a hardening change would reduce intended user functionality, call that out before proposing it.\n   - Prefer fixes that preserve user workflows over deny-by-default regressions unless the boundary demands it.\n5. Hardening follow-up\n   - Even when the GHSA should close, ask whether a narrow hardening change would reduce footguns without changing the documented trust boundary.\n   - Separate hardening from vulnerability status. Phrase it as \"not required for GHSA closure, but worth considering\".\n   - Bring up hardening only if it is concrete, low-risk, and preserves intended maintainer/operator workflows.\n   - If hardening would require a product/security model change, say that explicitly and do not imply it is a required fix for closure.\n\n## Response Format\n\nWhen preparing a maintainer-ready close reply:\n\n1. Print the GHSA URL first.\n2. Then draft a detailed response the maintainer can post.\n3. Include:\n   - exact reason for close\n   - exact code refs\n   - exact shipped tag / release facts\n   - exact fix commit or canonical duplicate GHSA when applicable\n   - optional hardening note only if worthwhile and functionality-preserving\n\nKeep tone firm, specific, non-defensive.\n\n## Discussion Mode\n\nWhen Peter is manually posting GHSA comments, use this flow:\n\n1. Show the URL.\n2. Give a terse verdict (`close`, `keep open`, or `keep open but narrow`).\n3. List the strongest evidence bullets.\n4. State any optional hardening follow-up separately from the close reason.\n5. Copy the proposed comment body with `pbcopy`.\n6. End the reply after the one advisory. Do not continue to the next advisory until Peter says to continue.\n\nIf the GitHub API cannot post comments for private advisories, say so once and keep using clipboard/UI paste.\n\n## Clipboard Step\n\nAfter drafting the final post body for the current advisory, copy it:\n\n```bash\npbcopy \u003c\u003c'EOF'\n\u003cfinal response\u003e\nEOF\n```\n\nTell the user that the clipboard now contains the proposed response for that advisory.\n\n## Useful Commands\n\n```bash\ngh api /repos/openclaw/openclaw/security-advisories/\u003cGHSA\u003e\ngh api /repos/openclaw/openclaw/security-advisories --paginate\ngit tag --sort=-creatordate | head -n 20\nnpm view openclaw version --userconfig \"$(mktemp)\"\ngit tag --contains \u003ccommit\u003e\ngit show \u003ctag\u003e:\u003cpath\u003e\ngh search issues --repo openclaw/openclaw --match title,body,comments -- \"\u003cterms\u003e\"\ngh search prs --repo openclaw/openclaw --match title,body,comments -- \"\u003cterms\u003e\"\n```\n\n## Decision Notes\n\n- “fixed on main, unreleased” is usually not a close.\n- “needs attacker-controlled trusted local state first” is usually out of scope.\n- “same-host same-user process can already read/write local state” is usually out of scope.\n- “trusted workspace memory promotes/reindexes trusted workspace memory” is usually out of scope unless it crosses a documented boundary.\n- “helper function behaves differently than documented config semantics” is usually invalid.\n- If only the severity is wrong but the bug is real, keep it open and narrow the impact in the reply.\n"},"import":{"commit_sha":"424c6d0a5f4665b803ad6768d08b0be7659deaf4","imported_at":"2026-05-18T20:13:36Z","license_text":"MIT License\n\nCopyright (c) 2025 Peter Steinberger\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","owner":"openclaw","repo":"openclaw/openclaw","source_url":"https://github.com/openclaw/openclaw/tree/424c6d0a5f4665b803ad6768d08b0be7659deaf4/.agents/skills/security-triage"}},"content_hash":[51,106,158,199,117,127,176,196,181,254,132,41,237,64,213,141,93,149,114,108,32,49,15,13,35,16,162,115,14,78,89,79],"trust_level":"unsigned","yanked":false}