[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-openclaw-openclaw-.agents-skills-openclaw-ghsa-maintainer":3},{"error":4,"detail":5,"metadata":23,"markdownContent":24,"rawMarkdown":20},false,{"repo_full_name":6,"owner":7,"repo_name":7,"repo_forks":8,"skill_path":9,"repo_stars":10,"name":11,"category_id":12,"description":13,"file_tree":14,"skill_md_content":20,"skill_id":21,"skill_key":22},"openclaw/openclaw","openclaw",64359,".agents/skills/openclaw-ghsa-maintainer",330752,"openclaw-ghsa-maintainer",18,"Maintainer workflow for OpenClaw GitHub Security Advisories (GHSA). Use when Codex needs to inspect, patch, validate, or publish a repo advisory, verify private-fork state, prepare advisory Markdown or JSON payloads safely, handle GHSA API-specific publish constraints, or confirm advisory publish success.",[15],{"name":16,"path":17,"size":18,"type":19},"SKILL.md",".agents/skills/openclaw-ghsa-maintainer/SKILL.md",2912,"file","---\nname: openclaw-ghsa-maintainer\ndescription: Maintainer workflow for OpenClaw GitHub Security Advisories (GHSA). Use when Codex needs to inspect, patch, validate, or publish a repo advisory, verify private-fork state, prepare advisory Markdown or JSON payloads safely, handle GHSA API-specific publish constraints, or confirm advisory publish success.\n---\n\n# OpenClaw GHSA Maintainer\n\nUse this skill for repo security advisory workflow only. Keep general release work in `openclaw-release-maintainer`.\n\n## Respect advisory guardrails\n\n- Before reviewing or publishing a repo advisory, read `SECURITY.md`.\n- Ask permission before any publish action.\n- Treat this skill as GHSA-only. 
Do not use it for stable or beta release work.\n\n## Fetch and inspect advisory state\n\nFetch the current advisory and the latest published npm version:\n\n```bash\ngh api /repos/openclaw/openclaw/security-advisories/\u003CGHSA>\nnpm view openclaw version --userconfig \"$(mktemp)\"\n```\n\nUse the fetch output to confirm the advisory state, linked private fork, and vulnerability payload shape before patching.\n\n## Verify private fork PRs are closed\n\nBefore publishing, verify that the advisory's private fork has no open PRs:\n\n```bash\nfork=$(gh api /repos/openclaw/openclaw/security-advisories/\u003CGHSA> | jq -r .private_fork.full_name)\ngh pr list -R \"$fork\" --state open\n```\n\nThe PR list must be empty before publish.\n\n## Prepare advisory Markdown and JSON safely\n\n- Write advisory Markdown via heredoc to a temp file. Do not use escaped `\\n` strings.\n- Build PATCH payload JSON with `jq`, not hand-escaped shell JSON.\n\nExample pattern:\n\n```bash\ncat > /tmp/ghsa.desc.md \u003C\u003C'EOF'\n\u003Cmarkdown description>\nEOF\n\njq -n --rawfile desc /tmp/ghsa.desc.md \\\n  '{summary,severity,description:$desc,vulnerabilities:[...]}' \\\n  > /tmp/ghsa.patch.json\n```\n\n## Apply PATCH calls in the correct sequence\n\n- Do not set `severity` and `cvss_vector_string` in the same PATCH call.\n- Use separate calls when the advisory requires both fields.\n- Publish by PATCHing the advisory and setting `\"state\":\"published\"`. 
There is no separate `/publish` endpoint.\n\nExample shape:\n\n```bash\ngh api -X PATCH /repos/openclaw/openclaw/security-advisories/\u003CGHSA> \\\n  --input /tmp/ghsa.patch.json\n```\n\n## Publish and verify success\n\nAfter publish, re-fetch the advisory and confirm:\n\n- `state=published`\n- `published_at` is set\n- the description does not contain literal escaped `\\\\n`\n\nVerification pattern:\n\n```bash\ngh api /repos/openclaw/openclaw/security-advisories/\u003CGHSA> > /tmp/ghsa.refetch.json\njq -r .description \u003C /tmp/ghsa.refetch.json | rg '\\\\\\\\n'\n```\n\n## Common GHSA footguns\n\n- Publishing fails with HTTP 422 if required fields are missing or the private fork still has open PRs.\n- A payload that looks correct in shell can still be wrong if Markdown was assembled with escaped newline strings.\n- Advisory PATCH sequencing matters; separate field updates when GHSA API constraints require it.\n","048fc33e-0bc5-55dc-bf1e-cef4eef96f23","openclaw-openclaw-.agents-skills-openclaw-ghsa-maintainer",{"name":11,"description":13},"\u003Ch1>OpenClaw GHSA Maintainer\u003C/h1>\n\u003Cp>Use this skill for repo security advisory workflow only. Keep general release work in \u003Ccode>openclaw-release-maintainer\u003C/code>.\u003C/p>\n\u003Ch2>Respect advisory guardrails\u003C/h2>\n\u003Cul>\n\u003Cli>Before reviewing or publishing a repo advisory, read \u003Ccode>SECURITY.md\u003C/code>.\u003C/li>\n\u003Cli>Ask permission before any publish action.\u003C/li>\n\u003Cli>Treat this skill as GHSA-only. 
Do not use it for stable or beta release work.\u003C/li>\n\u003C/ul>\n\u003Ch2>Fetch and inspect advisory state\u003C/h2>\n\u003Cp>Fetch the current advisory and the latest published npm version:\u003C/p>\n\u003Cdiv class=\"md-code-block\">\u003Cdiv class=\"md-code-lang\">bash\u003C/div>\u003Cpre>\u003Ccode class=\"hljs language-bash\">gh api /repos/openclaw/openclaw/security-advisories/&lt;GHSA&gt;\nnpm view openclaw version --userconfig \u003Cspan class=\"hljs-string\">&quot;\u003Cspan class=\"hljs-subst\">$(mktemp)\u003C/span>&quot;\u003C/span>\u003C/code>\u003C/pre>\u003C/div>\u003Cp>Use the fetch output to confirm the advisory state, linked private fork, and vulnerability payload shape before patching.\u003C/p>\n\u003Ch2>Verify private fork PRs are closed\u003C/h2>\n\u003Cp>Before publishing, verify that the advisory&#39;s private fork has no open PRs:\u003C/p>\n\u003Cdiv class=\"md-code-block\">\u003Cdiv class=\"md-code-lang\">bash\u003C/div>\u003Cpre>\u003Ccode class=\"hljs language-bash\">fork=$(gh api /repos/openclaw/openclaw/security-advisories/&lt;GHSA&gt; | jq -r .private_fork.full_name)\ngh \u003Cspan class=\"hljs-built_in\">pr\u003C/span> list -R \u003Cspan class=\"hljs-string\">&quot;\u003Cspan class=\"hljs-variable\">$fork\u003C/span>&quot;\u003C/span> --state open\u003C/code>\u003C/pre>\u003C/div>\u003Cp>The PR list must be empty before publish.\u003C/p>\n\u003Ch2>Prepare advisory Markdown and JSON safely\u003C/h2>\n\u003Cul>\n\u003Cli>Write advisory Markdown via heredoc to a temp file. 
Do not use escaped \u003Ccode>\\n\u003C/code> strings.\u003C/li>\n\u003Cli>Build PATCH payload JSON with \u003Ccode>jq\u003C/code>, not hand-escaped shell JSON.\u003C/li>\n\u003C/ul>\n\u003Cp>Example pattern:\u003C/p>\n\u003Cdiv class=\"md-code-block\">\u003Cdiv class=\"md-code-lang\">bash\u003C/div>\u003Cpre>\u003Ccode class=\"hljs language-bash\">\u003Cspan class=\"hljs-built_in\">cat\u003C/span> &gt; /tmp/ghsa.desc.md &lt;&lt;\u003Cspan class=\"hljs-string\">&#x27;EOF&#x27;\u003C/span>\n&lt;markdown description&gt;\nEOF\n\njq -n --rawfile desc /tmp/ghsa.desc.md \\\n  \u003Cspan class=\"hljs-string\">&#x27;{summary,severity,description:$desc,vulnerabilities:[...]}&#x27;\u003C/span> \\\n  &gt; /tmp/ghsa.patch.json\u003C/code>\u003C/pre>\u003C/div>\u003Ch2>Apply PATCH calls in the correct sequence\u003C/h2>\n\u003Cul>\n\u003Cli>Do not set \u003Ccode>severity\u003C/code> and \u003Ccode>cvss_vector_string\u003C/code> in the same PATCH call.\u003C/li>\n\u003Cli>Use separate calls when the advisory requires both fields.\u003C/li>\n\u003Cli>Publish by PATCHing the advisory and setting \u003Ccode>&quot;state&quot;:&quot;published&quot;\u003C/code>. 
There is no separate \u003Ccode>/publish\u003C/code> endpoint.\u003C/li>\n\u003C/ul>\n\u003Cp>Example shape:\u003C/p>\n\u003Cdiv class=\"md-code-block\">\u003Cdiv class=\"md-code-lang\">bash\u003C/div>\u003Cpre>\u003Ccode class=\"hljs language-bash\">gh api -X PATCH /repos/openclaw/openclaw/security-advisories/&lt;GHSA&gt; \\\n  --input /tmp/ghsa.patch.json\u003C/code>\u003C/pre>\u003C/div>\u003Ch2>Publish and verify success\u003C/h2>\n\u003Cp>After publish, re-fetch the advisory and confirm:\u003C/p>\n\u003Cul>\n\u003Cli>\u003Ccode>state=published\u003C/code>\u003C/li>\n\u003Cli>\u003Ccode>published_at\u003C/code> is set\u003C/li>\n\u003Cli>the description does not contain literal escaped \u003Ccode>\\\\n\u003C/code>\u003C/li>\n\u003C/ul>\n\u003Cp>Verification pattern:\u003C/p>\n\u003Cdiv class=\"md-code-block\">\u003Cdiv class=\"md-code-lang\">bash\u003C/div>\u003Cpre>\u003Ccode class=\"hljs language-bash\">gh api /repos/openclaw/openclaw/security-advisories/&lt;GHSA&gt; &gt; /tmp/ghsa.refetch.json\njq -r .description &lt; /tmp/ghsa.refetch.json | rg \u003Cspan class=\"hljs-string\">&#x27;\\\\\\\\n&#x27;\u003C/span>\u003C/code>\u003C/pre>\u003C/div>\u003Ch2>Common GHSA footguns\u003C/h2>\n\u003Cul>\n\u003Cli>Publishing fails with HTTP 422 if required fields are missing or the private fork still has open PRs.\u003C/li>\n\u003Cli>A payload that looks correct in shell can still be wrong if Markdown was assembled with escaped newline strings.\u003C/li>\n\u003Cli>Advisory PATCH sequencing matters; separate field updates when GHSA API constraints require it.\u003C/li>\n\u003C/ul>\n"]