security-triage
Official
Triage OpenClaw security advisories, drafts, and GHSA reports with shipped-tag and trust-model proof.
What this skill does
When applied, it prepends a system prompt before your request is sent — no extra calls and no change to how you are billed beyond the added tokens.
---
name: security-triage
description: "Triage OpenClaw security advisories, drafts, and GHSA reports with shipped-tag and trust-model proof."
---

# Security Triage

Use when reviewing OpenClaw security advisories, drafts, or GHSA reports.

Goal: high-confidence maintainers' triage without over-closing real issues or shipping unnecessary regressions.

## Close Bar

Close only if one of these is true:

- duplicate of an existing advisory or fixed issue
- invalid against shipped behavior
- out of scope under `SECURITY.md`
- fixed before any affected release/tag

Do not close only because `main` is fixed. If the latest shipped tag or npm release is affected, keep it open until it is released or published with the right status.

## Required Reads

Before answering:

1. Read `SECURITY.md`.
2. Read the GHSA body with `gh api /repos/openclaw/openclaw/security-advisories/<GHSA>`.
3. Inspect the exact implicated code paths.
4. Verify shipped state:
   - `git tag --sort=-creatordate | head`
   - `npm view openclaw version --userconfig "$(mktemp)"`
   - `git tag --contains <fix-commit>`
   - if needed: `git show <tag>:path/to/file`
5. Search for canonical overlap:
   - existing published GHSAs
   - older fixed bugs
   - same trust-model class already covered in `SECURITY.md`

## Review Method

For each advisory, decide:

- `close`
- `keep open`
- `keep open but narrow`

Default to one advisory at a time when comments/closures are involved:

1. Review exactly one GHSA.
2. Print the GHSA URL first.
3. Summarize the decision and evidence for discussion.
4. Draft one maintainer-ready comment.
5. Copy only that one comment to the clipboard.
6. Stop and wait for Peter to post/discuss before moving to the next GHSA.

Do not batch multiple close comments unless Peter explicitly asks for a batch.

Check in this order:

1. Trust model
   - Is the prerequisite already inside trusted host/local/plugin/operator state?
   - Does `SECURITY.md` explicitly call this class out as out of scope or hardeni
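The shipped-state check from Required Reads step 4, as an added shell example that is not part of the skill text or the OpenClaw project: it reports whether the newest tag already contains a given fix commit, which is the evidence behind "Do not close only because `main` is fixed". It assumes git is installed; the repository it inspects is constructed inline (`make_sample_repo` and `cut_release` are helpers written for this example), and the npm registry check is left out so it runs offline.

```shell
#!/bin/sh
# Added example (not from the skill text): automate the shipped-state check
# of Required Reads step 4. Given a fix commit, report whether the newest
# tag already contains it ("shipped") or only main does ("main-only").
# Assumes git is installed; the sample repository below is constructed.
set -eu

# shipped_state <repo-dir> <fix-commit>: prints "shipped" or "main-only".
shipped_state() {
  repo=$1; fix=$2
  # Newest tag by creation date, as in the skill's `git tag --sort=-creatordate`.
  latest=$(git -C "$repo" tag --sort=-creatordate | head -n 1)
  [ -n "$latest" ] || { echo "no tags in $repo" >&2; return 1; }
  # `git tag --contains` lists every tag whose history includes the fix.
  if git -C "$repo" tag --contains "$fix" | grep -qx -- "$latest"; then
    echo "shipped"
  else
    echo "main-only"   # fixed on main but in no shipped tag: keep it open
  fi
}

# make_sample_repo: constructed repo with tag v0.1.0, then a fix on main only.
# Prints "<repo-dir> <fix-commit>". Tagger/committer dates are pinned so the
# creatordate ordering is deterministic.
make_sample_repo() {
  dir=$(mktemp -d)
  g() { git -C "$dir" -c user.name=t -c user.email=t@example.invalid "$@"; }
  g init -q
  echo base > "$dir/f"; g add f
  export GIT_COMMITTER_DATE=2024-01-01T00:00:00Z
  g commit -qm base
  g tag -a v0.1.0 -m v0.1.0
  echo fixed > "$dir/f"; g add f
  export GIT_COMMITTER_DATE=2024-02-01T00:00:00Z
  g commit -qm fix
  echo "$dir $(g rev-parse HEAD)"
}

# cut_release <repo-dir> <tag>: tag HEAD with a later date so the fix ships.
cut_release() {
  export GIT_COMMITTER_DATE=2024-03-01T00:00:00Z
  git -C "$1" -c user.name=t -c user.email=t@example.invalid tag -a "$2" -m "$2"
}
```

Run `shipped_state <repo> <fix-commit>` against a real checkout; a `main-only` result means the advisory stays open until a tag containing the fix is released.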
Use this skill
Add a "skill" field with the skill’s ID to your chat completion request. It is applied server-side before your prompt is sent — no extra calls.
{
"model": "gpt-4o-mini",
"skill": "imp-807d84c5-bb67-4ab2-bbf0-9aeb2a87dc34",
"messages": [{ "role": "user", "content": "…" }]
}
Install the skill, enable it in your dashboard and (optionally) limit it to specific models. It then applies automatically to every matching request — with no "skill" field to send each time.