1. Skill Overview
This skill handles all GitHub Security Advisory (GHSA) operations within the OpenClaw project, covering the full workflow: fetching advisory status, validating private security forks, preparing Markdown/JSON payloads, publishing advisories, and post-release validation.
Core Principles:
- Read
SECURITY.mdbefore reviewing or publishing any repository security advisory - Explicit approval must be obtained before executing any publish operation
- This skill is exclusively for GHSA workflows; it must never be used for Stable or Beta software release pipelines
2. Core Capabilities
2.1 Fetch & Inspect Advisory Status
Retrieve active security advisories and the latest published npm package version:
gh api /repos/openclaw/openclaw/security-advisories/
npm view openclaw version --userconfig "$(mktemp)"
Use the returned output to verify advisory state, associated private security fork, and vulnerability payload structure.
2.2 Verify All Private Fork PRs Are Closed
Before publication, confirm there are no open pull requests on the advisory’s dedicated private security fork:
fork=$(gh api /repos/openclaw/openclaw/security-advisories/ | jq -r .private_fork.full_name)
gh pr list -R "$fork" --state open
The PR listing must return empty before proceeding to publish.
2.3 Safely Prepare Advisory Markdown & JSON
- Write advisory Markdown via heredoc to temporary files; avoid manually escaped
\nstring literals - Construct PATCH JSON payloads using
jq; do not hand-escape raw JSON inside shell commands
Standard template pattern:
cat > /tmp/ghsa.desc.md <<'EOF'
# Advisory content here
EOF
jq -n --rawfile desc /tmp/ghsa.desc.md \
'{summary,severity,description:$desc,vulnerabilities:[...]}' \
> /tmp/ghsa.patch.json
2.4 Execute PATCH API Calls in Mandatory Order
Do not set both
If both fields require updates, split them into separate sequential API calls.
severity and cvss_vector_string within a single PATCH request.
Advisories are officially published via a PATCH request setting
"state":"published" — there is no standalone dedicated /publish endpoint.Example publish command:
gh api -X PATCH /repos/openclaw/openclaw/security-advisories/ \
--input /tmp/ghsa.patch.json
2.5 Post-Publish Validation
Refetch the advisory record and validate these critical fields after publication:
stateset topublishedpublished_attimestamp populated- Raw description text contains no literal double-escaped newlines
\\n
Validation workflow:
gh api /repos/openclaw/openclaw/security-advisories/ > /tmp/ghsa.refetch.json
jq -r .description < /tmp/ghsa.refetch.json | rg '\\\\n'
3. Primary Use Cases
- Audit existing security advisories: Retrieve and inspect GHSA status and vulnerability payload data
- Patch and update advisories: Modify summary, severity rating, descriptive text, and vulnerability metadata
- Publish draft security advisories: Promote draft GHSA records to public published status
- Pre-flight private fork validation: Confirm zero open PRs on the security private fork prior to release
- Post-release sanity checks: Verify publish state, timestamp population, and clean unescaped description formatting
4. Common Footguns (Known Failure Modes)
| Footgun | Explanation |
|---|---|
| HTTP 422 publish rejection | Missing mandatory payload fields, or unresolved open PRs remaining on the private security fork |
| Malformed payload despite visually correct shell strings | Manually assembling Markdown with escaped newline literals corrupts formatting |
| PATCH field ordering violations | GHSA API enforces separate update requests for severity and cvss_vector_string |
| Overly detailed public advisory text | Draft descriptions must omit raw commit hashes, PR numbers/titles, and internal fix implementation details. Prioritize the patched-version field and high-level neutral wording; retain SHA values, PR references, and implementation notes in internal audit artifacts only. |
5. Critical Guiding Principles
- Read
SECURITY.mdfirst: Mandatory before reviewing or publishing any security advisory - Obtain explicit approval before publishing: No publish actions without prior stakeholder sign-off
- GHSA exclusive scope: This skill is isolated from standard Beta/Stable release pipelines
- Clean private fork requirement: All open PRs must be merged/closed before publication
- Heredoc + jq payload standard: Avoid manual shell escaping for Markdown and JSON construction
- Split CVSS/severity updates: Never combine
severityandcvss_vector_stringin one PATCH payload - Publish via state mutation: Use PATCH to set
state: published; no dedicated publish API endpoint exists - Post-release format validation: Confirm no double-escaped
\\nliterals exist in the final advisory description
Summary
OpenClaw GHSA Maintainer is a dedicated skill for managing and publishing GitHub Security Advisories (GHSA) within the OpenClaw repository. It implements an end-to-end standardized workflow covering advisory status retrieval, private security fork pre-checks, safe Markdown/JSON payload generation, ordered PATCH API publishing, and post-release validation. Strictly separated from general software release workflows, it enforces guardrails including mandatory security policy review, pre-publish approval, and clean private fork state, while documenting well-known API and shell formatting pitfalls. This skill is intended exclusively for OpenClaw maintainers handling vulnerability triage, security advisory publication, and private security fork governance.