1. Skill Overview
This skill audits OpenClaw security advisories, drafts, and GHSA reports. Its objective is to deliver high-confidence maintainer-level triage decisions, avoiding both premature closure of genuine vulnerabilities and unnecessary functional regressions.
Core Principle: Do not close an advisory solely because the fix lands on the main branch. If the latest published tag or npm release remains vulnerable, leave the advisory open until a proper patched release ships.
2. Core Capabilities
2.1 Close Bar Criteria
An advisory may only be closed if one of the following conditions is satisfied:
- Duplicate of an existing published advisory or previously resolved tracked vulnerability
- Behavior described is invalid and does not match documented shipped functionality
- Falls outside the security scope defined in
SECURITY.md
- Fully patched in all affected release tags / published versions prior to current shipping builds
A fix landing on main alone does not qualify as grounds for closure.
2.2 Pre-Audit Mandatory Reading & Evidence Collection
Complete all of these steps before issuing a final triage verdict:
- Read the full
SECURITY.md security policy
- Pull full GHSA advisory body via
gh api
- Locate and inspect the exact vulnerable source code paths
- Validate shipping release status:
git tag --sort=-creatordate | head
npm view openclaw version
git tag --contains <commit-SHA>
git show :path/to/vulnerable/file.ts
- Search for overlapping canonical records: existing published GHSAs, historic resolved bugs, and identical trust model classes already covered in
SECURITY.md
2.3 Standard Review Workflow
For each GHSA, decide one of three outcomes:
- Close
- Keep open
- Keep open with narrowed impact scope
Single-item sequential rules:
- Process only one GHSA per full workflow pass
- Print the GHSA URL first in output
- Summarize verdict and supporting evidence for discussion
- Draft a complete ready-to-post maintainer comment
- Copy the drafted comment to clipboard
- Pause work and wait for Peter’s release / discussion feedback before triaging the next GHSA
- Bulk batch close comments are forbidden unless explicitly requested by Peter
2.4 Mandatory Inspection Order
Evaluate the advisory against these dimensions in fixed sequence:
| Inspection Dimension |
Key Evaluation Questions |
| Trust Model Boundaries |
Are the preconditions confined to trusted hosts, local workspaces, plugin execution, or operator state? Does SECURITY.md explicitly mark this scenario as out-of-scope or hardening-only? |
| Shipped Release Behavior |
Does the bug reproduce on the latest production tag / npm version? Was a patch merged prior to the affected release’s publish date? |
| Exploitation Path |
Does the report demonstrate a genuine trust boundary bypass, rather than trivial instruction injection, same-user local control, or minor helper-level semantic edge cases? |
| Functional Tradeoff Analysis |
Would hardening mitigations degrade documented expected user workflows? Prioritize fixes that preserve core user functionality over deny-by-default breaking regressions. |
| Hardening Follow-Up |
Even if the GHSA qualifies for closure, identify narrow optional hardening patches that reduce misuse risk without altering documented trust boundaries. |
2.5 Trusted Workspace Data Flow Judgment
When sensitive data only moves between in-memory files within policy-defined trusted workspaces, standalone injection markers do not automatically classify the behavior as a security vulnerability.
Sanitization logic for such flows is framed as optional hardening, provided it does not break expected in-memory workspace workflows.
2.6 Standard Response Format for Maintainer Closure Comments
Structure all drafted maintainer review comments as follows:
- Print the full GHSA URL at the top
- Write detailed reasoning covering:
- Exact definitive closure rationale
- Precise source code path references
- Factual shipping release / tag status
- Fix provenance or duplicate GHSA cross-reference (if applicable)
- Optional hardening recommendations (only when low-risk and non-breaking)
- Tone requirements: Firm, specific, non-defensive, objective
2.7 Public Wording Hygiene Rules
| Allowed Practices |
Forbidden Practices |
| Reference patched release / version fields in public advisory text |
Embed raw commit hashes, PR titles/numbers, or detailed fix mechanism summaries in public GHSA content |
| Retain SHA values, PR links, and implementation breakdowns exclusively in internal notes and validation artifacts |
Include exploitation steps, "Fixed by" callouts, or dedicated Fix Commit sections within closed non-published advisories |
Credit reporters, preserve attribution, clearly state SECURITY.md scope boundaries, and explicitly note the GHSA will close without a public CVE release |
Reference GHSA IDs in public changelogs and release notes unless Peter explicitly approves |
Lead published CVE/GHSA text with a ### Patched Versions section listing fixed releases |
Explain patch internal implementation logic in public advisory text unless Peter explicitly requests full disclosure |
2.8 Discussion Mode (Peter Manual Review Flow)
When Peter manually reviews and replies to GHSA threads:
- Output the GHSA URL
- State a concise single-sentence verdict:
close / keep open / keep open but narrow
- List top supporting evidence bullet points
- Separate optional hardening follow-up suggestions from core closure rationale
- Copy the full drafted comment body to clipboard via
pbcopy
- Halt processing after one advisory and wait for Peter’s signal to continue triaging further items
2.9 Decision Reference Matrix
| Scenario |
Standard Verdict |
Bug patched on main but no production release shipped yet |
Almost never sufficient grounds for closure |
| Exploit requires prior attacker control over trusted local state |
Typically out-of-scope per security policy |
| Same-host same-user process already has full read/write access to local state |
Typically out-of-scope per security policy |
| In-memory trusted workspace data promotion / reindexing within documented trust boundaries |
Typically out-of-scope unless crossing formal policy boundaries |
| Helper logic behavior diverges from documented config semantics only |
Usually marked invalid non-vulnerability |
| Severity scoring misclassification but underlying bug is genuine |
Keep open; narrow stated impact scope in the review comment |
3. Primary Use Cases
- GHSA security advisory triage: Systematically audit new and existing GitHub security vulnerability reports
- Verdict classification: Determine whether to close, retain open, or narrow the impact scope of a GHSA based on trust model rules, shipped release state, and exploit path analysis
- Draft maintainer-ready public review comments: Generate complete rationale with exact code references and shipping release facts
- Distinguish genuine vulnerabilities from out-of-scope edge cases: Avoid misclassifying in-boundary trust model behavior as security flaws
- Identify optional hardening improvements: Surface low-risk mitigating changes that reduce misuse risk without altering core trust boundaries
- Enforce standardized public disclosure hygiene: Prevent leaking internal implementation details in public advisory text
4. Critical Guiding Principles
- Do not close advisories based solely on
main branch fixes; leave open if the latest production release remains vulnerable
- Single sequential triage rule: Process one GHSA at a time and wait for Peter’s confirmation before moving to the next
- Evidence-based triage: Every verdict must cite concrete source code references and published release tag facts
- Trust model boundary evaluation takes priority: First assess whether the exploit prerequisites reside within policy-defined trusted zones
- Separate hardening mitigations from vulnerability status: Optional hardening improvements do not constitute a requirement for closing an advisory
- Strict public wording hygiene: Commit hashes, PR identifiers, and patch implementation details stay internal and are excluded from public GHSA text
- Functionality-first remediation: Prioritize fixes that preserve user workflows over breaking deny-by-default regressions
Summary
Security Triage is a maintainer-exclusive skill for auditing and classifying OpenClaw GitHub Security Advisories (GHSAs). It implements a standardized three-dimensional inspection framework covering trust model boundaries, shipped release vulnerability status, and exploit path feasibility to render consistent triage verdicts: close, keep open, or narrow impact scope. Centered around shipped production tag evidence, it enforces core guardrails including "no closure for main-only fixes", single-item sequential processing, and strict separation between optional hardening patches and vulnerability resolution status. It also standardizes secure public disclosure wording, restricting commit hashes, PR metadata, and implementation details to internal artifacts while only publishing minimal patched version information. This skill is intended for OpenClaw maintainers to conduct consistent, high-confidence vulnerability triage upon receiving new GHSA security reports.