Maintainer workflow for OpenClaw GitHub Security Advisories (GHSA). Use when Codex needs to inspect, patch, validate, or publish a repo advisory, verify private-fork state, prepare advisory Markdown or JSON payloads safely, handle GHSA API-specific publish constraints, or confirm advisory publish success.
Use this skill for repo security advisory workflow only. Keep general release work in openclaw-release-maintainer.
Related: SECURITY.md.
Fetch the current advisory and the latest published npm version:
gh api /repos/openclaw/openclaw/security-advisories/<GHSA>
npm view openclaw version --userconfig "$(mktemp)"
Use the fetch output to confirm the advisory state, linked private fork, and vulnerability payload shape before patching.
Before publishing, verify that the advisory's private fork has no open PRs:
fork=$(gh api /repos/openclaw/openclaw/security-advisories/<GHSA> | jq -r .private_fork.full_name)
gh pr list -R "$fork" --state open
The PR list must be empty before publish.
Write the description Markdown to a file and feed it to jq with --rawfile so line breaks stay real newlines rather than literal \n strings. Build the JSON payload with jq, not hand-escaped shell JSON. Example pattern:
cat > /tmp/ghsa.desc.md <<'EOF'
<markdown description>
EOF
jq -n --arg summary "<summary>" --arg severity "<severity>" --rawfile desc /tmp/ghsa.desc.md \
  '{summary:$summary,severity:$severity,description:$desc,vulnerabilities:[...]}' \
  > /tmp/ghsa.patch.json
Set severity and cvss_vector_string in the same PATCH call. Publishing is a state change in that same PATCH body, "state":"published"; there is no separate /publish endpoint. Example shape:
gh api -X PATCH /repos/openclaw/openclaw/security-advisories/<GHSA> \
--input /tmp/ghsa.patch.json
After publish, re-fetch the advisory and confirm:
- state is published
- published_at is set
- the description contains no literal \n sequences
Verification pattern:
gh api /repos/openclaw/openclaw/security-advisories/<GHSA> > /tmp/ghsa.refetch.json
# No output (rg exit code 1) is the expected result: a match means a hand-escaped newline leaked into the published text.
jq -r .description < /tmp/ghsa.refetch.json | rg '\\n'
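The two failure modes this workflow guards against, a hand-escaped description and a PATCH that never actually flipped the advisory to published, can be checked before and after the call. The following is an added example, not OpenClaw's own tooling: it builds the same PATCH payload shape the jq pattern produces and verifies a re-fetched advisory the way the verification step describes. The field names (summary, severity, description, cvss_vector_string, state, published_at, vulnerabilities with package/vulnerable_version_range/patched_versions) are assumed from the GitHub repository-security-advisory API; all sample values are constructed placeholders.

```python
"""Build a GHSA PATCH payload and verify a re-fetched advisory.

Added example for the OpenClaw GHSA workflow, not project code. Field names
follow the GitHub repository-security-advisory REST API as assumed in the
lead-in; every sample value below is constructed.
"""
import json
import re

# Matches a literal backslash followed by "n" in decoded text. That is what a
# hand-escaped shell JSON payload leaves behind, whereas a real line break
# decodes to an actual newline character and is not matched.
LITERAL_NEWLINE = re.compile(r"\\n")


def build_patch_payload(summary, severity, description_md, vulnerabilities,
                        cvss_vector_string=None, publish=False):
    """Return the PATCH body as a dict; json.dumps does the escaping."""
    if LITERAL_NEWLINE.search(description_md):
        raise ValueError("description contains a literal \\n sequence; use real newlines")
    payload = {
        "summary": summary,
        "severity": severity,
        "description": description_md,
        "vulnerabilities": vulnerabilities,
    }
    if cvss_vector_string is not None:
        # severity and cvss_vector_string belong in the same PATCH call
        payload["cvss_vector_string"] = cvss_vector_string
    if publish:
        # publishing is a state change on the same endpoint; no /publish route
        payload["state"] = "published"
    return payload


def verify_published(advisory):
    """Return a list of problems found in a re-fetched advisory (empty == OK)."""
    problems = []
    if advisory.get("state") != "published":
        problems.append(f"state is {advisory.get('state')!r}, expected 'published'")
    if not advisory.get("published_at"):
        problems.append("published_at is not set")
    if LITERAL_NEWLINE.search(advisory.get("description") or ""):
        problems.append("description contains a literal \\n sequence")
    return problems


# Constructed sample inputs (stand-ins for /tmp/ghsa.desc.md and the
# vulnerability entry derived from `npm view openclaw version`).
DESCRIPTION_MD = """## Impact

Constructed sample text for the example.

## Patches

Fixed in the placeholder version below.
"""

SAMPLE_VULNERABILITIES = [{
    "package": {"ecosystem": "npm", "name": "openclaw"},
    "vulnerable_version_range": "< 0.0.0-placeholder",
    "patched_versions": "0.0.0-placeholder",
}]


def demo():
    """Round-trip a good payload and a hand-escaped one through the checks."""
    payload = build_patch_payload(
        "Constructed summary", "high", DESCRIPTION_MD, SAMPLE_VULNERABILITIES,
        cvss_vector_string="CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",  # constructed
        publish=True,
    )
    # Simulate the re-fetch: same JSON back, with the server-set timestamp.
    refetched = json.loads(json.dumps(payload))
    refetched["published_at"] = "2024-01-01T00:00:00Z"  # constructed
    good = verify_published(refetched)

    # A payload produced by hand-escaping "\n" inside shell quotes.
    hand_escaped = json.loads(
        '{"state":"draft","description":"line one\\\\nline two"}'
    )
    bad = verify_published(hand_escaped)
    return good, bad


if __name__ == "__main__":
    ok, problems = demo()
    print("good advisory problems:", ok)
    print("hand-escaped advisory problems:", problems)
```

Run it as a script to see both outcomes; in a real flow you would call verify_published on the JSON saved by the gh api re-fetch, and a non-empty list means the advisory is not done yet.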