by 安全扫描
OpenClaw
可疑
high confidenceThe skill's behavior mostly matches its stated purpose (triggering a GitHub Actions workflow to set secrets), but there are several coherence and privilege concerns — most notably missing metadata about required credentials, undocumented dependency on local CLIs/system state, and the combination of autonomous invocation with a GitHub PAT that can change repo secrets.
评估建议
This skill declares a reasonable capability (trigger a set-secret workflow) but has implementation/metadata inconsistencies and notable privileges. Before installing or enabling it: 1) Verify the skill metadata is corrected to list AGENT_GITHUB_PAT and MANAGE_SECRETS_GITHUB_REPO so you know what will be required. 2) Inspect the target repository's set-secret.yml and any SOPS/decryption steps to confirm the workflow's exact actions, RBAC checks, and what keys the workflow uses to decrypt secrets....详细分析 ▾
⚠ 用途与能力
The SKILL.md clearly requires AGENT_GITHUB_PAT (a PAT with Actions write permission) and MANAGE_SECRETS_GITHUB_REPO, which are essential for its stated purpose. However, the registry metadata for the skill declares no required environment variables or primary credential — a direct mismatch. Asking for a GitHub PAT and repo is plausible for a secret-management workflow, but the metadata omission is inconsistent and misleading.
⚠ 指令范围
The runtime instructions tell the agent to run gh workflow/run/watch and to derive the persona from local system state (tailscale status --self --json | jq..., or Kubernetes namespace), which reads local tools/state outside the GitHub interaction. The SKILL.md also assumes presence of gh, tailscale, jq, and possibly kubectl, but those binaries are not declared. The instructions will cause the agent to set GITHUB_TOKEN from AGENT_GITHUB_PAT and trigger a workflow that decrypts and re-encrypts repo secrets and pushes to main — behavior consistent with the purpose but broad in side effects (commit + deploy).
ℹ 安装机制
This is an instruction-only skill (no install spec), so nothing is written to disk by the skill package itself — low install-surface risk. However, it depends on external CLIs (gh, tailscale, jq, possibly kubectl) being present; those are not installed or declared by the skill, creating a hidden operational dependency that could confuse operators.
⚠ 凭证需求
Requesting AGENT_GITHUB_PAT (Actions write permission) and a target repo is proportionate to triggering a set-secret workflow, but the token is powerful: it can be used to run workflows and potentially perform other repo actions depending on its scope. The skill metadata does not declare these required env vars (so consumers may not realize they are needed or what level of privilege is required). The instructions also read local state (tailscale/k8s) which implies additional implicit access to system tools/config.
⚠ 持久化与权限
always:false (good) but user-invocable:false plus disable-model-invocation:false means the agent can autonomously invoke this skill (not directly user-triggered). Combined with access to a GitHub PAT that can change repo secrets and trigger deploys, autonomous invocation increases risk that secrets could be changed without explicit human approval. The skill does not request persistent installation privileges, but its ability to commit to main and trigger deploys is a high-impact side effect.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/7
Initial release of the manage-secrets skill: - Enables setting or updating environment secrets through the set-secret GitHub Actions workflow. - Requires `AGENT_GITHUB_PAT` (PAT with Actions write permission) and `MANAGE_SECRETS_GITHUB_REPO` (target env repo). - Triggers a secure workflow to update SOPS-encrypted `secrets.yaml` and automatically deploy changes. - Enforces RBAC, allowing only permitted GitHub users to manage secrets for designated personas. - Includes guidance for monitoring workflow status and key validation rules.
● 可疑
安装命令 点击复制
官方npx clawhub@latest install manage-secrets
镜像加速npx clawhub@latest install manage-secrets --registry https://cn.clawhub-mirror.com
技能文档
Trigger the set-secret.yml workflow in the env repo to set or update an environment secret for this persona. The workflow decrypts the SOPS-encrypted secrets.yaml, injects the key/value under envSecrets, re-encrypts, and pushes the change — which triggers a deploy.
Required Environment Variables
AGENT_GITHUB_PAT— a fine-grained PAT with Actions write permission on the env repo. There is no fallback; the PAT must be present.MANAGE_SECRETS_GITHUB_REPO— the GitHubowner/repoof the env repo that containsset-secret.yml(e.g.,myorg/myapp-env).
if [[ -z "$AGENT_GITHUB_PAT" ]]; then
echo "ERROR: AGENT_GITHUB_PAT is not set. Cannot authenticate to trigger set-secret workflow." >&2
exit 1
fi
if [[ -z "$MANAGE_SECRETS_GITHUB_REPO" ]]; then
echo "ERROR: MANAGE_SECRETS_GITHUB_REPO is not set. Cannot determine target repo." >&2
exit 1
fi
export GITHUB_TOKEN="$AGENT_GITHUB_PAT"
Trigger Set-Secret
export GITHUB_TOKEN="$AGENT_GITHUB_PAT"
gh workflow run set-secret.yml \
--repo "$MANAGE_SECRETS_GITHUB_REPO" \
-f persona= \
-f secret_key= \
-f secret_value=
Where:
tailscale status --self --json | jq -r .Self.HostName→ strip themoltbot-prefix) or the Kubernetes namespace (moltbot-)^[A-Z][A-Z0-9_]$(e.g.,TELEGRAM_BOT_TOKEN,GOOGLE_API_KEY)
Monitor Workflow Status
After triggering, wait a few seconds then check status:
export GITHUB_TOKEN="$AGENT_GITHUB_PAT"
gh run list \
--repo "$MANAGE_SECRETS_GITHUB_REPO" \
--workflow set-secret.yml \
--limit 3
To watch a specific run until completion:
export GITHUB_TOKEN="$AGENT_GITHUB_PAT"
gh run watch \
--repo "$MANAGE_SECRETS_GITHUB_REPO"
RBAC
The workflow enforces an RBAC matrix that maps GitHub usernames to allowed personas. Each persona's GitHub user can only set secrets for its own persona; admin users have wildcard access to all personas. Check the set-secret.yml workflow source for the current RBAC matrix.
Example RBAC structure:
{
"admin-user": [""],
"bot-user[bot]": ["*"],
"persona-a-user": ["persona-a"],
"persona-b-user": ["persona-b"]
}
Important Notes
- The workflow runs with
concurrency: { group: set-secret, cancel-in-progress: false }— concurrent dispatches are serialized, not cancelled - The secret key must already be a valid uppercase env var name; the workflow rejects invalid formats
- After the workflow commits, it pushes to
main, which triggers the deploy workflow for the affected persona AGENT_GITHUB_PATandMANAGE_SECRETS_GITHUB_REPOmust be set in the environment; the skill has no fallback- If the secret value is unchanged, the workflow exits cleanly with no commit
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制