vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-06 07:40:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: explain security autofix boundary

Browse Source
This commit is contained in:
Peter Steinberger
2026-04-30 02:11:36 +01:00
parent 64cb9c5b71
commit 5e8c396bb8
1 changed files with 10 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
.agents/skills/clawsweeper/SKILL.md
View File

@@ -285,13 +285,17 @@ CLAWSWEEPER_MAX_REPAIRS_PER_HEAD=1
## Security Boundary
Do not stage security-sensitive work for ClawSweeper Repair. Route vulnerability
reports, CVE/GHSA/advisory work, leaked secrets/tokens/keys, plaintext secret
storage, SSRF, XSS, CSRF, RCE, auth bypass, privilege escalation, and sensitive
data exposure to central OpenClaw security handling.
Do not stage unapproved security-sensitive work for ClawSweeper Repair. Route
vulnerability reports, CVE/GHSA/advisory work, leaked secrets/tokens/keys,
plaintext secret storage, SSRF, XSS, CSRF, RCE, auth bypass, privilege
escalation, and sensitive data exposure to central OpenClaw security handling.
For adopted automerge jobs, trust deterministic ClawSweeper security markers,
labels, and job frontmatter; do not infer security handling from vague prose.
For PRs explicitly opted into `clawsweeper:autofix` or
`clawsweeper:automerge`, security-sensitive review findings may dispatch
bounded repair, but merge remains blocked until a later exact-head review is
clean and the normal merge gates pass. Trust deterministic ClawSweeper security
markers, labels, and job frontmatter; do not infer security handling from vague
prose.
## Monitoring