Vincent Koc
bf623a580b
Agents: add skill API rate-limit guardrail (#38452)
...
* Agents: add rate-limit guardrail for skill API writes
* Changelog: note skill API rate-limit awareness
2026-03-06 20:20:00 -05:00
Mark Zhang
81f22ae109
openai-image-gen: validate and normalize --output-format (#36648)
...
* openai-image-gen: validate and normalize output format
* Skills/openai-image-gen: cover output-format edge cases
* Changelog: note openai image output format validation
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-03-06 11:14:30 -05:00
Mark Zhang
20038fb955
openai-image-gen: validate --background and --style options (#36762)
...
* openai-image-gen: validate --background and --style inputs
* Skills/openai-image-gen: warn on ignored background and style flags
* Skills/openai-image-gen: cover empty and warning cases
* Changelog: note openai image flag validation
* Skills/openai-image-gen: fix Python import order
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-03-06 11:04:25 -05:00
Vincent Koc
05c2cbf0e9
Skills/nano-banana-pro: clarify MEDIA token comment (#38063)
2026-03-06 10:51:11 -05:00
Mark Zhang
37a3fb0f86
nano-banana-pro: respect explicit --resolution when editing images (#36880)
...
* nano-banana-pro: respect explicit --resolution when editing images
* Changelog: note nano banana resolution fix
* Update CHANGELOG.md
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-03-06 10:44:54 -05:00
ABFS Tech
86a89d96d7
fix(nano-banana-pro): remove space after MEDIA: token in generate_image.py (#18706)
...
The MEDIA: output token must appear at line start with no space after
the colon for OpenClaw's splitMediaFromOutput parser to extract the
file path and auto-attach media on outbound chat channels (Discord,
Telegram, WhatsApp, etc.).
The script was printing 'MEDIA: /path' (with space), which while
tolerated by the regex, does not match the canonical 'MEDIA:/path'
format used by all other skills (e.g. openai-image-gen) and tested
in the codebase (pi-embedded-subscribe.tools.media.test.ts,
media/parse.test.ts).
Also updated the comment to clarify the format constraint.
2026-03-06 10:29:06 -05:00
Brenner Spear
36e2e04a32
feat(nano-banana-pro): add --aspect-ratio flag to generate_image.py (#28159)
...
* feat(nano-banana-pro): add --aspect-ratio flag to generate_image.py
* Nano Banana: allow all supported aspect ratios
* Docs: expand nano banana aspect ratio options
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-03-06 00:26:55 -05:00
Vincent Koc
4d183af0cf
fix: code/cli acpx reliability 20260304 (#34020)
...
* agents: switch claude-cli defaults to bypassPermissions
* agents: add claude-cli default args coverage
* agents: emit watchdog stall system event for cli runs
* agents: test cli watchdog stall system event
* acpx: fallback to sessions new when ensure returns no ids
* acpx tests: mock sessions new fallback path
* acpx tests: cover ensure-empty fallback flow
* skills: clarify claude print mode without pty
* docs: update cli-backends claude default args
* docs: refresh cli live test default args
* gateway tests: align live claude args defaults
* changelog: credit claude/acpx reliability fixes
* Agents: normalize legacy Claude permission flag overrides
* Tests: cover legacy Claude permission override normalization
* Changelog: note legacy Claude permission flag auto-normalization
* ACPX: fail fast when ensure/new return no session IDs
* ACPX tests: support empty sessions new fixture output
* ACPX tests: assert ensureSession failure when IDs missing
* CLI runner: scope watchdog heartbeat wake to session
* CLI runner tests: assert session-scoped watchdog wake
* Update CHANGELOG.md
2026-03-04 01:15:28 -05:00
AaronWander
4c32411bee
fix(exec): suggest increasing timeout on timeouts
2026-03-03 02:35:10 +00:00
bmendonca3
738f5d4533
skills: make sherpa-onnx-tts bin ESM-compatible
2026-03-02 18:30:42 +00:00
Onur Solmaz
a7d56e3554
feat: ACP thread-bound agents (#23580)
...
* docs: add ACP thread-bound agents plan doc
* docs: expand ACP implementation specification
* feat(acp): route ACP sessions through core dispatch and lifecycle cleanup
* feat(acp): add /acp commands and Discord spawn gate
* ACP: add acpx runtime plugin backend
* fix(subagents): defer transient lifecycle errors before announce
* Agents: harden ACP sessions_spawn and tighten spawn guidance
* Agents: require explicit ACP target for runtime spawns
* docs: expand ACP control-plane implementation plan
* ACP: harden metadata seeding and spawn guidance
* ACP: centralize runtime control-plane manager and fail-closed dispatch
* ACP: harden runtime manager and unify spawn helpers
* Commands: route ACP sessions through ACP runtime in agent command
* ACP: require persisted metadata for runtime spawns
* Sessions: preserve ACP metadata when updating entries
* Plugins: harden ACP backend registry across loaders
* ACPX: make availability probe compatible with adapters
* E2E: add manual Discord ACP plain-language smoke script
* ACPX: preserve streamed spacing across Discord delivery
* Docs: add ACP Discord streaming strategy
* ACP: harden Discord stream buffering for thread replies
* ACP: reuse shared block reply pipeline for projector
* ACP: unify streaming config and adopt coalesceIdleMs
* Docs: add temporary ACP production hardening plan
* Docs: trim temporary ACP hardening plan goals
* Docs: gate ACP thread controls by backend capabilities
* ACP: add capability-gated runtime controls and /acp operator commands
* Docs: remove temporary ACP hardening plan
* ACP: fix spawn target validation and close cache cleanup
* ACP: harden runtime dispatch and recovery paths
* ACP: split ACP command/runtime internals and centralize policy
* ACP: harden runtime lifecycle, validation, and observability
* ACP: surface runtime and backend session IDs in thread bindings
* docs: add temp plan for binding-service migration
* ACP: migrate thread binding flows to SessionBindingService
* ACP: address review feedback and preserve prompt wording
* ACPX plugin: pin runtime dependency and prefer bundled CLI
* Discord: complete binding-service migration cleanup and restore ACP plan
* Docs: add standalone ACP agents guide
* ACP: route harness intents to thread-bound ACP sessions
* ACP: fix spawn thread routing and queue-owner stall
* ACP: harden startup reconciliation and command bypass handling
* ACP: fix dispatch bypass type narrowing
* ACP: align runtime metadata to agentSessionId
* ACP: normalize session identifier handling and labels
* ACP: mark thread banner session ids provisional until first reply
* ACP: stabilize session identity mapping and startup reconciliation
* ACP: add resolved session-id notices and cwd in thread intros
* Discord: prefix thread meta notices consistently
* Discord: unify ACP/thread meta notices with gear prefix
* Discord: split thread persona naming from meta formatting
* Extensions: bump acpx plugin dependency to 0.1.9
* Agents: gate ACP prompt guidance behind acp.enabled
* Docs: remove temp experiment plan docs
* Docs: scope streaming plan to holy grail refactor
* Docs: refactor ACP agents guide for human-first flow
* Docs/Skill: add ACP feature-flag guidance and direct acpx telephone-game flow
* Docs/Skill: add OpenCode and Pi to ACP harness lists
* Docs/Skill: align ACP harness list with current acpx registry
* Dev/Test: move ACP plain-language smoke script and mark as keep
* Docs/Skill: reorder ACP harness lists with Pi first
* ACP: split control-plane manager into core/types/utils modules
* Docs: refresh ACP thread-bound agents plan
* ACP: extract dispatch lane and split manager domains
* ACP: centralize binding context and remove reverse deps
* Infra: unify system message formatting
* ACP: centralize error boundaries and session id rendering
* ACP: enforce init concurrency cap and strict meta clear
* Tests: fix ACP dispatch binding mock typing
* Tests: fix Discord thread-binding mock drift and ACP request id
* ACP: gate slash bypass and persist cleared overrides
* ACPX: await pre-abort cancel before runTurn return
* Extension: pin acpx runtime dependency to 0.1.11
* Docs: add pinned acpx install strategy for ACP extension
* Extensions/acpx: enforce strict local pinned startup
* Extensions/acpx: tighten acp-router install guidance
* ACPX: retry runtime test temp-dir cleanup
* Extensions/acpx: require proactive ACPX repair for thread spawns
* Extensions/acpx: require restart offer after acpx reinstall
* extensions/acpx: remove workspace protocol devDependency
* extensions/acpx: bump pinned acpx to 0.1.13
* extensions/acpx: sync lockfile after dependency bump
* ACPX: make runtime spawn Windows-safe
* fix: align doctor-config-flow repair tests with default-account migration (#23580) (thanks @osolmaz)
2026-02-26 11:00:09 +01:00
Peter Steinberger
42373b6742
fix(skills): support multiline frontmatter fallback without PyYAML
2026-02-23 18:56:14 +00:00
Brian Mendonca
f18f087c3c
fix(skills): make quick_validate work without PyYAML
...
(cherry picked from commit 485a55b4ec)
2026-02-23 18:56:14 +00:00
Gustavo Madeira Santana
c92c3ad224
Tests: isolate quick_validate stub and remove DS_Store
2026-02-23 03:25:37 -05:00
Vincent Koc
07edadfa8a
skill-creator: reject unclosed YAML frontmatter (#24289)
2026-02-23 02:51:51 -05:00
Vincent Koc
c8a62e1cea
Skills/Python: harden script edge cases and add regression tests (#24277)
...
* Skill creator: skip self-including .skill output
* Skill creator tests: cover output-dir-inside-skill case
* Skill validator: parse frontmatter robustly across newlines
* Skill validator tests: add CRLF and malformed frontmatter coverage
* Model usage: require positive --days value
* Model usage tests: cover --days validation and filtering
* Nano banana: close input image handles after loading
* Skill validator: keep type hints compatible with older python
* Changelog: credit @vincentkoc for Python skills hardening
2026-02-23 02:34:23 -05:00
Vincent Koc
844924cf8d
fix(skill-creator): harden skill packaging path handling (#24260)
...
* fix(skill-creator): skip symlinks during skill packaging
* test(skill-creator): cover symlink skipping and root-escape guard
2026-02-23 02:07:36 -05:00
Vincent Koc
76dabd5214
CI/Skills: add Python lint and test harness for skills scripts (#24246)
...
* CI: add skills Python checks job
* Chore: add Python lint and test pre-commit hooks
* Tests: fix skill-creator package test import path
* Chore: add Python tooling config for skills scripts
* CI: run all skills Python tests
* Chore: run all skills Python tests in pre-commit
* Chore: enable pytest discovery for all skills tests
* Changelog: note skills Python quality harness
2026-02-23 01:52:00 -05:00
CornBrother0x
f3adf142c1
fix(security): escape user input in HTML gallery to prevent stored XSS (#16958)
...
* Security/openai-image-gen: escape HTML gallery user input
* Tests/openai-image-gen: add gallery XSS regression coverage
* Changelog: add openai-image-gen XSS hardening note
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-02-23 01:39:58 -05:00
Sid
3bfe990c33
fix(skill-creator): exclude .git and VCS internals from .skill archives (#23180)
...
The packager included .git directory contents in .skill archives,
causing unnecessary bloat, metadata leakage, and poor artifact hygiene.
Hard-exclude .git, .svn, .hg, __pycache__, and node_modules from
packaged archives. These paths are never useful in distributable skills.
Fixes #23149
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-22 15:24:11 -05:00
Peter Steinberger
7abae052f9
chore(skills): remove bundled food-order skill
2026-02-22 15:06:27 +01:00
Henry Loenwind
24d18d0d72
fix: Correct data path in SKILL.md (coding-agent) (#11009)
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: f7e56b80c6
Co-authored-by: HenryLoenwind <1485873+HenryLoenwind@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
2026-02-21 18:09:25 +05:30
Santiago Medina Rolong
11f6bea598
add secret safety
2026-02-21 11:58:14 +01:00
Santiago Medina Rolong
8db5e77ffa
skills: fmt
2026-02-21 11:58:14 +01:00
Santiago Medina Rolong
da844d6411
skills: update xurl description
2026-02-21 11:58:14 +01:00
Santiago Medina
ac2ef69454
Update skills/xurl/SKILL.md
...
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
2026-02-21 11:58:14 +01:00
Santiago Medina Rolong
635b6298e3
skills: add xurl skill
2026-02-21 11:58:14 +01:00
Harold Hunt
02ac5b59d1
Skills: add SonosCLI troubleshooting guidance (openclaw#21316) thanks @huntharo
...
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini
Co-authored-by: huntharo <5617868+huntharo@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
2026-02-20 19:52:42 -06:00
Val Alexander
82a1741336
fix: update formula handling in SKILL.md and frontmatter.ts (#11046)
...
- Changed "cask" to "formula" in SKILL.md for consistency.
- Enhanced formula parsing in frontmatter.ts to trim whitespace and fallback to cask if formula is not provided.
2026-02-19 16:57:08 -06:00
Peter Steinberger
ee1d6427b5
fix(security): enforce symlink-safe skill packaging
2026-02-19 10:56:17 +01:00
aether-ai-agent
c275932aa4
fix(security): OC-22 prevent Zip Slip and symlink following in skill packaging
...
This commit implements critical security fixes for vulnerability OC-22
(CVSS 7.7, CWE-426) in the skill packaging system.

## Security Fixes

1. Symlink Detection and Rejection
   - Added check to detect and reject symlinks in skill directories
   - Prevents attackers from including arbitrary system files via symlink following
   - Rejects packaging with error message if any symlink is found
2. Path Traversal (Zip Slip) Prevention
   - Added validation for arcname paths in zip archives
   - Rejects paths containing ".." (directory traversal)
   - Rejects absolute paths that could escape skill directory
   - Prevents attackers from overwriting system files during extraction

## Attack Vectors Mitigated

- Symlink following: Attacker creates symlink to /etc/passwd or other
  sensitive files in skill directory → now rejected
- Zip Slip: Attacker crafts paths with "../../root/.bashrc" to overwrite
  system files during extraction → now rejected

## Changes

- Modified: skills/skill-creator/scripts/package_skill.py
  - Added symlink check (line 73-76)
  - Added path validation check (line 84-87)
  - Enhanced error messages for security violations
- Added: skills/skill-creator/scripts/test_package_skill.py
  - Comprehensive test suite with 11 test cases
  - Tests for symlink rejection
  - Tests for path traversal prevention
  - Tests for normal file packaging
  - Tests for edge cases (nested files, multiple files, large skills)

## Testing

All 11 tests pass:
- test_normal_file_packaging: Normal files packaged correctly
- test_symlink_rejection: Symlinks detected and rejected
- test_symlink_to_sensitive_file: Sensitive file symlinks rejected
- test_zip_slip_prevention: Normal subdirectories work properly
- test_absolute_path_prevention: Path validation logic tested
- test_nested_files_allowed: Properly nested files allowed
- test_multiple_files_with_symlink_mixed: Single symlink fails entire package
- test_large_skill_with_many_files: Large skills handled correctly
- test_missing_skill_directory: Error handling verified
- test_file_instead_of_directory: Error handling verified
- test_missing_skill_md: Error handling verified
2026-02-19 10:56:17 +01:00
Peter Steinberger
797a47c3ce
docs: harden coding-agent skill guidance example
2026-02-18 16:55:50 +01:00
DylanWoodAkers
cfd384ead2
feat(skills): improve descriptions with routing logic (#14577)
...
* feat(skills): improve descriptions with routing logic
Apply OpenAI's recommended pattern for skill descriptions:
- Add 'Use when' conditions for clear triggering
- Add 'NOT for' negative examples to reduce misfires
- Make descriptions act as routing logic, not marketing copy
Based on: https://developers.openai.com/blog/skills-shell-tips/
Skills updated:
- coding-agent: clarify when to delegate vs direct edit
- github: add boundaries vs browser/scripting
- weather: add scope limitations
Glean reported 20% drop in skill triggering without negative
examples, recovering after adding them. This change brings
Clawdbot skills in line with that pattern.
* docs(skills): clarify routing boundaries (openclaw#14577) (thanks @DylanWoodAkers)
* docs(changelog): add PR 14577 release note (openclaw#14577) (thanks @DylanWoodAkers)
---------
Co-authored-by: ClawdBotWolf <clawdbotwolf@proton.me>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-02-18 01:31:28 +01:00
Blakeshannon
9cce40d123
feat(skills): Add 'Use when / Don't use when' routing blocks (#14521)
...
* feat(skills): add 'Use when / Don't use when' blocks to skill descriptions
Based on OpenAI's Shell + Skills + Compaction best practices article.
Key changes:
- Added clear routing logic to skill descriptions
- Added negative examples to prevent misfires
- Added templates/examples to github skill
- Included Blake's specific setup notes for openhue
Skills updated:
- apple-reminders: Clarify vs Clawdbot cron
- github: Clarify vs local git operations
- imsg: Clarify vs other messaging channels
- openhue: Add device inventory, room layout
- tmux: Clarify vs exec tool
- weather: Add location defaults, format codes
Reference: https://developers.openai.com/blog/skills-shell-tips
* fix(skills): restore metadata and generic CLI examples
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-02-18 01:28:20 +01:00
Sebastian
f79cf3a01d
revert: remove accidentally merged video-quote-finder skill (#18550)
2026-02-16 21:16:29 -05:00
OpenClaw Bot
767109e7d5
fix(skills): improve git credential handling for gh-issues sub-agents
...
- Add explicit GH_TOKEN setup in sub-agent environment
- Disable credential helper before push
- Use GIT_ASKPASS to prevent credential prompts
2026-02-17 00:00:08 +01:00
zisisp
71dad89193
Revert "skills/video-quote-finder: add markdown PR hygiene checks"
...
This reverts commit 38c0d42542.
2026-02-16 23:50:47 +01:00
zisisp
d0793cbb9b
skills/video-quote-finder: add markdown PR hygiene checks
2026-02-16 23:50:47 +01:00
zisisp
e2f28ff4cb
skills/video-quote-finder: strip URL fragments before adding timestamp
2026-02-16 23:50:47 +01:00
zisisp
61726a2fbd
skills: add video-quote-finder with timestamp links
2026-02-16 23:50:47 +01:00
Peter Steinberger
2363e1b085
fix(security): restrict skill download target paths
2026-02-16 03:47:28 +01:00
Shadow
9203a2fdb1
Discord: CV2! (#16364)
2026-02-15 10:24:53 -06:00
Peter Steinberger
d3428053d9
fix: redact config values in skills status
2026-02-14 17:35:16 +01:00
Peter Steinberger
e50ce897b0
chore(skills): remove duplicate local-places skill
2026-02-13 16:15:47 +01:00
Hudson Rivera
588d7133f5
fix(docs): correct wake command in coding-agent skill (#10516)
...
The skill documented `openclaw gateway wake --text ... --mode now` which
is not a valid subcommand. The correct command is
`openclaw system event --text ... --mode now`.
Fixes #10515.
2026-02-09 12:18:20 -05:00
Peter Steinberger
31a7e4f937
chore(skills): remove bird skill
2026-02-06 22:28:44 -08:00
Gustavo Madeira Santana
6b7d3c3062
Revert "feat(skills): add QR code skill (#8817)"
...
This reverts commit ad13c265ba.
2026-02-05 17:20:27 -05:00
Omar Khaleel
ad13c265ba
feat(skills): add QR code skill (#8817)
...
feat(skills): add QR code generation and reading skill
Adds qr-code skill with:
- qr_generate.py - Generate QR codes with customizable size/error correction
- qr_read.py - Decode QR codes from images
- SKILL.md documentation
Co-authored-by: Omar-Khaleel
2026-02-05 13:34:43 -08:00
Wangnov
089d03453d
docs(skills): split tmux send-keys for TUI (#7737)
...
* docs(skills): split tmux send-keys for TUI
* docs(skills): soften TUI send-keys wording
---------
Co-authored-by: wangnov <1694546283@qq.com>
2026-02-03 22:03:47 -08:00
Michelle Tilley
5af322f710
feat(discord): add set-presence action for bot activity and status
...
Bridge the agent tools layer to the Discord gateway WebSocket via a new
gateway registry, allowing agents to set the bot's activity and online
status. Supports playing, streaming, listening, watching, custom, and
competing activity types. Custom type uses activityState as the sidebar
text; other types show activityName in the sidebar and activityState in
the flyout. Opt-in via channels.discord.actions.presence (default false).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-04 04:02:38 +00:00