Security Scan
OpenClaw
Security
high confidence
The skill's code, required binaries, and environment variables are coherent with a git-based changelog/rollback tool; its actions (installing hooks, committing tracked files, registering a cron) match the stated purpose, though it can automatically stage/commit/push workspace files so users should review tracking and git remotes first.
Assessment Recommendations
This skill appears to do what it says (auto-capture, staged commits, diffs, restores, rollbacks). Before installing: 1) Inspect the included scripts (setup.sh, commit.sh, restore.sh, rollback.sh) to verify behavior. 2) Review or create a robust .gitignore and consider narrowing .agent-changelog.json tracked list (it defaults to '.') to avoid committing secrets or large runtime files. 3) Be aware setup will try to edit your OPENCLAW_CONFIG and register a cron to run every 10 minutes; if you alrea...
✓ Purpose and Capabilities
Name/description request git/jq/node and workspace/config env vars — all of which the included scripts and hooks actually use. The skill reads/writes workspace files, stages and commits tracked files, and optionally pushes to a remote; these are expected for a changelog/rollback tool.
ℹ Instruction Scope
SKILL.md and scripts instruct the agent to install hooks, read/write .version-context and pending_commits.jsonl, edit .agent-changelog.json and .gitignore, and to run shell scripts for status/log/diff/restore/rollback/commit. These are in-scope for the purpose, but the skill will modify OpenClaw config and register a cron — actions that affect the platform and run autonomously on events/cron.
✓ Install Mechanism
No external downloads or obscure package installs; setup.sh copies included files into the workspace and uses the openclaw CLI (if available) to enable hooks and register a cron. This is a typical local install mechanism and not high-risk by itself.
✓ Credential Requirements
Declared env vars (OPENCLAW_WORKSPACE, OPENCLAW_CONFIG) are exactly what the scripts use. No unrelated credentials or secret environment variables are requested. The skill does rely on HOME and standard CLI tools, which is expected.
ℹ Persistence and Privileges
always:false. The setup script enables hooks and attempts to modify the OpenClaw config and register a cron to run commit.sh every 10 minutes, giving persistent behavior within the platform. This is justified for automated batching but increases the blast radius (automatic commits/pushes).
⚠ hooks/agent-changelog-commit/handler.ts:14
Shell command execution detected (child_process).
Security is layered; review the code before running.
Runtime Dependencies
No special dependencies
Version
latest v1.0.1 2026/4/14
- Expanded required dependencies to include jq, node, and two environment variables: OPENCLAW_WORKSPACE and OPENCLAW_CONFIG.
- Updated GitHub onboarding section: users must now authenticate (SSH key or HTTPS credential), and the process is more explicitly step-by-step.
- No code or functional changes; documentation improvements only.
● Suspicious
Install Command
Official: `npx clawhub@latest install agent-changelog`
Mirror: `npx clawhub@latest install agent-changelog --registry https://cn.longxiaskill.com` (mirror sync in progress)
Skill Documentation
# Agent Changelog
OpenClaw tracks workspace file changes between turns and attributes them to the user who triggered the change. Use this skill to answer history and diff questions and to apply controlled restores or rollbacks.
When To Use
Use this skill when the user asks about:
- What changed, who changed it, or when it changed
- Diffs between versions or commits
- Rolling back or restoring files
- Taking or inspecting snapshots or status
- Setting up or verifying auto-versioning
Response Framework
- Clarify intent and scope.
- Choose the evidence source.
  - For explicit `/agent-changelog` invocations: run the matching script and return stdout verbatim.
- Present results clearly.
- Handle destructive actions safely.
  - Use `restore` for single-file fixes; use `rollback` only when the user wants to revert everything.
  - If the target commit is ambiguous, ask a clarification question.
- Guide GitHub onboarding for setup.
  - After `setup`, proactively ask: "ok do you want help with github?"
  - If yes, walk them through GitHub onboarding with no extra setup steps required on their side.
  - Confirm account status, git identity, auth method, and remote configuration.
Output Style
- For summaries, keep it short and conversational.
- For script-driven output, do not reformat or summarize; if onboarding guidance is needed, provide it after the raw output.
- If an argument looks like a typo, confirm before running.
File Content Rules
Never embed attribution metadata inside file content. Do not add inline annotations like `(updated by X on date)`, `# changed by Y`, status footnotes, or any other authorship/timestamp markers into the files you edit. Attribution belongs exclusively in the git commit message, which is handled automatically by the hooks and `commit.sh`. Files should contain only their actual content: clean and annotation-free.
Implementation Notes
- Casual history or diff: use a small git window (last 5-10 commits) and include stat output.
- Slash commands: use the scripts in `setup.sh` and `scripts/` with the user-provided arguments.
- Setup: run the setup script, then ask "ok do you want help with github?" and proceed if they confirm.
- Restore or rollback: locate the commit via `log`, then perform the change after showing what will be modified.
- Semantic summary: before every commit, run a quick diff and generate a sparse one-line summary of what changed and why (e.g. "added rate-limit rule to AGENTS.md, updated memory skill"). Always pass it via `--summary` and always include it in any history output presented to the user.
- Log output: `log.sh` outputs raw structured data; present it conversationally based on what the user asked. Don't dump raw script output. Format each entry using the `│`-prefixed box style (same as status output), one entry per block.
Command Reference (Compact)
Use this only for explicit `/agent-changelog` invocations, and return stdout verbatim.
- `setup` -> `bash {baseDir}/setup.sh`
- `setup` follow-up -> GitHub onboarding guidance
- `status` -> `bash {baseDir}/scripts/status.sh`
- `log` -> `bash {baseDir}/scripts/log.sh [count]`
- `diff` -> `bash {baseDir}/scripts/diff.sh [commit] [commit2]`
- `rollback` -> `bash {baseDir}/scripts/rollback.sh ["reason"]`
- `restore` -> `bash {baseDir}/scripts/restore.sh ["reason"]`
- `commit` (user-requested) -> `bash {baseDir}/scripts/commit.sh --manual ["message"] [--summary "one-line semantic summary"]`
- `commit` (cron-triggered) -> `bash {baseDir}/scripts/commit.sh [--summary "one-line semantic summary"]`
Auto-Versioning Overview
Two hooks capture and commit changes between turns and attribute them to the active user. Defaults can be overridden via `.agent-changelog.json`.
Tracked by default: `.` (entire workspace). Secrets and runtime files are excluded via the `.gitignore` that setup creates. Note that if a `.gitignore` already exists in the workspace, setup leaves it untouched, so ensure it covers secrets before enabling tracking.
To track a specific subset instead, edit /.agent-changelog.json with a `tracked` array (this fully replaces the default):
```json
{ "tracked": ["", ""] }
```
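A pre-flight check for the `.gitignore` caveat above, added here as an example and not part of the skill or its scripts: it lists what git would pick up for the tracked paths and flags secret-looking filenames. The function name `preflight_tracked` and the filename pattern list are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag secret-looking files that git would still pick up
# for the tracked paths, before auto-commit/push is enabled.

# Constructed filename patterns (assumption; extend for your workspace).
SECRET_RE='(^|/)(\.env(\.[^/]*)?|[^/]*\.(pem|key|p12)|id_rsa|id_ed25519|\.netrc|\.npmrc|credentials(\.json)?)$'

# preflight_tracked <workspace>
# Prints "NOT IGNORED: <path>" per risky file.
# Returns 0 if clean, 1 if risky files were found, 2 if not a git repo.
preflight_tracked() {
  pf_ws=$1
  pf_cfg="$pf_ws/.agent-changelog.json"
  pf_paths=.   # the skill's default tracked list
  git -C "$pf_ws" rev-parse --git-dir >/dev/null 2>&1 || {
    echo "not a git repository: $pf_ws" >&2
    return 2
  }
  # Use the "tracked" array when present; empty entries are skipped.
  if [ -f "$pf_cfg" ] && command -v jq >/dev/null 2>&1; then
    pf_listed=$(jq -r '.tracked[]? | select(length > 0)' "$pf_cfg" 2>/dev/null || true)
    if [ -n "$pf_listed" ]; then pf_paths=$pf_listed; fi
  fi
  # --cached: files already in the index (a later .gitignore entry does
  #           NOT untrack them).
  # --others --exclude-standard: untracked files no ignore rule covers.
  pf_hits=$(
    printf '%s\n' "$pf_paths" | while IFS= read -r p; do
      git -C "$pf_ws" ls-files --cached --others --exclude-standard -- "$p"
    done | sort -u | grep -E "$SECRET_RE" || true
  )
  if [ -z "$pf_hits" ]; then return 0; fi
  printf '%s\n' "$pf_hits" | sed 's/^/NOT IGNORED: /'
  return 1
}
```

Run it against the workspace before `setup`. A file that was committed before its ignore rule existed stays flagged until it is removed from the index with `git rm --cached`.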
GitHub Onboarding (Setup Add-on)
Use this flow after setup to help users connect the workspace to GitHub. The user will need to authenticate (SSH key or HTTPS credential) — walk them through it step by step:
- Account and intent. Confirm they have a GitHub account and want this repo linked.
- Git identity. Ensure `user.name` and `user.email` are set for commits.
- Auth method. Offer SSH or HTTPS; proceed with their preference.
- Remote and verify. Ensure an `origin` remote exists and verify access.
- Next action. Create or select the GitHub repo, then push or fetch as needed.