📦 Incident Hotfix — Emergency Hotfix

v0.1.0

A production-incident response and hotfix executor for developers. It provides reproducible fault localization, patch-or-rollback decisions and a CI-safe hotfix workflow for one-click damage control.

0 · 366 · 1 current · 1 total
by @broedkrummen (Broedkrummen)
Last updated: 2026/4/22
Security scan
VirusTotal: suspicious
OpenClaw: suspicious (high confidence)
Assessment and recommendation
This skill appears to do what it says (create hotfix branches and capture evidence) but requires review before running in a real repo or CI environment. Specific things to check: (1) Inspect and, if needed, sanitize the --id value before running (scripts use the raw ID in file paths; avoid IDs with slashes or ..). (2) Ensure you do not run capture_evidence.sh in environments that expose secrets — it captures env vars matching NODE_ENV, ENV, APP_ENV, CI and GITHUB_ (which may include GITHUB_TOKEN...
Detailed analysis
Purpose and capabilities
The name/description (incident hotfix, evidence capture, branch creation) matches the provided scripts and docs. The skill reasonably performs git operations and creates incident files. No unexpected external services or credentials are declared.
Instruction scope
SKILL.md instructs running the two provided scripts which perform repo operations and capture environment variables. The scripts run git fetch/pull/checkouts (network and repo-modifying operations) and write to docs/incidents/<ID> — these are within incident workflow but have side effects that should be explicitly acknowledged in the README (network fetch/pull, branch creation). The scripts also capture a subset of environment variables that is broader than the declared metadata (see environment_proportionality).
Install mechanism
No install spec; this is instruction-only with two small shell scripts. Nothing is downloaded or installed automatically. This is low-risk from an install point of view.
Credential requirements
Although the skill declares no required environment variables, scripts/capture_evidence.sh explicitly captures env vars matching '^(NODE_ENV|ENV|APP_ENV|CI|GITHUB_)'. That can include sensitive values (e.g., GITHUB_TOKEN or other CI secrets) depending on environment. The skill does not document or require these credentials but will read and write them into the incident evidence bundle if present — this is disproportionate and should be restricted or documented.
Persistence and permissions
The skill does not request permanent platform privileges and always:false. It creates files under docs/incidents/<ID> and may create git branches and perform git fetch/pull operations — reasonable for a hotfix workflow but these actions modify repository state and perform network operations; the script should prompt or document these side effects. Also, docs/incidents/<ID> uses the raw ID value without sanitizing path separators, which could enable directory traversal or accidental writes outside expected paths if untrusted IDs are supplied.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest: v0.1.0 (2026/3/4) · scan result: suspicious

Install command

Official: npx clawhub@latest install incident-hotfix
Mirror (accelerated): npx clawhub@latest install incident-hotfix --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库 (Longxia Skill Library)