技能详情(站内镜像,无评论)
作者:Siri @asiridalugoda
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v0.1.2
统计:⭐ 0 · 130 · 0 current installs · 0 all-time installs
⭐ 0
安装量(当前) 0
🛡 VirusTotal :良性 · OpenClaw :良性
Package:asiridalugoda/releaseguard
安全扫描(ClawHub)
- VirusTotal :良性
- OpenClaw :良性
OpenClaw 评估
The skill's declared purpose and runtime instructions match: it simply tells the agent to run the releaseguard CLI and documents optional cloud/keyless features — nothing requested appears disproportionate to the stated functionality.
目的
Name/description describe an artifact policy engine and the skill only requires the 'releaseguard' binary; required binaries and documented commands align with the stated purpose.
说明范围
SKILL.md confines runtime behavior to invoking the releaseguard CLI and documents which flags cause network calls. It does not instruct reading arbitrary system files or unrelated credentials. Note: the docs include optional install commands that pipe a GitHub-hosted install script into sh and suggest moving a binary to /usr/local/bin (uses sudo) — these are standard but should be reviewed before execution.
安装机制
There is no install spec in the registry (instruction-only). The README recommends Homebrew or GitHub Releases. The curl | sh pattern is included as an alternative but is flagged in-text to be reviewed first; direct binary/Release release tarball is also suggested. These install approaches are common, but piping remote scripts to sh and placing binaries in system dirs are higher-risk steps that the user should review carefully.
证书
The skill declares no required environment variables. The SKILL.md documents a small set of optional credentials (RELEASEGUARD_CLOUD_TOKEN for cloud obfuscation/SLSA features, OIDC token for keyless signing, or a local private key file for local signing). Those optional credentials are proportional and only needed for the corresponding cloud/keyless features.
持久
always is false and the skill is user-invocable. There is no indication the skill requests persistent system-wide privileges or modifies other skills' configurations.
综合结论
This skill is coherent with its description, but follow these precautions before installing or using it: - Prefer the Homebrew install or download a signed release; avoid running curl | sh without reviewing the install script first. - Be explicit about when you use cloud/keyless modes: RELEASEGUARD_CLOUD_TOKEN and OIDC-based keyless signing will cause network calls and may send artifact data to the vendor/cloud; only provide those credentials …
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「ReleaseGuard」。简介:Scan, harden, sign, and verify release artifacts with ReleaseGuard — the artifa…。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/asiridalugoda/releaseguard/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
---
name: releaseguard
description: Scan, harden, sign, and verify release artifacts with ReleaseGuard — the artifact policy engine for dist/ and release/ outputs.
homepage: https://github.com/Helixar-AI/ReleaseGuard
user-invocable: true
metadata: {"openclaw":{"requires":{"bins":["releaseguard"],"env":[]}}}
---
# ReleaseGuard Skill
ReleaseGuard is an artifact policy engine. Use it to scan build outputs for secrets, misconfigurations, and supply-chain risks; harden and fix them; generate SBOMs; sign artifacts; and verify release integrity.
## Install ReleaseGuard
**Preferred — Homebrew (macOS / Linux, no remote script execution):**
```bash
brew install Helixar-AI/tap/releaseguard
```
**Alternative — manual download from GitHub Releases (review before running):**
```bash
# 1. Review the install script before executing:
curl -sSfL https://raw.githubusercontent.com/Helixar-AI/ReleaseGuard/main/scripts/install.sh | less
# 2. If satisfied, run it:
curl -sSfL https://raw.githubusercontent.com/Helixar-AI/ReleaseGuard/main/scripts/install.sh | sh
```
**Alternative — direct binary download (no shell script):**
```bash
# Replace VERSION, OS, and ARCH as appropriate (linux/darwin, amd64/arm64)
curl -sSfL https://github.com/Helixar-AI/ReleaseGuard/releases/latest/download/releaseguard-VERSION-OS-ARCH.tar.gz
| tar -xz releaseguard
sudo mv releaseguard /usr/local/bin/releaseguard
```
> **Note:** The install script is MIT-licensed and open-source at
> https://github.com/Helixar-AI/ReleaseGuard/blob/main/scripts/install.sh
> Review it before executing in sensitive environments.
---
## External Services
Some commands interact with external services. This is documented per-command below. No data is sent externally unless you explicitly invoke the relevant flag or mode:
| Feature | External Service | Triggered by |
|---|---|---|
| CVE enrichment | OSV.dev (read-only, no auth) | `sbom --enrich-cve` or `vex` |
| Keyless signing | Sigstore / Fulcio (requires OIDC token) | `sign --mode keyless` |
| Cloud obfuscation | ReleaseGuard Cloud API | `obfuscate --level medium/aggressive` |
| SLSA Provenance L3 | ReleaseGuard Cloud API | Cloud plan only |
**Credentials:** Keyless signing requires an OIDC token (available in GitHub Actions, GitLab CI, etc.). Local signing requires a private key file you supply with `--key`. Cloud features require `RELEASEGUARD_CLOUD_TOKEN`. No credentials are used by default for `check`, `fix`, `sbom`, `pack`, `report`, or `verify`.
---
## Commands
### Check / Scan — `releaseguard check <path>`
Scan an artifact path and evaluate the release policy. **No external network calls.**
**Trigger phrases:** "scan", "check", "audit", "analyze release", "inspect dist", "any secrets", "find vulnerabilities"
```bash
releaseguard check <path>
releaseguard check <path> --format json
releaseguard check <path> --format sarif --out results.sarif
releaseguard check <path> --format markdown --out report.md
```
- Default format: `cli` (human-readable)
- Other formats: `json`, `sarif`, `markdown`, `html`
- Exit code 0 = PASS, non-zero = FAIL
---
### Fix — `releaseguard fix <path>`
Apply safe, deterministic hardening transforms. **No external network calls.**
**Trigger phrases:** "fix", "harden", "apply fixes", "remediate", "auto-fix release"
```bash
releaseguard fix <path>
releaseguard fix <path> --dry-run # preview without applying
```
---
### SBOM — `releaseguard sbom <path>`
Generate a Software Bill of Materials.
**Trigger phrases:** "sbom", "software bill of materials", "dependencies", "generate bom"
```bash
releaseguard sbom <path> # no network calls
releaseguard sbom <path> --format spdx
releaseguard sbom <path> --enrich-cve # fetches CVE data from OSV.dev (read-only)
```
- Default format: `cyclonedx`
- `--enrich-cve` makes read-only requests to OSV.dev; no credentials required
---
### Obfuscate — `releaseguard obfuscate <path>`
Apply obfuscation to release artifacts.
**Trigger phrases:** "obfuscate", "strip symbols", "protect binary"
```bash
releaseguard obfuscate <path> --level light # OSS — no network calls
releaseguard obfuscate <path> --level medium # requires RELEASEGUARD_CLOUD_TOKEN
releaseguard obfuscate <path> --dry-run
```
Levels:
- `none` / `light` — local, no external calls (OSS)
- `medium` / `aggressive` — calls ReleaseGuard Cloud API; requires `RELEASEGUARD_CLOUD_TOKEN`
---
### Harden — `releaseguard harden <path>`
Full hardening pipeline: fix + obfuscate + DRM injection.
**Trigger phrases:** "full harden", "harden release", "full hardening pipeline"
```bash
releaseguard harden <path> --obfuscation light # no network calls
releaseguard harden <path> --obfuscation medium # requires RELEASEGUARD_CLOUD_TOKEN
releaseguard harden <path> --dry-run
```
---
### Pack — `releaseguard pack <path>`
Package an artifact into a canonical archive. **No external network calls.**
**Trigger phrases:** "pack", "package artifact", "create archive"
```bash
releaseguard pack <path> --out release.tar.gz
releaseguard pack <path> --out release.zip --format zip
```
---
### Sign — `releaseguard sign <artifact>`
Sign an artifact and its evidence bundle.
**Trigger phrases:** "sign", "cosign", "keyless sign", "sign artifact"
```bash
# Keyless (Sigstore/Fulcio) — requires OIDC token; use in CI environments
releaseguard sign <artifact> --mode keyless
# Local signing — no external calls; requires private key file
releaseguard sign <artifact> --mode local --key signing.key
```
- `keyless` mode contacts Sigstore's Fulcio CA and Rekor transparency log
- `local` mode is fully offline; key stays on disk
---
### Attest — `releaseguard attest <artifact>`
Emit in-toto and SLSA provenance attestations.
**Trigger phrases:** "attest", "provenance", "slsa", "in-toto"
```bash
releaseguard attest <artifact>
```
---
### Verify — `releaseguard verify <artifact>`
Verify artifact signatures and policy compliance. **No credentials required for verification.**
**Trigger phrases:** "verify", "check signature", "validate artifact"
```bash
releaseguard verify <artifact>
```
---
### Report — `releaseguard report <path>`
Export a scan report. **No external network calls.**
**Trigger phrases:** "report", "export report", "compliance report"
```bash
releaseguard report <path> --format sarif --out results.sarif
releaseguard report <path> --format html --out report.html
```
---
### VEX — `releaseguard vex <path>`
Enrich SBOM with VEX vulnerability data. **Makes read-only requests to OSV.dev.**
**Trigger phrases:** "vex", "vulnerability data", "enrich sbom"
```bash
releaseguard vex <path> --sbom .releaseguard/sbom.cdx.json --out vex.json
```
---
## Typical Workflows
### Quick scan (no network, no credentials)
```bash
releaseguard check ./dist
```
### Full pipeline (CI with keyless signing)
```bash
releaseguard check ./dist
releaseguard fix ./dist
releaseguard sbom ./dist
releaseguard pack ./dist --out release.tar.gz
releaseguard sign release.tar.gz --mode keyless # OIDC token required
releaseguard attest release.tar.gz
releaseguard verify release.tar.gz
```
### Offline pipeline (no network, local key)
```bash
releaseguard check ./dist
releaseguard fix ./dist
releaseguard sbom ./dist
releaseguard pack ./dist --out release.tar.gz
releaseguard sign release.tar.gz --mode local --key signing.key
```
---
## Configuration
```bash
releaseguard init # creates .releaseguard.yml
```
```yaml
# .releaseguard.yml
version: 2
scanning:
exclude_paths:
- test/fixtures
policy:
fail_on: [critical, high]
```