Dev (#253)
* docs: restructure README.md — 2,539 → 209 lines (#247) - Cut from 2,539 lines / 73 sections to 209 lines / 18 sections - Consolidated 4 install methods into one unified section - Moved all skill details to domain-level READMEs (linked from table) - Front-loaded value prop and keywords for SEO - Added POWERFUL tier highlight section - Added skill-security-auditor showcase section - Removed stale Q4 2025 roadmap, outdated ROI claims, duplicate content - Fixed all internal links - Clean heading hierarchy (H2 for main sections only) Closes #233 Co-authored-by: Leo <leo@openclaw.ai> * fix: enhance 5 skills with scripts, references, and Anthropic best practices (#248) * fix(skill): enhance git-worktree-manager with scripts, references, and Anthropic best practices * fix(skill): enhance mcp-server-builder with scripts, references, and Anthropic best practices * fix(skill): enhance changelog-generator with scripts, references, and Anthropic best practices * fix(skill): enhance ci-cd-pipeline-builder with scripts, references, and Anthropic best practices * fix(skill): enhance prompt-engineer-toolkit with scripts, references, and Anthropic best practices * docs: update README, CHANGELOG, and plugin metadata * fix: correct marketing plugin count, expand thin references --------- Co-authored-by: Leo <leo@openclaw.ai> * ci: Add VirusTotal security scan for skills (#252) * Dev (#231) * Improve senior-fullstack skill description and workflow validation - Expand frontmatter description with concrete actions and trigger clauses - Add validation steps to scaffolding workflow (verify scaffold succeeded) - Add re-run verification step to audit workflow (confirm P0 fixes) * chore: sync codex skills symlinks [automated] * fix(skill): normalize senior-fullstack frontmatter to inline format Normalize YAML description from block scalar (>) to inline single-line format matching all other 50+ skills. Align frontmatter trigger phrases with the body's Trigger Phrases section to eliminate duplication. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(ci): add GITHUB_TOKEN to checkout + restore corrupted skill descriptions - Add token: ${{ secrets.GITHUB_TOKEN }} to actions/checkout@v4 in sync-codex-skills.yml so git-auto-commit-action can push back to branch (fixes: fatal: could not read Username, exit 128) - Restore correct description for incident-commander (was: 'Skill from engineering-team') - Restore correct description for senior-fullstack (was: '>') * fix(ci): pass PROJECTS_TOKEN to fix automated commits + remove duplicate checkout Fixes PROJECTS_TOKEN passthrough for git-auto-commit-action and removes duplicate checkout step in pr-issue-auto-close workflow. * fix(ci): remove stray merge conflict marker in sync-codex-skills.yml (#221) Co-authored-by: Leo <leo@leo-agent-server> * fix(ci): fix workflow errors + add OpenClaw support (#222) * feat: add 20 new practical skills for professional Claude Code users New skills across 5 categories: Engineering (12): - git-worktree-manager: Parallel dev with port isolation & env sync - ci-cd-pipeline-builder: Generate GitHub Actions/GitLab CI from stack analysis - mcp-server-builder: Build MCP servers from OpenAPI specs - changelog-generator: Conventional commits to structured changelogs - pr-review-expert: Blast radius analysis & security scan for PRs - api-test-suite-builder: Auto-generate test suites from API routes - env-secrets-manager: .env management, leak detection, rotation workflows - database-schema-designer: Requirements to migrations & types - codebase-onboarding: Auto-generate onboarding docs from codebase - performance-profiler: Node/Python/Go profiling & optimization - runbook-generator: Operational runbooks from codebase analysis - monorepo-navigator: Turborepo/Nx/pnpm workspace management Engineering Team (2): - stripe-integration-expert: Subscriptions, webhooks, billing patterns - email-template-builder: React Email/MJML transactional email systems Product Team (3): - saas-scaffolder: Full SaaS project generation from product brief - landing-page-generator: High-converting landing pages with copy frameworks - competitive-teardown: Structured competitive product analysis Business Growth (1): - contract-and-proposal-writer: Contracts, SOWs, NDAs per jurisdiction Marketing (1): - prompt-engineer-toolkit: Systematic prompt development & A/B testing Designed for daily professional use and commercial distribution. * chore: sync codex skills symlinks [automated] * docs: update README with 20 new skills, counts 65→86, new skills section * docs: add commercial distribution plan (Stan Store + Gumroad) * docs: rewrite CHANGELOG.md with v2.0.0 release (65 skills, 9 domains) (#226) * docs: rewrite CHANGELOG.md with v2.0.0 release (65 skills, 9 domains) - Consolidate 191 commits since v1.0.2 into proper v2.0.0 entry - Document 12 POWERFUL-tier skills, 37 refactored skills - Add new domains: business-growth, finance - Document Codex support and marketplace integration - Update version history summary table - Clean up [Unreleased] to only planned work * docs: add 24 POWERFUL-tier skills to plugin, fix counts to 85 across all docs - Add engineering-advanced-skills plugin (24 POWERFUL-tier skills) to marketplace.json - Add 13 missing skills to CHANGELOG v2.0.0 (agent-workflow-designer, api-test-suite-builder, changelog-generator, ci-cd-pipeline-builder, codebase-onboarding, database-schema-designer, env-secrets-manager, git-worktree-manager, mcp-server-builder, monorepo-navigator, performance-profiler, pr-review-expert, runbook-generator) - Fix skill count: 86→85 (excl sample-skill) across README, CHANGELOG, marketplace.json - Fix stale 53→85 references in README - Add engineering-advanced-skills install command to README - Update marketplace.json version to 2.0.0 --------- Co-authored-by: Leo <leo@openclaw.ai> * feat: add skill-security-auditor POWERFUL-tier skill (#230) Security audit and vulnerability scanner for AI agent skills before installation. Scans for: - Code execution risks (eval, exec, os.system, subprocess shell injection) - Data exfiltration (outbound HTTP, credential harvesting, env var extraction) - Prompt injection in SKILL.md (system override, role hijack, safety bypass) - Dependency supply chain (typosquatting, unpinned versions, runtime installs) - File system abuse (boundary violations, binaries, symlinks, hidden files) - Privilege escalation (sudo, SUID, cron manipulation, shell config writes) - Obfuscation (base64, hex encoding, chr chains, codecs) Produces clear PASS/WARN/FAIL verdict with per-finding remediation guidance. Supports local dirs, git repo URLs, JSON output, strict mode, and CI/CD integration. Includes: - scripts/skill_security_auditor.py (1049 lines, zero dependencies) - references/threat-model.md (complete attack vector documentation) - SKILL.md with usage guide and report format Tested against: rag-architect (PASS), agent-designer (PASS), senior-secops (FAIL - correctly flagged eval/exec patterns). Co-authored-by: Leo <leo@openclaw.ai> * docs: add skill-security-auditor to marketplace, README, and CHANGELOG - Add standalone plugin entry for skill-security-auditor in marketplace.json - Update engineering-advanced-skills plugin description to include it - Update skill counts: 85→86 across README, CHANGELOG, marketplace - Add install command to README Quick Install section - Add to CHANGELOG [Unreleased] section --------- Co-authored-by: Baptiste Fernandez <fernandez.baptiste1@gmail.com> Co-authored-by: alirezarezvani <5697919+alirezarezvani@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Leo <leo@leo-agent-server> Co-authored-by: Leo <leo@openclaw.ai> * Dev (#249) * docs: restructure README.md — 2,539 → 209 lines (#247) - Cut from 2,539 lines / 73 sections to 209 lines / 18 sections - Consolidated 4 install methods into one unified section - Moved all skill details to domain-level READMEs (linked from table) - Front-loaded value prop and keywords for SEO - Added POWERFUL tier highlight section - Added skill-security-auditor showcase section - Removed stale Q4 2025 roadmap, outdated ROI claims, duplicate content - Fixed all internal links - Clean heading hierarchy (H2 for main sections only) Closes #233 Co-authored-by: Leo <leo@openclaw.ai> * fix: enhance 5 skills with scripts, references, and Anthropic best practices (#248) * fix(skill): enhance git-worktree-manager with scripts, references, and Anthropic best practices * fix(skill): enhance mcp-server-builder with scripts, references, and Anthropic best practices * fix(skill): enhance changelog-generator with scripts, references, and Anthropic best practices * fix(skill): enhance ci-cd-pipeline-builder with scripts, references, and Anthropic best practices * fix(skill): enhance prompt-engineer-toolkit with scripts, references, and Anthropic best practices * docs: update README, CHANGELOG, and plugin metadata * fix: correct marketing plugin count, expand thin references --------- Co-authored-by: Leo <leo@openclaw.ai> --------- Co-authored-by: Leo <leo@openclaw.ai> * Dev (#250) * docs: restructure README.md — 2,539 → 209 lines (#247) - Cut from 2,539 lines / 73 sections to 209 lines / 18 sections - Consolidated 4 install methods into one unified section - Moved all skill details to domain-level READMEs (linked from table) - Front-loaded value prop and keywords for SEO - Added POWERFUL tier highlight section - Added skill-security-auditor showcase section - Removed stale Q4 2025 roadmap, outdated ROI claims, duplicate content - Fixed all internal links - Clean heading hierarchy (H2 for main sections only) Closes #233 Co-authored-by: Leo <leo@openclaw.ai> * fix: enhance 5 skills with scripts, references, and Anthropic best practices (#248) * fix(skill): enhance git-worktree-manager with scripts, references, and Anthropic best practices * fix(skill): enhance mcp-server-builder with scripts, references, and Anthropic best practices * fix(skill): enhance changelog-generator with scripts, references, and Anthropic best practices * fix(skill): enhance ci-cd-pipeline-builder with scripts, references, and Anthropic best practices * fix(skill): enhance prompt-engineer-toolkit with scripts, references, and Anthropic best practices * docs: update README, CHANGELOG, and plugin metadata * fix: correct marketing plugin count, expand thin references --------- Co-authored-by: Leo <leo@openclaw.ai> --------- Co-authored-by: Leo <leo@openclaw.ai> * ci: add VirusTotal security scan for skills - Scans changed skill directories on PRs to dev/main - Scans all skills on release publish - Posts scan results as PR comment with analysis links - Rate-limited to 4 req/min (free tier compatible) - Appends VirusTotal links to release body on publish * fix: resolve YAML lint errors in virustotal workflow - Add document start marker (---) - Quote 'on' key for truthy lint rule - Remove trailing spaces - Break long lines under 160 char limit --------- Co-authored-by: Baptiste Fernandez <fernandez.baptiste1@gmail.com> Co-authored-by: alirezarezvani <5697919+alirezarezvani@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Leo <leo@leo-agent-server> Co-authored-by: Leo <leo@openclaw.ai> --------- Co-authored-by: Leo <leo@openclaw.ai> Co-authored-by: Baptiste Fernandez <fernandez.baptiste1@gmail.com> Co-authored-by: alirezarezvani <5697919+alirezarezvani@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Leo <leo@leo-agent-server>
This commit is contained in:
Alireza Rezvani
GitHub
159
.github/workflows/virustotal-scan.yml
vendored
Normal file
159
.github/workflows/virustotal-scan.yml
vendored
Normal file
@@ -0,0 +1,159 @@
|
||||
---
|
||||
name: VirusTotal Security Scan
|
||||
|
||||
"on":
|
||||
pull_request:
|
||||
branches: [dev, main]
|
||||
release:
|
||||
types: [published]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
pull-requests: write
|
||||
|
||||
jobs:
|
||||
scan-skills:
|
||||
name: Scan Skills with VirusTotal
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: write
|
||||
pull-requests: write
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Package changed skills (PR)
|
||||
if: github.event_name == 'pull_request'
|
||||
run: |
|
||||
mkdir -p /tmp/vt-scan
|
||||
|
||||
CHANGED=$(git diff --name-only \
|
||||
${{ github.event.pull_request.base.sha }} \
|
||||
${{ github.sha }} \
|
||||
| grep -E '\.(js|ts|py|sh|json|yml|yaml|md|mjs|cjs)$' || true)
|
||||
|
||||
if [ -z "$CHANGED" ]; then
|
||||
echo "No scannable files changed"
|
||||
echo "SKIP_SCAN=true" >> "$GITHUB_ENV"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
SKILL_DIRS=$(echo "$CHANGED" \
|
||||
| grep -oP '^[^/]+/[^/]+' | sort -u || true)
|
||||
|
||||
if [ -z "$SKILL_DIRS" ]; then
|
||||
for f in $CHANGED; do
|
||||
if [ -f "$f" ]; then
|
||||
cp "$f" "/tmp/vt-scan/"
|
||||
fi
|
||||
done
|
||||
else
|
||||
for dir in $SKILL_DIRS; do
|
||||
if [ -d "$dir" ]; then
|
||||
dirname=$(echo "$dir" | tr '/' '-')
|
||||
zip -r "/tmp/vt-scan/${dirname}.zip" "$dir" \
|
||||
-x "*/node_modules/*" "*/.git/*"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
ROOT_FILES=$(echo "$CHANGED" | grep -v '/' || true)
|
||||
if [ -n "$ROOT_FILES" ]; then
|
||||
for f in $ROOT_FILES; do
|
||||
if [ -f "$f" ]; then
|
||||
cp "$f" "/tmp/vt-scan/"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
echo "Files to scan:"
|
||||
ls -la /tmp/vt-scan/
|
||||
|
||||
- name: Package all skills (Release)
|
||||
if: github.event_name == 'release'
|
||||
run: |
|
||||
mkdir -p /tmp/vt-scan
|
||||
|
||||
for dir in */; do
|
||||
if [ -d "$dir" ] && [ "$dir" != ".github/" ] \
|
||||
&& [ "$dir" != "node_modules/" ]; then
|
||||
dirname=$(echo "$dir" | tr -d '/')
|
||||
zip -r "/tmp/vt-scan/${dirname}.zip" "$dir" \
|
||||
-x "*/node_modules/*" "*/.git/*"
|
||||
fi
|
||||
done
|
||||
|
||||
echo "Files to scan:"
|
||||
ls -la /tmp/vt-scan/
|
||||
|
||||
- name: VirusTotal Scan
|
||||
if: env.SKIP_SCAN != 'true'
|
||||
uses: crazy-max/ghaction-virustotal@v5
|
||||
id: vt-scan
|
||||
with:
|
||||
vt_api_key: ${{ secrets.VT_API_KEY }}
|
||||
files: |
|
||||
/tmp/vt-scan/*
|
||||
request_rate: 4
|
||||
update_release_body: ${{ github.event_name == 'release' }}
|
||||
github_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: Parse scan results
|
||||
if: env.SKIP_SCAN != 'true'
|
||||
run: |
|
||||
echo "## VirusTotal Scan Results" >> "$GITHUB_STEP_SUMMARY"
|
||||
echo "" >> "$GITHUB_STEP_SUMMARY"
|
||||
|
||||
ANALYSIS="${{ steps.vt-scan.outputs.analysis }}"
|
||||
|
||||
if [ -z "$ANALYSIS" ]; then
|
||||
echo "No analysis results returned" >> "$GITHUB_STEP_SUMMARY"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo "| File | VirusTotal Analysis |" >> "$GITHUB_STEP_SUMMARY"
|
||||
echo "|------|-------------------|" >> "$GITHUB_STEP_SUMMARY"
|
||||
|
||||
IFS=',' read -ra RESULTS <<< "$ANALYSIS"
|
||||
for result in "${RESULTS[@]}"; do
|
||||
FILE=$(echo "$result" | cut -d'=' -f1)
|
||||
URL=$(echo "$result" | cut -d'=' -f2-)
|
||||
echo "| \`$(basename "$FILE")\` | [Report]($URL) |" \
|
||||
>> "$GITHUB_STEP_SUMMARY"
|
||||
done
|
||||
|
||||
echo "" >> "$GITHUB_STEP_SUMMARY"
|
||||
echo "All files scanned with 70+ AV engines" \
|
||||
>> "$GITHUB_STEP_SUMMARY"
|
||||
|
||||
- name: Comment on PR
|
||||
if: github.event_name == 'pull_request' && env.SKIP_SCAN != 'true'
|
||||
uses: actions/github-script@v7
|
||||
with:
|
||||
script: |
|
||||
const analysis = '${{ steps.vt-scan.outputs.analysis }}';
|
||||
if (!analysis) return;
|
||||
const results = analysis.split(',').map(r => {
|
||||
const [file, ...urlParts] = r.split('=');
|
||||
const url = urlParts.join('=');
|
||||
return `| \`${file.split('/').pop()}\` | [Report](${url}) |`;
|
||||
});
|
||||
const body = [
|
||||
'## 🛡️ VirusTotal Security Scan',
|
||||
'',
|
||||
'| File | Analysis |',
|
||||
'|------|----------|',
|
||||
...results,
|
||||
'',
|
||||
'Scanned with 70+ antivirus engines',
|
||||
'',
|
||||
'_Automated by [ghaction-virustotal](https://github.com/crazy-max/ghaction-virustotal)_'
|
||||
].join('\n');
|
||||
await github.rest.issues.createComment({
|
||||
owner: context.repo.owner,
|
||||
repo: context.repo.repo,
|
||||
issue_number: context.issue.number,
|
||||
body
|
||||
});
|
||||
Reference in New Issue
Block a user