← 返回 Skills 市场

Artifact Contract Auditor

Name: Artifact Contract Auditor
Author: willoscar

作者 WILLOSCAR · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ✓ 安全检测通过

146

总下载

当前安装

版本数

在 OpenClaw 中安装

/install artifact-contract-auditor

功能描述

Audit the workspace against the pipeline artifact contract (DONE outputs + pipeline target_artifacts). Writes `output/CONTRACT_REPORT.md`. **Trigger**: contr...

使用说明 (SKILL.md)

Artifact Contract Auditor

Purpose: make each workspace auditable and shareable.

This skill checks two contracts:

Units contract: if a unit is marked DONE, its required outputs must exist.
Pipeline contract: the pipeline’s target_artifacts (from the pipeline spec referenced by PIPELINE.lock.md) should exist for a complete run.

It always writes a report so workspaces can serve as regression baselines.

Inputs

UNITS.csv
PIPELINE.lock.md
Pipeline spec referenced by PIPELINE.lock.md (under pipelines/*.pipeline.md; reads YAML target_artifacts)

Outputs

output/CONTRACT_REPORT.md

Workflow (analysis-only)

Read UNITS.csv and validate DONE outputs

For every unit with status=DONE, verify each required output exists.
Outputs prefixed with ? are treated as optional and do not fail the contract.

Read PIPELINE.lock.md and validate pipeline target artifacts

Resolve the pipeline spec under pipelines/*.pipeline.md and load target_artifacts from its YAML front matter.
Resolve the pipeline spec path and load target_artifacts from its YAML front matter.
If the pipeline is complete (all units are DONE/SKIP), verify each required target_artifacts file exists.

Write output/CONTRACT_REPORT.md (always)

Include missing DONE outputs (unit-level drift) and missing pipeline targets (pipeline-level completeness drift).

Status semantics

PASS: pipeline complete (all units DONE/SKIP) AND all required target artifacts exist AND no DONE unit is missing required outputs.
OK: pipeline incomplete (still running) BUT DONE unit outputs are consistent; missing targets are expected.
FAIL: at least one DONE unit is missing required outputs OR pipeline is complete but required target artifacts are missing.

How to use this report (self-loop routing)

If DONE outputs are missing: fix the contract drift (regenerate the missing artifacts, or revert the unit status to TODO/BLOCKED).
If the pipeline is complete but target artifacts are missing: find which unit/skill owns each missing artifact and rerun that unit.

Script

Quick Start

python scripts/run.py --workspace workspaces/\x3Cws>

All Options

--workspace \x3Cdir>
--unit-id \x3CU###> (optional)
--inputs \x3Csemicolon-separated> (unused; runner compatibility)
--outputs \x3Csemicolon-separated> (unused; runner compatibility)
--checkpoint \x3CC#> (optional)

Examples

End-of-run audit (recommended before sharing a workspace):
- python scripts/run.py --workspace workspaces/\x3Cws>

安全使用建议

This skill appears to do exactly what it says: offline auditing of UNITS.csv and pipeline target_artifacts and writing output/CONTRACT_REPORT.md. Before running it, inspect the workspace's PIPELINE.lock.md (it controls which pipeline spec path is loaded) and ensure it doesn't point to unexpected absolute paths you don't want the auditor to read. Run the script in an isolated or non-sensitive workspace if you are worried about accidental disclosure of local files. If you need stronger guarantees, review the bundled tooling/*.py files (they are included) or run the script under a restricted user account or container.

功能分析

Type: OpenClaw Skill Name: artifact-contract-auditor Version: 1.0.0 The artifact-contract-auditor skill is a legitimate utility designed to audit workspace completeness by verifying the existence of required output files defined in pipeline specifications. The core logic in scripts/run.py and the extensive quality-checking routines in tooling/quality_gate.py perform file system checks and data validation (CSV, YAML, JSONL) aligned with the stated purpose. While tooling/executor.py utilizes subprocess.run to execute pipeline units, this is a standard component of the OpenClaw execution framework and shows no signs of intentional misuse or command injection. No evidence of data exfiltration, remote payload execution, or malicious prompt injection was found.

能力评估

✓ Purpose & Capability

Name/description match behavior: the script reads UNITS.csv and PIPELINE.lock.md, resolves a pipeline spec, checks for missing DONE outputs and pipeline target artifacts, and writes output/CONTRACT_REPORT.md. Declared requirements (python3/python) align with the provided Python scripts and modules. No unrelated credentials, binaries, or installs are requested.

ℹ Instruction Scope

SKILL.md restricts the skill to analysis-only and no network; the implementation matches that (reads workspace files and repo pipeline specs, writes the report and quality gate). One thing to note: the script resolves the pipeline path from the workspace's PIPELINE.lock.md and then uses Path(...).resolve() to load that file. If PIPELINE.lock.md points to an absolute path, the auditor will attempt to load that path — i.e., it will read whatever file path is specified. This is coherent for legitimate pipeline use, but it means the auditor can be directed to read arbitrary local files if the workspace's PIPELINE.lock.md is manipulated.

✓ Install Mechanism

No install spec (instruction-only) and bundled Python code is executed directly; no downloads or external installers are used. This is the lowest-risk install model for bundled code, assuming the user trusts the packaged files.

✓ Credentials

The skill requests no environment variables or credentials. It only reads local workspace files and bundled pipeline specs. No secrets/external tokens are required or declared.

✓ Persistence & Privilege

always:false and normal model-invocation settings. The skill writes only workspace-local report files (output/CONTRACT_REPORT.md and may update output/QUALITY_GATE.md via the quality_gate helper). It does not modify other skills or global agent configuration.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install artifact-contract-auditor
安装完成后，直接呼叫该 Skill 的名称或使用 /artifact-contract-auditor 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Artifact Contract Auditor v0.1.0 - Initial release of the artifact-contract-auditor skill. - Audits workspaces for completeness by checking unit-level required outputs (in UNITS.csv) and pipeline-level target artifacts. - Generates an always-updated CONTRACT_REPORT.md detailing missing outputs or targets. - Analysis-only: does not modify content artifacts; only writes a report. - Useful for verifying workspace integrity before sharing or ending a run.

元数据

Slug artifact-contract-auditor

版本 1.0.0

许可证 MIT-0

累计安装 1

当前安装数 1

历史版本数 1

常见问题