cryptocana

Build Transparency Dashboard

Author: Novaiok · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
434 total downloads · 0 favorites · 0 current installs · 1 version

Install in OpenClaw:
/install build-transparency-dashboard
Description
Automatically update a public dashboard with commit count, last commit, and timestamps from a private GitHub repo for transparent project progress.
Usage (SKILL.md)

build-transparency-dashboard

Scaffold a live public "build dashboard" that automatically shows proof of work — commit count, last commit message, timestamp — pulled from a private GitHub repo and displayed on a public static site.

When to Use

Use this skill when you want to:

  • Show your community what you're shipping, updated automatically on every push
  • Build in public without exposing your private repo
  • Add a community ideas board to let people vote on what you build next
  • Create a polished /build page for your product or project

The Pattern

Private repo (your code)
  └── GitHub Actions: on push → runs update-status.js
        └── Writes status.json → commits to public site repo
              └── Public site fetches status.json every 60s → displays live stats

Result: every git push to your private repo automatically updates your public dashboard within minutes.

What's Included

build-transparency-dashboard/
├── SKILL.md                     ← this file
├── scripts/
│   ├── update-status.js         ← generates status.json from git log
│   └── ideas-api.js             ← Express routes for community ideas board
├── assets/
│   ├── build.html               ← dashboard page template
│   ├── nav.js                   ← shared nav renderer (configurable)
│   ├── nav.css                  ← nav styles
│   └── github-actions.yml       ← GitHub Actions workflow template
└── references/
    └── setup-guide.md           ← step-by-step setup instructions

Quick Setup

1. Variables to Customize

In assets/build.html, search for these TODOs:

TODO                  Replace With
YOUR_PROJECT_NAME     Your project's display name (e.g. MyApp)
YOUR_BORN_DATE        ISO date your project started (e.g. 2026-01-01T00:00:00-05:00)
YOUR_BRAND_COLOR      Hex color (default: #7c6eff)
YOUR_COIN_CA          Token contract address, or remove the coin section entirely
YOUR_IDEAS_API_URL    Base URL of your ideas API (e.g. https://myapp.fly.dev/public/ideas)
YOUR_TWITTER_HANDLE   Your @handle for the nav badge
YOUR_QUEUE_ITEMS      What you're building next (edit the queue section)

In assets/github-actions.yml, set these:

Variable          Description
SITE_REPO         Your public site repo (e.g. username/my-site)
SITE_REPO_PATH    Directory name for checkout (e.g. my-site)
BOT_NAME          Committer name (e.g. StatusBot)
BOT_EMAIL         Committer email

In assets/nav.js, edit the config object at the top:

const NAV_CONFIG = {
  brand: 'MYAPP',            // nav logo text
  links: [
    { href: '/', label: 'Home' },
    { href: '/build', label: 'The Build' },
  ],
  badge: { label: '@yourhandle ↗', href: 'https://x.com/yourhandle' },
};

2. GitHub Secret Required

Add to your private repo → Settings → Secrets and variables → Actions:

  • GH_PAT — Personal Access Token with repo scope (to push to the public site repo)

3. Deploy Your Public Site

The build.html file is a standalone static page. Deploy anywhere:

  • Fly.io: fly launch + fly deploy in your site repo
  • Netlify: drag & drop or connect repo
  • GitHub Pages: push to a gh-pages branch
  • Vercel: connect repo, zero config

4. Add the Ideas API (Optional)

The community ideas board requires a running API. Copy scripts/ideas-api.js into your backend app and mount the routes. It uses a flat JSON file for storage — no database needed.

Or skip it entirely: remove the coin/ideas section from build.html and it works as a pure static display.

5. Add the Workflow to Your Private Repo

Copy assets/github-actions.yml to .github/workflows/update-build-status.yml in your private repo. Push a commit — the workflow fires automatically.

status.json Shape

The workflow generates this file and commits it to your public site repo:

{
  "generatedAt": "2026-02-28T21:00:00Z",
  "version": "1.0.0",
  "project": {
    "name": "MyApp",
    "description": "Your project description.",
    "born": "2026-01-01T00:00:00-05:00",
    "status": "building",
    "statusText": "Online · Building"
  },
  "lastCommit": {
    "message": "feat: add dark mode",
    "time": "2026-02-28T20:55:00Z"
  },
  "commitsThisWeek": 12,
  "shipped": [],
  "queue": [],
  "ideas": []
}

Design System

The template uses:

  • Syne (display headings) + DM Sans (body) + DM Mono (mono/labels)
  • Dark theme — #050508 background, #7c6eff brand accent
  • Noise overlay, animated orbs, fixed ticker bar
  • Fully responsive (desktop → tablet → mobile)

Swap --nova / --nova2 CSS vars for your brand color.

See a Live Example

The pattern was built for novaiok-site.fly.dev/build. That's the reference implementation.

Files to Read Next

  • references/setup-guide.md — detailed step-by-step with commands
  • assets/build.html — the template (search TODOs)
  • assets/github-actions.yml — the workflow
Safe Usage Recommendations

What to check before installing / using this skill:

  • The registry metadata is incomplete: SKILL.md requires a GH_PAT (Personal Access Token) with 'repo' scope to push status.json to your public site, but the skill listing does not declare any required credential. Treat that as a red flag and ask the publisher to correct the metadata.
  • A GH_PAT with 'repo' scope can be powerful. Create a token with the smallest possible scope and access: ideally a token that only has permission to the single public site repo, or use a dedicated machine user or GitHub App that you can revoke or limit. Avoid using a personal account token that has access to many repos.
  • Understand exactly what will be published: commit messages and timestamps from your private repo are intentionally exported to the public status.json. If you have sensitive commit messages (secrets, internal references), do not enable this workflow until you sanitize history or filter what is published.
  • Consider alternatives that reduce risk: instead of giving a PAT that can access multiple repos, run a workflow in the public repo that pulls sanitized metadata from the private repo via a more controlled channel (e.g., repository_dispatch with a limited token), or use a GitHub App with fine-grained permissions.
  • The included ideas API defaults to CORS_ORIGIN='*' and stores ideas in a local JSON file. If you host that API, set CORS_ORIGIN to your site origin (not '*'), and review input handling/limits (the API is simple and has no auth). Consider abuse (spam voting) and add rate limits or moderation if needed.
  • Verify the owner/source: the skill's source/homepage are unknown. Prefer code from publishers you trust, and if you proceed, inspect the included scripts (update-status.js and ideas-api.js) yourself. The files in this package appear to implement the documented behavior, but the metadata omission reduces confidence.
  • Operational hygiene: rotate the GH_PAT if compromised, limit its scope, and monitor actions performed by the bot account. If unsure about token permissions or the anonymous publisher, do not install until those questions are resolved.
Functional Analysis

Type: OpenClaw Skill
Name: build-transparency-dashboard
Version: 1.0.0

The skill bundle contains multiple critical vulnerabilities. `scripts/ideas-api.js` and `scripts/update-status.js` are vulnerable to path traversal due to direct use of unsanitized environment variables (`IDEAS_FILE`, `SITE_REPO_PATH`) in `path.join` for file operations, potentially allowing arbitrary file read/write on the server or CI/CD runner. `assets/build.html` is vulnerable to XSS as `PROJECT_NAME`, `PROJECT_DESC`, `PROJECT_BORN`, and `statusText` from `status.json` are directly inserted into the DOM without HTML escaping. The GitHub Actions workflow (`assets/github-actions.yml`) is vulnerable to shell injection via `BOT_NAME` and `BOT_EMAIL` environment variables in `git config` commands. These vulnerabilities could be exploited if an attacker can control the environment variables, for example, through prompt injection against an agent generating the workflow or a compromised CI/CD environment.
Capability Assessment
Purpose & Capability
The described purpose (export commit count/last commit/timestamps from a private GitHub repo to a public site) matches the included code (scripts/update-status.js, assets/github-actions.yml) and the instructions. However the skill package metadata states no required environment variables or primary credential, while SKILL.md and the workflow clearly require a GH_PAT (Personal Access Token with repo scope) to push status.json to the public site repo. That metadata omission is an incoherence and a meaningful security/permission concern.
Instruction Scope
The runtime instructions stay within the stated purpose: add a GitHub Actions workflow in the private repo that reads git logs and commits status.json into a public site repo, and optionally run an ideas API. They explicitly instruct creating a GH_PAT secret. Important behaviors to note: the workflow and update-status.js read private repo git history (commit messages and timestamps) and publish that data to a public repo (this is the intended effect but is sensitive), and the ideas API defaults to CORS_ORIGIN='*' (public). The instructions do not contain extraneous exfiltration endpoints or hidden network calls beyond the push to the public site and optional Fly deploy.
Install Mechanism
There is no install spec — this is an instruction-and-code bundle. No downloads or third-party installers; included scripts and static assets are provided in the skill. That minimizes installer risk. The workflow runs Node and shell commands in GitHub Actions (expected).
Credentials
The skill requires a GH_PAT with 'repo' scope (documented in SKILL.md and github-actions.yml) but the registry metadata declared 'Required env vars: none' and 'Primary credential: none'. This mismatch is important: a PAT with repository write access is a high-privilege secret and should be declared. The PAT scope requested ('repo') can be broader than necessary depending on how the token is created — the skill should advise using the least-privilege method (e.g., a machine account / GitHub App / repository-limited token) and document exactly which repositories the token will access. The optional FLY_API_TOKEN is also noted in the workflow and should be declared if used.
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistent privileges. It writes only to the public site repo (status.json) and the ideas API writes a local JSON file for persisted ideas. It does not modify other skills or system-wide settings. Autonomous invocation is allowed by default (normal for skills) but is not combined with other elevated privileges here.
How to Use
  1. Make sure OpenClaw is installed (locally or as a Docker deployment)
  2. Enter the install command in the chat box: /install build-transparency-dashboard
  3. After installation, call the skill by name directly or trigger it with /build-transparency-dashboard
  4. Provide the required input according to the skill's parameter description to receive structured output
Version History
v1.0.0
Live public build dashboard — GitHub Actions auto-updates stats from private repo, community ideas board, shipped log, live clock. Drop-in for any builder.
Metadata
Slug build-transparency-dashboard
Version 1.0.0
License
Total installs 0
Current installs 0
Historical versions 1
FAQ

What is Build Transparency Dashboard?

Automatically update a public dashboard with commit count, last commit, and timestamps from a private GitHub repo for transparent project progress. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 434 downloads to date.

How do I install Build Transparency Dashboard?

Run the command "/install build-transparency-dashboard" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Build Transparency Dashboard free?

Yes, Build Transparency Dashboard is completely free (open source) and can be freely downloaded, installed and used.

Which platforms does Build Transparency Dashboard support?

Build Transparency Dashboard runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Build Transparency Dashboard?

Developed and maintained by Novaiok (@cryptocana); the current version is v1.0.0.
