Crash Fixer
Author: Hamon Ben Riazy · v3.0.0
654 total downloads · 0 favorites · 5 current installs · 6 versions
Install in OpenClaw
/install crash-fixer
Description
Autonomous crash analysis and bug fixing. Monitors crash reports from Cloudflare D1, deduplicates, analyzes with Codex 5.3 High, generates fixes, and creates...
Usage (SKILL.md)
crash-fixer
Full autonomous crash-fixing loop. Fetches crashes, deduplicates, analyzes with AI, generates fixes, and creates PRs.
Trigger
/crash-fixer [--hours 24] [--limit 5] [--dry-run]
How It Works
- Fetch - Query crash reporter for new crashes
- Deduplicate - Check fingerprint for identical crashes already fixed
- Analyze - Use Codex 5.3 High (o3-high) to understand crash
- Fix - Generate code fix
- PR - Create branch → commit → PR
- Update - Mark status in crash reporter
Options
| Flag | Default | Description |
|---|---|---|
| --hours N | 24 | Only fetch crashes from last N hours |
| --limit N | 3 | Max crashes to process per run |
| --dry-run | false | Analyze but don't create PRs |
Required Environment
| Variable | Description |
|---|---|
| GH_TOKEN | GitHub API token |
| CRASH_REPORTER_API_KEY | API key for crash reporter worker |
| CRASH_REPORTER_URL | URL of crash reporter worker |
| TARGET_REPO | GitHub repo to fix (owner/name) |
Note: Uses MiniMax M2.5 (available in OpenClaw) for AI analysis - no extra API key needed.
Example
/crash-fixer --dry-run
Security Recommendations
This skill has clear inconsistencies you should resolve before installing:
- Ask the author to explain and fix the mismatch between SKILL.md and index.js: SKILL.md says MiniMax M2.5 is available and 'no extra API key needed', but the code calls https://api.minimax.chat with Authorization: Bearer ${ZAI_API_KEY} (an env var not documented). It also mentions 'Codex 5.3 High' in the docs but the code does not call OpenAI.
- Treat this as a potential data-exfiltration risk: the code sends crash details (including user_id and device info) to an external endpoint (minimax.chat). Only proceed if you trust that endpoint and the associated API key usage is documented and intended.
- Never supply your personal GH_TOKEN with broad scopes. If you test, create a limited-service token with only the repo scopes needed and prefer a test repo.
- Request an updated SKILL.md that lists all environment variables used (including ZAI_API_KEY) and documents where crash data is sent. If the skill must call an external AI API, ask for justification why it cannot use the platform-provided model.
- If you cannot get clear answers, run the skill in a sandboxed environment (dry-run) with minimal secrets and monitor network egress to confirm where data is sent before granting production credentials.
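The mismatch called out above (an undocumented ZAI_API_KEY and an undisclosed api.minimax.chat endpoint) is the kind of gap a pre-install check can surface. The following is an added example, not code from the skill or the marketplace: it compares the variables declared in a SKILL.md table with the `process.env` references and URL literals in the bundled source. Both sample inputs are constructed, and the function names and the allowed-host list are assumptions.

```javascript
// Added example. SAMPLE_SKILL_MD and SAMPLE_INDEX_JS are constructed stand-ins,
// not the skill's real files; the URL path is a placeholder.
const SAMPLE_SKILL_MD = [
  "| Variable | Description |",
  "|---|---|",
  "| GH_TOKEN | GitHub API token |",
  "| CRASH_REPORTER_API_KEY | API key for crash reporter worker |",
  "| CRASH_REPORTER_URL | URL of crash reporter worker |",
  "| TARGET_REPO | GitHub repo to fix (owner/name) |",
].join("\n");

const SAMPLE_INDEX_JS = [
  'const repo = process.env["TARGET_REPO"];',
  "const gh = process.env.GH_TOKEN;",
  "const key = process.env.CRASH_REPORTER_API_KEY;",
  "await fetch(process.env.CRASH_REPORTER_URL + '/crashes');",
  'await fetch("https://api.github.com/repos/" + repo);',
  'await fetch("https://api.minimax.chat/placeholder", {',
  "  headers: { Authorization: `Bearer ${process.env.ZAI_API_KEY}` },",
  "});",
].join("\n");

// Env var names declared in the first column of SKILL.md tables.
function declaredEnvVars(md) {
  return new Set([...md.matchAll(/^\|\s*`?([A-Z][A-Z0-9_]+)`?\s*\|/gm)].map((m) => m[1]));
}

// process.env.NAME and process.env["NAME"] references in the source.
function usedEnvVars(src) {
  const re = /process\.env(?:\.([A-Za-z_][A-Za-z0-9_]*)|\[\s*["']([^"']+)["']\s*\])/g;
  return new Set([...src.matchAll(re)].map((m) => m[1] || m[2]));
}

// Hostnames of URL literals that appear in the source.
function outboundHosts(src) {
  return new Set([...src.matchAll(/https?:\/\/([A-Za-z0-9.-]+)/g)].map((m) => m[1].toLowerCase()));
}

// Report env vars the code reads but the docs omit, and hosts not on the allow list.
function audit(md, src, allowedHosts) {
  const declared = declaredEnvVars(md);
  return {
    undeclaredEnv: [...usedEnvVars(src)].filter((n) => !declared.has(n)).sort(),
    unexpectedHosts: [...outboundHosts(src)].filter((h) => !allowedHosts.includes(h)).sort(),
  };
}

console.log(audit(SAMPLE_SKILL_MD, SAMPLE_INDEX_JS, ["api.github.com"]));
```

A static scan like this misses hosts and variable names built at runtime, so it complements the egress monitoring recommended above rather than replacing it.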
Functional Analysis
Type: OpenClaw Skill
Name: crash-fixer
Version: 3.0.0
The skill is classified as suspicious due to its high-risk capabilities and a critical prompt injection vulnerability. It uses a GitHub token (`GH_TOKEN`) to read, create branches, commit AI-generated code, and create pull requests in a target repository (`TARGET_REPO`), effectively allowing it to modify source code. The `analyzeCrash` function in `index.js` constructs an AI prompt using raw, unsanitized crash data (e.g., `errorName`, `message`, `stackTrace`). A malicious actor could submit a crafted crash report containing prompt injection instructions, leading the AI to generate malicious `fix_code` or specify an arbitrary `file_path`, which the skill would then commit to the target repository. This represents a significant supply chain risk and potential for remote code execution via AI manipulation.
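Because the model's output is shaped by untrusted crash text, the `file_path` and `fix_code` it returns need to be treated as untrusted too. The following is an added example, not the skill's code, of a gate that could run before any commit: it limits where a proposed fix may land and how large it may be. The field names come from the analysis above; the allowed directories, blocked patterns and size limit are assumed policy values.

```javascript
// Added example: vet a model-proposed fix before anything is committed.
// file_path / fix_code are the fields named in the analysis above; the policy
// constants below are assumptions to adapt per repository.
const ALLOWED_DIRS = ["src/", "lib/"];
const BLOCKED = [/\.(ya?ml|sh)$/i, /(^|\/)package(-lock)?\.json$/];
const MAX_FIX_BYTES = 20000;

// Return a normalized repo-relative path, or null if the path is suspicious.
function normalizeRepoPath(p) {
  if (typeof p !== "string" || p === "" || p.includes("\0") || p.includes("\\")) return null;
  if (p.startsWith("/")) return null; // absolute paths are never valid here
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") return null; // reject traversal outright instead of resolving it
    out.push(seg);
  }
  return out.length ? out.join("/") : null;
}

// Collect every policy violation so a human reviewer sees the full picture.
function vetProposedFix(fix) {
  const reasons = [];
  const path = normalizeRepoPath(fix && fix.file_path);
  if (!path) {
    reasons.push("file_path is not a clean repo-relative path");
  } else {
    if (!ALLOWED_DIRS.some((d) => path.startsWith(d))) reasons.push("file_path outside allowed source dirs");
    if (BLOCKED.some((re) => re.test(path))) reasons.push("file_path targets a blocked file type");
  }
  const code = fix && fix.fix_code;
  if (typeof code !== "string" || code.length === 0) reasons.push("fix_code missing");
  else if (Buffer.byteLength(code, "utf8") > MAX_FIX_BYTES) reasons.push("fix_code too large");
  return { ok: reasons.length === 0, path, reasons };
}

// Constructed samples: a plausible fix, a traversal path, and a non-source target.
const BENIGN = { file_path: "src/cart/total.js", fix_code: "if (!items) return 0;\n" };
const TRAVERSAL = { file_path: "src/../../placeholder.js", fix_code: "// placeholder\n" };
const OUTSIDE = { file_path: "config/placeholder.yml", fix_code: "# placeholder\n" };

for (const s of [BENIGN, TRAVERSAL, OUTSIDE]) console.log(s.file_path, vetProposedFix(s));
```

A path gate narrows what an injected instruction can touch; it does not judge whether `fix_code` itself is safe, so the resulting PR still needs human review before merge.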
Capability Assessment
Purpose & Capability
The declared purpose (fetch crashes, analyze, produce PRs) aligns with the requested GH_TOKEN, CRASH_REPORTER_API_KEY, CRASH_REPORTER_URL, and TARGET_REPO. However, the SKILL.md mentions using local/available MiniMax M2.5 and 'Codex 5.3 High', while the code calls an external minimax.chat API — a mismatch between description and actual implementation.
Instruction Scope
SKILL.md says no extra API key is needed and that MiniMax M2.5 is available in OpenClaw, but index.js posts crash payloads (including user_id and device/device_info) to https://api.minimax.chat and supplies an Authorization header from process.env.ZAI_API_KEY. The instructions do not disclose this external endpoint or the additional env var, meaning crash data will be transmitted outside the declared systems.
Install Mechanism
No install spec (instruction-only) and no downloads are present; risk from installation is low. There is a bundled index.js file so the runtime behavior must be inspected, but nothing writes arbitrary external install artifacts.
Credentials
Declared env vars (GH_TOKEN, CRASH_REPORTER_API_KEY, CRASH_REPORTER_URL, TARGET_REPO) are reasonable for the described task. But the code also expects ZAI_API_KEY (used to call an external minimax.chat service) which is not declared in SKILL.md. SKILL.md also references 'Codex 5.3 High' (an OpenAI model) despite no OpenAI credential being requested. Undeclared credentials and model mismatches are a red flag.
Persistence & Privilege
always:false and the skill does not request persistent platform privileges. The skill will create branches/commits/PRs using the user's GH_TOKEN (expected for the task), so standard least-privilege guidance applies for that token.
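How to Use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install crash-fixer
- After installation, call the Skill by name or trigger it with /crash-fixer
- Provide the required inputs according to the Skill's parameter documentation to get structured output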
Version History
v3.0.0
crash-fixer 3.0.0
- Major update: Fully autonomous crash-fixing workflow from report to PR creation.
- Now supports user-invoked commands with customizable flags for hours, limit, and dry run.
- Integrates Codex 5.3 High for crash analysis and MiniMax M2.5 for AI-powered fixes.
- Enhanced environment variable support for secure configuration.
- Automatically marks crash status after processing and PR creation.
v2.0.0
crash-fixer 2.0.0
- Added new required environment variable: TARGET_REPO for specifying the GitHub repository.
- Updated documentation for clearer usage instructions, environment requirements, and streamlined workflow steps.
- Removed _meta.json file.
- Improved options and examples for easier invocation.
v1.3.0
crash-fixer 1.3.0 changelog:
- Added support for the CRASH_REPORTER_URL environment variable in skill configuration.
- Updated environment variable requirements in SKILL.md.
- Added _meta.json file.
v1.2.0
- Added new environment variable requirements: OPENAI_API_KEY and CRASH_REPORTER_API_KEY, in addition to GH_TOKEN.
- Updated documentation to reflect required API keys for OpenAI Codex and crash reporter integration.
v1.1.0
- Added automatic deduplication of crashes using fingerprinting to avoid repeated fixes for the same issue.
- Switched code analysis to use Codex 5.3 High for improved root cause identification and code generation.
- Enhanced crash processing logic: checks for existing PRs or fixes before attempting new ones.
- Updated required environment: now requires only GH_TOKEN for operation.
- Default crash processing limit per run changed from 5 to 3.
- Documentation updated to clearly outline new workflow, deduplication strategy, and configuration options.
v1.0.0
Initial release of crash-fixer.
- Monitors Cloudflare D1 for crash reports and filters non-bug feedback.
- Analyzes stack traces with AI to identify and summarize root causes.
- Searches codebase via GitHub API and generates automated fix PRs.
- Supports dry-run mode and configurable crash query limits.
- Requires GitHub and OpenAI API keys for operation.
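FAQ
What is Crash Fixer?
Autonomous crash analysis and bug fixing. Monitors crash reports from Cloudflare D1, deduplicates, analyzes with Codex 5.3 High, generates fixes, and creates... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 654 cumulative downloads to date.
How do I install Crash Fixer?
Run the command "/install crash-fixer" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Crash Fixer free?
Yes, Crash Fixer is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does Crash Fixer support?
Crash Fixer is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Crash Fixer?
It is developed and maintained by Hamon Ben Riazy (@ryce); the current version is v3.0.0.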