Github Release Watcher
Author: rogue-agent1 · v1.0.0 · MIT-0
Total downloads: 110
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install github-release-watcher
Description
Monitor specified GitHub repositories for new releases and receive notifications of newly detected tags.
Usage instructions (SKILL.md)
GitHub Release Watcher
Monitor GitHub repositories for new releases and get notified.
Setup
- Requires gh CLI (GitHub CLI), authenticated
- Edit repos.txt: one owner/repo per line, # for comments
Usage
# Check all repos for new releases
bash scripts/check_releases.sh
# Use custom config file
bash scripts/check_releases.sh /path/to/repos.txt
# Dry run (show all latest releases regardless of state)
rm -f scripts/.last_seen.json && bash scripts/check_releases.sh
Integration
Cron (recommended)
Run daily via OpenClaw cron job to get notified of new releases:
Schedule: daily at 09:00
Payload: "Check for new GitHub releases using the github-release-watcher skill"
Heartbeat
Add to HEARTBEAT.md for periodic checks (1x/day recommended).
Output
- 🆕 **owner/repo** → tag (name) — new release detected
- ✅ No new releases detected. — all repos up to date
State
Release state stored in scripts/.last_seen.json. Delete to reset.
Adding Repos
Edit repos.txt:
# My tools
owner/repo
another/repo
Security usage recommendations
This skill appears to do what it says: it needs the GitHub CLI (gh) to be authenticated and will create/update scripts/.last_seen.json to remember seen tags. Before enabling: (1) confirm you want gh to be used (gh uses your GitHub credentials/token), (2) review and restrict repos.txt to only repos you intend to monitor, (3) consider running the script manually once to verify output and that the state file location is acceptable, and (4) if you have strict auditing needs, inspect the script for quoting/edge-case behavior (repo names with unusual characters could cause errors) or run it under a dedicated low-privilege account. The author field ('rogue-agent1') is unusual but does not itself indicate malicious behavior.
Functional analysis
Type: OpenClaw Skill
Name: github-release-watcher
Version: 1.0.0
The skill monitors GitHub releases but contains a command injection vulnerability in `scripts/check_releases.sh`. Specifically, repository names from `repos.txt` are interpolated directly into a Python one-liner (`python3 -c ...`) without sanitization, which allows for arbitrary code execution if a repository entry contains a single quote followed by Python code. While the provided repository list is benign and the logic aligns with the stated purpose, the lack of input validation on the configuration file constitutes a significant security flaw.
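The fix for the injection described above, and for the quoting concern raised in the usage recommendations, as an added example (not the skill's own script, which this page does not show): entries from repos.txt are allowlist-validated, and values reach Python as arguments rather than as part of the `python3 -c` source. The function names and the character allowlist are assumptions.

```shell
#!/bin/sh
# Added example. The original check_releases.sh is not shown on the page; the
# flaw described is a repo name pasted into the source text of `python3 -c`.
# Hardening: (1) allowlist-validate every entry, (2) hand values to Python as
# arguments (data), never as part of the program text.

# valid_repo ENTRY -> 0 if ENTRY is a plain owner/repo, 1 otherwise.
# The character allowlist is a conservative assumption, not GitHub's exact rule.
valid_repo() {
  case "$1" in
    -*|*/*/*) return 1 ;;          # leading '-' (option-like) or extra slash
    */*) ;;                        # exactly one slash
    *) return 1 ;;
  esac
  _owner=${1%%/*}; _name=${1#*/}
  [ -n "$_owner" ] && [ -n "$_name" ] || return 1
  case "$_owner$_name" in
    *[!A-Za-z0-9._-]*) return 1 ;; # quotes, spaces, $, ; and similar are refused
  esac
  return 0
}

# load_repos FILE -> prints accepted entries, logs refused ones to stderr.
load_repos() {
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
    [ -z "$line" ] && continue
    if valid_repo "$line"; then
      printf '%s\n' "$line"
    else
      printf 'refused repos.txt entry: %s\n' "$line" >&2
    fi
  done < "$1"
}

# record_tag STATE_FILE REPO TAG -> stores TAG for REPO in the JSON state file.
# The quoted heredoc keeps the Python source fixed; values arrive via sys.argv.
record_tag() {
  python3 - "$1" "$2" "$3" <<'PY'
import json, os, sys
path, repo, tag = sys.argv[1:4]
state = {}
if os.path.exists(path):
    with open(path) as fh:
        state = json.load(fh)
state[repo] = tag
with open(path, "w") as fh:
    json.dump(state, fh)
PY
}
```

Refused entries are logged rather than silently dropped, so an unexpected change to repos.txt shows up in the cron or heartbeat output.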
Capability assessment
Purpose & Capability
Name/description, SKILL.md, skill.json and the script all align: the script calls gh to query repos listed in repos.txt and reports new tags. The declared requirement (gh) matches actual usage. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Runtime instructions stay within scope: they require an authenticated gh CLI, edit repos.txt, and run the script. The script only reads repos.txt and a local state file and queries GitHub via gh; it does not transmit data to unexpected endpoints or read unrelated system files.
Install Mechanism
No install spec (instruction-only + small script) — nothing is downloaded or extracted. This minimizes install-time risk.
Credentials
The skill requests no environment variables or credentials. It relies on the gh CLI which expects GitHub authentication; that is proportional to its purpose. The only optional env var used is STATE_FILE to override the local state path, which is reasonable.
Persistence & Privilege
The script writes a local state file scripts/.last_seen.json (or $STATE_FILE if set) to track seen tags — expected for this task. The skill is not always-enabled and does not modify other skills or system configs.
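How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install github-release-watcher
- Once installation completes, call the Skill by name or use /github-release-watcher to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output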
Version history
v1.0.0
Initial release of GitHub Release Watcher.
- Monitor one or more GitHub repositories for new releases.
- Requires GitHub CLI (`gh`) and a simple config file (`repos.txt`).
- Provides an easy shell script workflow for checking and notification.
- Supports integration with cron jobs and heartbeat checks.
- Outputs concise status for new and existing releases.
- Tracks last seen releases in a local JSON state file.
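FAQ
What is Github Release Watcher?
Monitor specified GitHub repositories for new releases and receive notifications of newly detected tags. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 110 total downloads to date.
How do I install Github Release Watcher?
Run the command "/install github-release-watcher" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Github Release Watcher free?
Yes. Github Release Watcher is completely free and uses the MIT-0 license; it can be freely downloaded, installed, and used.
Which platforms does Github Release Watcher support?
Github Release Watcher runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Github Release Watcher?
It is developed and maintained by rogue-agent1 (@rogue-agent1); the current version is v1.0.0.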