Release Tracker

Track GitHub repository releases and generate prioritized summaries. Supports multiple repos, custom priority keywords, and delivery to Discord (forum posts...

This skill appears to do what it says: it uses the gh CLI to check releases, stores a local state file, and posts summaries via the agent's delivery channels. Before installing: - Ensure gh is installed and authenticated with only the scopes you intend (the gh token determines access to private repos). - Review where you place the workspace (release-tracker.json and state file are written there) and run setup.sh from a directory you control. - Confirm how your OpenClaw agent is configured to deliver messages to Discord/Telegram/Slack so you know which credentials are used and where messages will be sent. - Note the optional local CHANGELOG read (/opt/homebrew/...) — if you have sensitive files under node_modules or similar paths, understand the skill may attempt to read them when a matching package is present. - Run the setup and cron in an isolated session or test environment first to verify behavior and delivery targets.

Type: OpenClaw Skill Name: release-tracker Version: 1.1.0 The skill is classified as suspicious due to potential command injection vulnerabilities. Specifically, the SKILL.md instructions for fetching release content and changelogs involve executing `gh` and `cat` commands with parameters derived from external sources (user configuration, GitHub API). The `cat /opt/homebrew/lib/node_modules/<package>/CHANGELOG.md` instruction is particularly concerning as the `<package>` variable is not clearly defined and could be susceptible to path traversal or command injection if the OpenClaw agent does not rigorously sanitize inputs before executing shell commands, posing a Remote Code Execution risk. There is no clear evidence of intentional malicious behavior like data exfiltration or backdoor installation, but the presence of these RCE-prone instructions makes the skill suspicious.