fix: Fixed issue with openclaw skill page return empty#12347
fix: Fixed issue with openclaw skill page return empty#12347wanghe-fit2cloud merged 1 commit intodev-v2from
Conversation
|
Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: wanghe-fit2cloud The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e2f4d0e776
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| "docker exec %s openclaw skills info %q --json 2>&1", | ||
| 30*time.Second, | ||
| containerName, | ||
| name, |
There was a problem hiding this comment.
getOpenclawSkillKey now builds a bash -c command that interpolates req.Name via %q, but %q only produces a double-quoted Go string literal and does not neutralize shell substitutions like $() or backticks. A crafted skill name (sent directly to the API) can therefore execute arbitrary host-side shell commands before docker exec runs. The previous implementation did not pass user-controlled skill names into the shell, so this is a new command-injection path.
Useful? React with 👍 / 👎.
3 participants
No description provided.