v4-readiness

Generates a v4 upgrade readiness checklist for forks, ensuring operators are prepared for changes before the v4 release.

Install this skill

or

0/100

Security score

The v4-readiness skill was audited on May 30, 2026 and we found 24 security issues across 1 threat category, including 2 critical. Review the findings below before installing.

Categories Tested

Security Issues

high line 8

Template literal with variable interpolation in command context

SourceSKILL.md

8	> ${var} — Optional. Pass `dry-run` to skip the notification (article still writes, log still appends). Pass a fork repo slug (e.g. `someuser/aeon`) to read remote `aeon.yml` + `skills.json` from

high line 29

Template literal with variable interpolation in command context

SourceSKILL.md

29	No new secrets. No new env vars. No new state files. Pure local file I/O over the fork's own working tree, plus optional `gh api` for the `${var}=owner/repo` remote-survey mode.

high line 39

Template literal with variable interpolation in command context

SourceSKILL.md

39	- `articles/v4-readiness-${today}.md` — the full per-fork readiness report.

high line 40

Template literal with variable interpolation in command context

SourceSKILL.md

40	- `memory/logs/${today}.md` — log block.

high line 42

Template literal with variable interpolation in command context

SourceSKILL.md

42	If `${var}` is a fork slug instead of `dry-run` or empty, replace every local file read with `gh api repos/${var}/contents/<path>` and decode the base64 content. Custom-skill scan via `gh api repos/${

high line 55

Template literal with variable interpolation in command context

SourceSKILL.md

55	\| `articles/${skill}-${today}.md` output convention \| per-skill \| Consumed by chains, dashboard, syndicate-article — too many readers to break \|

high line 58

Template literal with variable interpolation in command context

SourceSKILL.md

58	\| `${today}` template variable \| SKILL.md prose \| Substituted by the runner; no plan to change \|

high line 73

Template literal with variable interpolation in command context

SourceSKILL.md

73	\| MCP server tool naming (`aeon-${skill_slug}`) \| `mcp-server/src/index.ts` \| Naming convention for forks consuming the MCP \|

high line 99

Template literal with variable interpolation in command context

SourceSKILL.md

99	- If `${var}` matches `^dry-run$` → `MODE=dry-run`. No notification, article still writes.

high line 100

Template literal with variable interpolation in command context

SourceSKILL.md

100	- Else if `${var}` matches `^[a-zA-Z0-9._-]+/[a-zA-Z0-9._-]+$` → `MODE=remote`, `TARGET=${var}`. All file reads go through `gh api repos/${TARGET}/contents/...`.

high line 101

Template literal with variable interpolation in command context

SourceSKILL.md

101	- Else if `${var}` is empty → `MODE=local`, `TARGET=$(gh repo view --json nameWithOwner --jq .nameWithOwner)`.

high line 102

Template literal with variable interpolation in command context

SourceSKILL.md

102	- Anything else → log `V4_READINESS_BAD_VAR: ${var}` and exit (no notify, no article).

high line 114

Template literal with variable interpolation in command context

SourceSKILL.md

114	\| `aeon.yml` \| direct read \| `gh api repos/${TARGET}/contents/aeon.yml --jq .content \\| base64 -d` \|

high line 117

Template literal with variable interpolation in command context

SourceSKILL.md

117	\| Custom skills \| `ls skills/` minus skills present in `skills.json` install rows \| `gh api repos/${TARGET}/contents/skills` JSON \|

high line 137

Template literal with variable interpolation in command context

SourceSKILL.md

137	For each custom-skill candidate: confirm it exists on disk (`skills/${name}/SKILL.md`) and is not present in the upstream-fingerprint heuristic (skills with `install: ./add-skill aaronjmars/aeon $

high line 156

Template literal with variable interpolation in command context

SourceSKILL.md

156	Path: `articles/v4-readiness-${today}.md`. Overwrite if exists.

medium line 158

Template literal with variable interpolation in command context

SourceSKILL.md

158	```markdown

medium line 221

Template literal with variable interpolation in command context

SourceSKILL.md

221

```

high line 242

Template literal with variable interpolation in command context

SourceSKILL.md

242	### 8. Log to `memory/logs/${today}.md`

medium line 244

Template literal with variable interpolation in command context

SourceSKILL.md

244

```

high line 266

Template literal with variable interpolation in command context

SourceSKILL.md

266	\| `V4_READINESS_BAD_VAR` \| `${var}` was non-empty, non-`dry-run`, not a `owner/repo` slug \| No \|

high line 272

Template literal with variable interpolation in command context

SourceSKILL.md

272	Remote mode (`var=owner/repo`). Each input read is a single `gh api repos/${TARGET}/contents/${path}` call. `gh` handles auth via the workflow's `GITHUB_TOKEN`, so there is no env-var-in-curl patt

critical line 53

Piping content to bash shell

SourceSKILL.md

53	\| `./notify "message"` interface \| bash \| Operator-facing CLI; documented in CLAUDE.md \|

critical line 57

Piping content to bash shell

SourceSKILL.md

57	\| `gh api` and `gh pr create` usage in skills \| bash \| GitHub CLI is stable; sandbox workaround for env-var-in-headers \|

Scanned on May 30, 2026

View Security Dashboard

Installation guide →

GitHub Stars 14

Rate this skill

Categorydevelopment

UpdatedJune 4, 2026

openclaw backend devops-sre backend-developer technical-pm github development product

aaronjmars/miroshark-aeon