releaseguard

Scan, harden, sign, and verify release artifacts with ReleaseGuard — the artifact policy engine for dist/ and release/ outputs.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "releaseguard" with this command: npx skills add asiridalugoda/releaseguard

ReleaseGuard Skill

ReleaseGuard is an artifact policy engine. Use it to scan build outputs for secrets, misconfigurations, and supply-chain risks; harden and fix them; generate SBOMs; sign artifacts; and verify release integrity.

Install ReleaseGuard

Preferred — Homebrew (macOS / Linux, no remote script execution):

brew install Helixar-AI/tap/releaseguard

Alternative — manual download from GitHub Releases (review before running):

# 1. Review the install script before executing:
curl -sSfL https://raw.githubusercontent.com/Helixar-AI/ReleaseGuard/main/scripts/install.sh | less

# 2. If satisfied, run it:
curl -sSfL https://raw.githubusercontent.com/Helixar-AI/ReleaseGuard/main/scripts/install.sh | sh

Alternative — direct binary download (no shell script):

# Replace VERSION, OS, and ARCH as appropriate (linux/darwin, amd64/arm64)
curl -sSfL https://github.com/Helixar-AI/ReleaseGuard/releases/latest/download/releaseguard-VERSION-OS-ARCH.tar.gz \
  | tar -xz releaseguard
sudo mv releaseguard /usr/local/bin/releaseguard

Note: The install script is MIT-licensed and open-source at https://github.com/Helixar-AI/ReleaseGuard/blob/main/scripts/install.sh Review it before executing in sensitive environments.

External Services

Some commands interact with external services. This is documented per-command below. No data is sent externally unless you explicitly invoke the relevant flag or mode:

FeatureExternal ServiceTriggered by
CVE enrichmentOSV.dev (read-only, no auth)sbom --enrich-cve or vex
Keyless signingSigstore / Fulcio (requires OIDC token)sign --mode keyless
Cloud obfuscationReleaseGuard Cloud APIobfuscate --level medium/aggressive
SLSA Provenance L3ReleaseGuard Cloud APICloud plan only

Credentials: Keyless signing requires an OIDC token (available in GitHub Actions, GitLab CI, etc.). Local signing requires a private key file you supply with --key. Cloud features require RELEASEGUARD_CLOUD_TOKEN. No credentials are used by default for check, fix, sbom, pack, report, or verify.

Commands

Check / Scan — releaseguard check <path>

Scan an artifact path and evaluate the release policy. No external network calls.

Trigger phrases: "scan", "check", "audit", "analyze release", "inspect dist", "any secrets", "find vulnerabilities"

releaseguard check <path>
releaseguard check <path> --format json
releaseguard check <path> --format sarif --out results.sarif
releaseguard check <path> --format markdown --out report.md
  • Default format: cli (human-readable)
  • Other formats: json, sarif, markdown, html
  • Exit code 0 = PASS, non-zero = FAIL

Fix — releaseguard fix <path>

Apply safe, deterministic hardening transforms. No external network calls.

Trigger phrases: "fix", "harden", "apply fixes", "remediate", "auto-fix release"

releaseguard fix <path>
releaseguard fix <path> --dry-run   # preview without applying

SBOM — releaseguard sbom <path>

Generate a Software Bill of Materials.

Trigger phrases: "sbom", "software bill of materials", "dependencies", "generate bom"

releaseguard sbom <path>                     # no network calls
releaseguard sbom <path> --format spdx
releaseguard sbom <path> --enrich-cve        # fetches CVE data from OSV.dev (read-only)
  • Default format: cyclonedx
  • --enrich-cve makes read-only requests to OSV.dev; no credentials required

Obfuscate — releaseguard obfuscate <path>

Apply obfuscation to release artifacts.

Trigger phrases: "obfuscate", "strip symbols", "protect binary"

releaseguard obfuscate <path> --level light   # OSS — no network calls
releaseguard obfuscate <path> --level medium  # requires RELEASEGUARD_CLOUD_TOKEN
releaseguard obfuscate <path> --dry-run

Levels:

  • none / light — local, no external calls (OSS)
  • medium / aggressive — calls ReleaseGuard Cloud API; requires RELEASEGUARD_CLOUD_TOKEN

Harden — releaseguard harden <path>

Full hardening pipeline: fix + obfuscate + DRM injection.

Trigger phrases: "full harden", "harden release", "full hardening pipeline"

releaseguard harden <path> --obfuscation light    # no network calls
releaseguard harden <path> --obfuscation medium   # requires RELEASEGUARD_CLOUD_TOKEN
releaseguard harden <path> --dry-run

Pack — releaseguard pack <path>

Package an artifact into a canonical archive. No external network calls.

Trigger phrases: "pack", "package artifact", "create archive"

releaseguard pack <path> --out release.tar.gz
releaseguard pack <path> --out release.zip --format zip

Sign — releaseguard sign <artifact>

Sign an artifact and its evidence bundle.

Trigger phrases: "sign", "cosign", "keyless sign", "sign artifact"

# Keyless (Sigstore/Fulcio) — requires OIDC token; use in CI environments
releaseguard sign <artifact> --mode keyless

# Local signing — no external calls; requires private key file
releaseguard sign <artifact> --mode local --key signing.key
  • keyless mode contacts Sigstore's Fulcio CA and Rekor transparency log
  • local mode is fully offline; key stays on disk

Attest — releaseguard attest <artifact>

Emit in-toto and SLSA provenance attestations.

Trigger phrases: "attest", "provenance", "slsa", "in-toto"

releaseguard attest <artifact>

Verify — releaseguard verify <artifact>

Verify artifact signatures and policy compliance. No credentials required for verification.

Trigger phrases: "verify", "check signature", "validate artifact"

releaseguard verify <artifact>

Report — releaseguard report <path>

Export a scan report. No external network calls.

Trigger phrases: "report", "export report", "compliance report"

releaseguard report <path> --format sarif --out results.sarif
releaseguard report <path> --format html --out report.html

VEX — releaseguard vex <path>

Enrich SBOM with VEX vulnerability data. Makes read-only requests to OSV.dev.

Trigger phrases: "vex", "vulnerability data", "enrich sbom"

releaseguard vex <path> --sbom .releaseguard/sbom.cdx.json --out vex.json

Typical Workflows

Quick scan (no network, no credentials)

releaseguard check ./dist

Full pipeline (CI with keyless signing)

releaseguard check ./dist
releaseguard fix ./dist
releaseguard sbom ./dist
releaseguard pack ./dist --out release.tar.gz
releaseguard sign release.tar.gz --mode keyless   # OIDC token required
releaseguard attest release.tar.gz
releaseguard verify release.tar.gz

Offline pipeline (no network, local key)

releaseguard check ./dist
releaseguard fix ./dist
releaseguard sbom ./dist
releaseguard pack ./dist --out release.tar.gz
releaseguard sign release.tar.gz --mode local --key signing.key

Configuration

releaseguard init   # creates .releaseguard.yml

# .releaseguard.yml
version: 2
scanning:
  exclude_paths:
    - test/fixtures
policy:
  fail_on: [critical, high]

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open Registry RecordOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

Security Audit (Sona)

Fail-closed security auditing for OpenClaw/ClawHub skills & repos: trufflehog secrets scanning, semgrep SAST, prompt-injection/persistence signals, and supply-chain hygiene checks before enabling or installing.

Registry SourceRecently Updated
12.2K
Profile unavailable
Security

agent-bom

Security scanner for AI infrastructure and supply chain — discovers MCP clients and servers, scans for CVEs, maps blast radius, generates SBOMs, runs CIS ben...

Registry SourceRecently Updated
0787
Profile unavailable
Security

AgentShield Scanner

Scan AI agent skills, MCP servers, and plugins for security vulnerabilities. Use when: user asks to check a skill/plugin for safety, audit security, scan for...

Registry SourceRecently Updated
065
Profile unavailable