
security-issue-fix

Attempt to fix a security issue tracked in `<tracker>` by implementing the change in a public `<upstream>` PR. Runs `security-issue-sync` first to reconcile the issue's state, proposes an implementation plan, and on explicit user confirmation writes the change, opens a PR from the user's fork, and updates the `<tracker>` tracking issue. Public PR content is scrubbed so it does **not** reveal the CVE, the security nature of the change, or any link back to `<tracker>`.
apache/airflow-steward · ★ 19 · AI & Automation · score 80
Install: claude install-skill apache/airflow-steward
<!-- Placeholder convention (see AGENTS.md#placeholder-convention-used-in-skill-files):

     <project-config> → adopting project's `.apache-steward/` directory
     <tracker>        → value of `tracker_repo:` in <project-config>/project.md
                        (example: airflow-s/airflow-s for the Apache Airflow security team)
     <upstream>       → value of `upstream_repo:` in <project-config>/project.md
                        (example: apache/airflow)

     Before running any bash command below, substitute these with the concrete
     values from the adopting project's <project-config>/project.md. -->

# security-issue-fix

This skill automates the "attempt a fix" step of the security handling process for issues in [`<tracker>`](https://github.com/<tracker>). It composes with the [`security-issue-sync`](../security-issue-sync/SKILL.md) skill — it always runs the sync first so that the issue's state is reconciled with the mail thread and any existing PRs before attempting any new work.

**Golden rule:** Every state-changing action — writing files in the local `<upstream>` clone, committing, pushing to the user's fork, opening a public PR, editing or commenting on `<tracker>`, drafting mail on the `security@` thread — is a *proposal* that requires explicit confirmation from the user before it runs. The fact that the user invoked the skill is not a blanket "yes". In particular, **nothing public is pushed without the user explicitly approving the exact PR title, body and diff