Skip to content

ci: daily registry monitor workflow (scheduled ClawHub sweep + report)#14

Merged
Ap6pack merged 1 commit into
mainfrom
claude/daily-registry-monitor
Jul 6, 2026
Merged

ci: daily registry monitor workflow (scheduled ClawHub sweep + report)#14
Ap6pack merged 1 commit into
mainfrom
claude/daily-registry-monitor

Conversation

@Ap6pack

@Ap6pack Ap6pack commented Jul 6, 2026

Copy link
Copy Markdown
Owner

Description

Makes the "scan the registry every 24h and produce a report" behavior real. Until now the monitoring capability existed (malwar crawl monitor, snapshot engine, diff engine) but nothing invoked it on a schedule — no cron workflow existed. This adds one.

.github/workflows/registry-monitor.yml runs daily at 06:00 UTC (plus manual workflow_dispatch):

  1. Crawls the whole ClawHub registry and fast-scans every skill, escalating flagged skills to the LLM layer.
  2. Diffs the result against the previous snapshot (added / removed / modified / verdict-changed / newly-malicious).
  3. Commits the snapshot + JSON diff to a dedicated registry-monitor branch, so git log -p registry-monitor is a permanent, auditable day-over-day record.

Why a dedicated data branch, not main

main is protection-gated (PR + required test check), so a scheduled bot cannot push to it. The snapshot history lives on its own long-running registry-monitor branch, created automatically on the first run. The baseline (latest.json) is restored from that branch before each sweep so the daily diff chains correctly.

Secret required

The LLM escalation reads a repository secret MALWAR_ANTHROPIC_API_KEY. Without it the sweep still runs on the rule engine + threat intel; only the LLM second opinion on flagged skills is skipped.

Type of Change

  • Infrastructure / CI

Checklist

  • Workflow YAML validated
  • No changes to application code or tests
  • MALWAR_ANTHROPIC_API_KEY added as a repository secret (see note below)

Action needed before the LLM layer works: the key is currently an environment secret. Re-add it under Settings → Secrets and variables → Actions → New repository secret so the unattended scheduled job can read it.

🤖 Generated with Claude Code

https://claude.ai/code/session_01DNoTXU8k3pfSBzR7aJubqL


Generated by Claude Code

Adds a scheduled GitHub Actions workflow that runs 'malwar crawl monitor'
once a day (06:00 UTC, plus manual dispatch): crawls the whole ClawHub
registry, fast-scans every skill (escalating flagged ones to the LLM),
diffs against the previous snapshot, and commits the snapshot + JSON diff
to a dedicated 'registry-monitor' branch for an auditable day-over-day
history.

Uses a data branch rather than main because main is protection-gated
(PR + required checks), so a scheduled bot cannot push to it. The LLM
layer reads a MALWAR_ANTHROPIC_API_KEY repository secret; without it the
sweep still runs on the rule engine + threat intel.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01DNoTXU8k3pfSBzR7aJubqL
@Ap6pack Ap6pack merged commit 3aa5854 into main Jul 6, 2026
5 checks passed
@Ap6pack Ap6pack deleted the claude/daily-registry-monitor branch July 6, 2026 01:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants