cron-worker-guardrails
使用场合:强化 OpenClaw cron/后台工作程序(POSIX shell:bash/sh)以防止脆弱的引用, cwd/env 漂移和错误的管道故障(SIGPIPE、pipefail + head)。 不要使用when:问题是应用程序逻辑而不是执行包装器的可靠性。 输出:脚本优先的强化检查表 + 安全模式(成功时静默、确定性 cwd/env、回滚友好)。
安装 / 下载方式
TotalClaw CLI推荐
totalclaw install totalclaw:totalclaw~phenomenoner-cron-worker-guardrailscURL直接下载,无需登录
curl -fsSL https://skills.taituai.com/api/skills/totalclaw%3Atotalclaw~phenomenoner-cron-worker-guardrails/file -o phenomenoner-cron-worker-guardrails.md## 概述(中文)
使用场合:强化 OpenClaw cron/后台工作程序(POSIX shell:bash/sh)以防止脆弱的引用,
cwd/env 漂移和错误的管道故障(SIGPIPE、pipefail + head)。
不要使用when:问题是应用程序逻辑而不是执行包装器的可靠性。
输出:脚本优先的强化检查表 + 安全模式(成功时静默、确定性 cwd/env、回滚友好)。
## 原文
# Cron Worker Guardrails (POSIX)
A reliability-first checklist for **OpenClaw cron workers** and any unattended automation.
## Scope (important)
- This skill is **POSIX-focused** (bash/sh examples).
- The *principles* are portable, but if you're on Windows/PowerShell you'll need equivalent patterns.
## The `NO_REPLY` convention
Many OpenClaw setups treat emitting exactly `NO_REPLY` as "silent success" (no human notification).
- If your runtime does not support `NO_REPLY`, interpret it as: **print nothing on success**.
## Quick Start
1) **Scripts-first:** move logic into a repo script (recommended: `tools/<job>.py` or `tools/<job>.sh`).
2) **One command in cron:** cron should run *one short command* (no multi-line `bash -lc '...'`).
3) **Deterministic cwd/env:** `cd` to the repo (or have the script do it), and document required env vars.
4) **Silent on success:** print nothing (or exactly `NO_REPLY`) when OK; only emit a short alert when broken.
Also see:
- `references/cron-agent-contract.md`
- `references/pitfalls.md`
## Why this skill exists
Cron failures are rarely "logic bugs". In practice they're often:
- brittle shell quoting (`bash -lc '...'` nested quotes)
- command substitution surprises (`$(...)`)
- one-liners that hide escaping bugs (`python -c "..."`)
- cwd/env drift ("works locally, fails in cron")
- pipelines that fail for the wrong reason (`pipefail` + `head` / SIGPIPE)
The fix is boring but effective: **scripts-first + deterministic execution + silent-on-success**.
## Portability rules (still apply)
Even on POSIX, do **not** hardcode deployment-specific absolute paths tied to one machine.
Prefer:
- repo-relative paths
- environment variables you document
- minimal wrappers that `cd` into the repo
## Common failure patterns -> fixes
### 1) `unexpected EOF while looking for matching ')'`
Likely causes:
- unclosed `$(...)` from command substitution
- broken nested quotes in `bash -lc ' ... '`
Fix pattern:
- Replace the whole multi-line shell block with a script.
- Cron calls exactly one short command, for example:
- `python3 tools/<job>.py`
### 2) False failure from `pipefail` + `head` (SIGPIPE)
Symptom:
- command exits non-zero even though the output you wanted is fine
Fix pattern:
- avoid `pipefail` when piping into `head`
- or better: do the filtering in a script (read only what you need)
### 3) "Works locally, fails in cron"
Common causes:
- wrong working directory
- missing env vars
- different PATH
Fix pattern:
- `cd` into the repo (or have the script do it)
- keep dependencies explicit and documented
## Git footgun: `git push` rejected (non-fast-forward)
Symptom:
- `! [rejected] ... (non-fast-forward)` when automation pushes to a **long-lived PR/feature branch**.
Conservative fix (no force-push):
- On rejection, fetch the remote branch, transplant your new local commits onto it (cherry-pick), then retry push once.
## Copy/paste hardening header (portable)
Use this near the top of a cron prompt (2 lines, low-noise):
- **Hardening (MUST):** follow `references/cron-agent-contract.md` (scripts-first, deterministic cwd, silent-on-success).
- Also apply the `cron-worker-guardrails` skill. If parsing/multi-step logic is needed, write/run a small `tools/*.py` script.