ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

essesseff DevOps ALM

v1.0.2

Interact with the essesseff DevOps platform — call the essesseff Public API (templates, organizations, apps, deployments, images, image lifecycle, environmen...

0· 59·0 current·0 all-time
by@adamdurst
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the manifest and SKILL.md. Required binaries (curl, bash, git, jq, kubectl) and environment variables (essesseff API key, account slug, GitHub PATs, ArgoCD machine-user token/email, template/app names, K8s namespace) are consistent with the two stated functions (direct API calls and running the onboarding shell utility).
Instruction Scope
SKILL.md instructs only API calls and the onboarding shell workflow (cloning templates, string replacement, creating repos, writing .env files for Argo CD, calling setup scripts). It explicitly documents what secrets are used and which are copied to per-repo .env files. It does not ask the agent to read unrelated system files or transmit secrets to unknown endpoints.
Install Mechanism
This is an instruction-only skill with no install spec and no archive downloads — lowest-risk install profile. All behavior comes from packaged docs and referenced shell scripts in the repo.
Credentials
The skill requests multiple sensitive credentials (ESSESSEFF_API_KEY, ESSESSEFF_ACCOUNT_SLUG, GITHUB_ORG_ADMIN_PAT, GITHUB_TOKEN, ARGOCD_MACHINE_USER/EMAIL). These appear justified by the two operation modes (subscriber mode requires essesseff API key and account slug; non-subscriber app creation requires an org-admin PAT; Argo CD setup requires a machine-user token/email). Users should ensure tokens use minimal scopes (prefer fine-grained PATs) and understand which token is used for which operation.
Persistence & Privilege
The skill is not always-enabled and does not request elevated agent-wide persistence. It writes per-repo .env files and may write a local .essesseff config file when running the onboarding utility — behavior expected and documented. It does not modify other skills or system-wide agent settings.
Assessment
This skill appears internally consistent with its stated purpose, but it needs several powerful credentials and access to your GitHub org and Kubernetes context to run the onboarding flows. Before installing: (1) only proceed if you trust the essesseff project and its GitHub repo; (2) use least-privilege tokens (prefer fine‑grained GitHub PATs with exact scopes, rotate them after use); (3) keep .essesseff out of version control and follow the README guidance to delete notifications-secret.yaml after applying it; (4) run the onboarding utility in a controlled environment (correct kubectl context) and review the onboarding scripts in the cloned repo before executing; (5) if you only need read-only API operations, avoid providing org-admin PATs or running the create-app flows.

Like a lobster shell, security has layers — review code before you run it.

latestvk974yas752tgpna7fvc7z4npz183sbnf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🦞 Clawdis
Binscurl, bash, git, jq, kubectl
EnvESSESSEFF_API_KEY, ESSESSEFF_ACCOUNT_SLUG, GITHUB_ORG, APP_NAME, GITHUB_TOKEN, ARGOCD_MACHINE_USER, ARGOCD_MACHINE_EMAIL, GITHUB_ORG_ADMIN_PAT, TEMPLATE_NAME, TEMPLATE_IS_GLOBAL, K8S_NAMESPACE
Primary envESSESSEFF_API_KEY

Comments