v1.0.2

essesseff DevOps ALM

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:37 AM.

Analysis

This looks like a coherent DevOps skill, but it can run external onboarding scripts and use powerful API/GitHub/Kubernetes credentials to create repositories and deploy to production.

Guidance: Install only if you trust the essesseff service and the referenced onboarding utility. Use dedicated least-privilege tokens, review or pin the external script before running it, keep `.essesseff`, `.env`, and secret YAML files out of source control, and require explicit approval before any create, update, or production-deploy action.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
references/api-environments.md
POST .../environments/PROD/deploy-stable — Deploy STABLE image to PROD (no OTP required via API)

This documents a direct production-deployment API action with no secondary OTP gate; the artifacts do not add an explicit approval or safety workflow around this high-impact operation.

User impact: An agent with a valid API key could promote an image to production, potentially affecting live services if the wrong app, image, or environment is selected.

Recommendation: Require explicit human confirmation for every mutating API call, especially production deployments, and verify app name, image tag, environment, and rollback plan before execution.
Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
README.md
git clone https://github.com/essesseff/essesseff-onboarding-utility.git ... chmod +x essesseff-onboard.sh ... ./essesseff-onboard.sh --create-app --setup-argocd dev,qa,staging,prod --config-file .essesseff

The workflow executes shell code fetched from an external repository rather than code bundled with the skill, creating a provenance/review gap for a script that will run with high-value credentials.

User impact: A changed or compromised upstream script could run commands using the user's GitHub, essesseff, or Kubernetes access.

Recommendation: Review the onboarding utility source before running it, pin to a trusted commit or release, run it from a clean workspace, and avoid granting tokens more access than the exact task requires.
Cascading Failures
Severity: Medium | Confidence: High | Status: Concern
references/onboarding-utility.md
Creates all 9 repos ... Argo CD setup: Configures Argo CD for dev, qa, staging, and/or prod environments.

A single onboarding or setup workflow spans many repositories and deployment environments, so an incorrect input can propagate across source, config, Argo CD, and production-facing systems.

User impact: A typo or wrong configuration could create or modify multiple repositories and deployment environments at once.

Recommendation: Run scoped operations first, start with non-production environments, confirm generated repo names and target clusters, and keep a cleanup/rollback plan.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
references/prerequisites.md
Classic PAT — scopes needed: repo — create repos, push code; workflow — create/update .github/workflows files ... Argo CD Machine User PAT (`GITHUB_TOKEN`) ... repo scope ... read:packages scope

The documented credentials can create and push repositories, modify GitHub Actions workflows, and access packages; these privileges are powerful and can affect an organization’s software supply chain.

User impact: If these tokens are over-scoped, misused, or exposed, they could allow broad changes to GitHub repositories, workflows, packages, and deployment automation.

Recommendation: Use dedicated least-privilege fine-grained tokens, restrict them to the specific organization/repositories needed, avoid personal admin tokens where possible, and rotate tokens after use.