Skill v1.0.0
ClawScan security
ci-cd-pipeline-builder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 3:17 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and runtime instructions align with its stated purpose (detect repo stack and generate starter CI pipelines); it requests no credentials and performs only local file inspection and YAML generation.
- Guidance
- This skill appears coherent and benign, but review its outputs before committing: the scripts read files in the repository and will write YAML to the output path you provide (they will create parent directories and may overwrite existing pipeline files). Inspect generated CI YAML for deploy steps or secrets before enabling in production; run the generator on a copy or branch if you want to avoid accidental overwrites. Note some generated steps use fallbacks like "|| true" or placeholder echo commands when commands are missing—adjust those to avoid masking real failures. If you plan to run these scripts in an automated environment, ensure the repository you point them at is trusted.
Review Dimensions
- Purpose & Capability
- ok: Name/description (CI/CD pipeline generation) align with included scripts and references. The two Python scripts detect repo signals and emit GitHub/GitLab YAML; included template docs match the stated capabilities. There are no unrelated binaries or credentials requested.
- Instruction Scope
- ok: SKILL.md instructs the agent to run the provided detector and generator against a repository or JSON input; instructions restrict actions to detection, generation, validation, and local write-out. The scripts only read repository files (package.json, pyproject.toml, go.mod, lockfiles, Dockerfile, etc.) and do not attempt to access system secrets, network endpoints, or other unrelated paths.
- Install Mechanism
- ok: No install spec — instruction-only plus included scripts. Nothing is downloaded or extracted from external URLs; scripts are plain Python files. Low install risk.
- Credentials
- ok: No environment variables, credentials, or config paths are required. The scripts operate on repository files and CLI args only. There are no demands for unrelated tokens or secrets.
- Persistence & Privilege
- ok: Skill is not always-enabled and does not declare persistent or elevated privileges. It writes pipeline YAML to an output path specified by the user (creates parent directories if needed), which is expected behavior for a generator.
