Nm Minister Release Health Gates
AdvisoryAudited by Static analysis on May 9, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If connected to tracker tools, the agent may change task status or effort records that teammates rely on.
The skill instructs updates to tracker records, which is an account/workflow mutation even though it fits the release-readiness purpose.
- Update tracker tasks to `Done` and log actual effort.
Require human confirmation for tracker updates and limit changes to the specific release scope.
A connected GitHub token or account could expose repository check and deployment information to the workflow.
The skill references GitHub repository and deployment data sources; using these with connected tools may rely on repository/account permissions.
| Checks | `GET /repos/{owner}/{repo}/commits/{sha}/check-suites` | ... |
| Deployments | `GET /repos/{owner}/{repo}/deployments` | ... |Use least-privilege GitHub access and keep the skill scoped to the intended repository or organization.
Release status, waiver, and retrospective information may remain in tracker records and be reused later.
The skill explicitly stores release-gate outputs in persistent tracker data for later reuse.
Rollout scorecard that persists in tracker data for retros.
Verify tracker visibility and retention settings, and avoid storing sensitive details beyond what the release process needs.