Doctorbot Ci Validator

v0.1.0

Stop failing in production. Validate your GitHub Actions, GitLab CI & Keep workflows offline with surgical precision. Born from Keep bounty research, perfected for agents.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill claims to perform offline CI workflow validation (Keep, GitHub Actions, GitLab), and the instructions reference concrete Python scripts (scripts/validate_keep.py, scripts/validate_yaml.py). However, the published package contains no code files and no install specification to provide those scripts. That makes the declared capability unattainable from this bundle and therefore incoherent.
! Instruction Scope
Runtime instructions tell the agent to run python3 scripts against repository files and directories. Reading repo workflow files is consistent with a validator, but because the scripts aren't included, the instructions effectively instruct the agent to run arbitrary code that isn't present. The instructions do not request network exfiltration or unrelated system access, but they assume the presence of local scripts and Python that are not declared.
! Install Mechanism
There is no install specification in the bundle even though SKILL.md documents an installation command (openclaw install doctorbot-ci-validator) and describes Python scripts. Without an install spec or bundled code, it's unclear how the referenced scripts would be provided. Lack of an install mechanism is lower direct risk but increases ambiguity about where executable code would come from.
! Credentials
The skill declares no required binaries or environment variables, yet the instructions explicitly call python3 and expect to run validation scripts (which likely need libraries such as PyYAML or custom dependencies). This mismatch—no declared runtime requirements while requiring Python execution—is disproportionate and unexplained.
Persistence & Privilege
The skill does not request elevated persistence: always is false, and there are no required config paths or credentials. disable-model-invocation is false (normal). There is no evidence the skill tries to modify other skills or request system-wide configuration.
What to consider before installing
Do not install or run this skill as-is. The SKILL.md expects local Python scripts (scripts/validate_keep.py and scripts/validate_yaml.py) but the published package contains no code or install spec; it's therefore incomplete and ambiguous. Before proceeding, ask the publisher or maintainer for: (1) the actual code or a proper install spec that fetches it, (2) an explicit list of required binaries and Python packages, and (3) a README or source tarball you can inspect. If you must test it, fetch the GitHub homepage referenced in the skill, inspect the repository contents and scripts for network calls or credential use, and run any unknown scripts in an isolated sandbox/container with no access to secrets or production repositories.

Like a lobster shell, security has layers — review code before you run it.
