Gitea
PassAudited by ClawScan on May 10, 2026.
Overview
This is an instruction-only Gitea CLI helper with no hidden code, but it relies on your logged-in tea account and documents commands that can change or delete repositories.
Before using this skill, install `tea` from a trusted source, log in with the least privileges needed, double-check the target repository or instance, and require explicit confirmation before running destructive or mutating commands such as repository deletion, releases, secrets, variables, or webhooks.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the logged-in account has broad permissions, the agent could perform broad Gitea actions when asked.
The skill expects the user to authenticate the `tea` CLI, so actions run with the permissions of that Gitea account.
Add a login once to get started: `tea login add`
Use a least-privileged Gitea account or token, and specify the intended `--repo` and `--login` when running commands.
A mistaken command could delete or modify important repository data.
The documented CLI examples include destructive repository management, including a forced delete option.
Delete a repository: `tea repos delete --name my-repo --owner myuser --force`
Require explicit user confirmation before destructive or account-mutating commands, especially delete, release, webhook, secret, and variable operations.
The skill will use whatever `tea` executable is available in the user's environment, or fail if it is not installed.
The metadata does not declare the `tea` CLI dependency or provide an install source, even though SKILL.md relies on it.
Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.
Install `tea` from a trusted source and verify the binary before using this skill.
Repository activity may be shared with the configured webhook endpoint.
Webhook creation can send repository event data to an external URL.
Create a webhook: `tea webhooks create https://example.com/hook --events push,pull_request`
Only create webhooks for trusted endpoints and select the minimum required events.