CI/CD Pipeline
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A generated workflow could publish releases or otherwise modify repository state when matching tags or events occur.
The skill includes workflow templates that create GitHub releases and therefore need repository write permission (contents: write on the job's GITHUB_TOKEN). This is consistent with CI/CD release automation, but it is a high-impact capability if the generated workflow is committed without review.
    ### Deploy to production on tag
    ...
    permissions:
      contents: write
    ...
    - uses: softprops/action-gh-release@v2
Review workflow triggers and permissions before committing a generated workflow. Use least-privilege permissions, protected branches/tags, environment approvals, and manual gates for production or release workflows.
If a workflow or referenced action is misconfigured or compromised, repository secrets or token permissions could be used to deploy, publish, or access protected resources.
The workflow examples use GitHub Actions secrets and the GitHub token for deployment and package publishing. This is expected for CI/CD, but it gives workflows delegated authority.
    DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
    ...
    password: ${{ secrets.GITHUB_TOKEN }}
Store only the secrets a workflow needs, scope tokens narrowly, prefer environment-scoped secrets and OIDC where possible, and avoid exposing secrets to untrusted pull-request contexts (for example pull_request_target runs on fork-supplied input).
A changed or compromised third-party action could run code in CI with the workflow's available permissions and secrets.
The templates reference third-party GitHub Actions by tags rather than immutable commit SHAs. This is common in CI/CD examples, but those actions execute in the workflow environment.
    - uses: dtolnay/rust-toolchain@stable
    - uses: Swatinem/rust-cache@v2
    ...
    - uses: softprops/action-gh-release@v2
Prefer trusted actions, review their permissions and maintainers, pin the actions used in security-sensitive workflows to full commit SHAs rather than tags or branch names, and use dependency update tooling to keep the pinned versions current.
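The three points above (write-scoped permissions, secrets reachable from pull-request contexts, and actions not pinned to a commit SHA) can be checked mechanically before a generated workflow is committed. The following checker is an added example, not ClawScan's or the skill's own code: it runs simple rules over the raw workflow text, so it needs no YAML parser, and it is run over two constructed workflows, one shaped like the templates quoted above and one hardened version of the same job. The rule names, both sample workflows, and the all-zero placeholder SHA are assumptions made for this example; in a real workflow the placeholder must be the commit SHA you verified for each action tag.

```python
"""Line-based static checks for a GitHub Actions workflow (added example).

Rules: UNPINNED_ACTION (uses: ref is not a 40-hex commit SHA), WRITE_PERMISSION
(a permissions scope that can change repository state), NO_PERMISSIONS_BLOCK
(no permissions: key, so GITHUB_TOKEN gets the repository default) and
SECRET_IN_PR_CONTEXT (a secrets.* reference in a workflow triggered by
pull_request_target). Rule names and sample workflows are constructed here.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, int, str]  # (rule_id, line_number, detail); line 0 = whole file

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s]+)")
PERM = re.compile(r"^\s*([a-z-]+):\s*(write|write-all)\s*$")
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
# Scopes that let a job modify repository state or publish artifacts.
# id-token is deliberately absent: OIDC needs id-token: write and it is not a repo write.
WRITE_SCOPES = {"permissions", "contents", "packages", "pull-requests", "actions", "deployments"}


def scan_workflow(text: str) -> List[Finding]:
    findings: List[Finding] = []
    has_permissions_key = False
    pr_target = False
    secret_refs: List[Tuple[int, str]] = []

    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()  # drop YAML comments
        if not line.strip():
            continue
        if line.strip().startswith("permissions:"):
            has_permissions_key = True
        if "pull_request_target" in line:
            pr_target = True

        m = USES.match(line)
        if m:
            ref = m.group(1)
            # Local (./path) and docker:// references are not marketplace actions.
            if not ref.startswith(("./", "docker://")):
                _, _, version = ref.partition("@")
                if not SHA40.match(version):
                    findings.append(("UNPINNED_ACTION", n, f"{ref} uses a mutable ref, not a commit SHA"))

        m = PERM.match(line)
        if m and m.group(1) in WRITE_SCOPES:
            findings.append(("WRITE_PERMISSION", n, f"{m.group(1)}: {m.group(2)} can modify repository state"))

        for s in SECRET_REF.finditer(line):
            secret_refs.append((n, s.group(1)))

    if not has_permissions_key:
        findings.append(("NO_PERMISSIONS_BLOCK", 0,
                         "no permissions: key; GITHUB_TOKEN falls back to the repository default"))
    if pr_target:
        # pull_request_target runs with the base repo's secrets against fork-supplied input.
        for n, name in secret_refs:
            findings.append(("SECRET_IN_PR_CONTEXT", n, f"secrets.{name} is reachable from a pull_request_target run"))
    return sorted(findings, key=lambda f: (f[1], f[0]))


# Constructed sample: shaped like the report's templates, plus a pull_request_target trigger.
WEAK = """\
on:
  push:
    tags: ['v*']
  pull_request_target:
permissions:
  contents: write
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - run: cargo build --release
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
      - uses: softprops/action-gh-release@v2
"""

PLACEHOLDER_SHA = "0" * 40  # assumption: stands in for the real commit SHA verified for each tag

# Constructed hardened version: read-only default, job-scoped write behind an environment, SHA pins.
HARDENED = f"""\
on:
  push:
    tags: ['v*']
permissions:
  contents: read
jobs:
  release:
    runs-on: ubuntu-latest
    environment: production
    permissions:
      contents: write
      id-token: write
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA}  # v4
      - uses: dtolnay/rust-toolchain@{PLACEHOLDER_SHA}  # stable
      - uses: Swatinem/rust-cache@{PLACEHOLDER_SHA}  # v2
      - run: cargo build --release
      - uses: softprops/action-gh-release@{PLACEHOLDER_SHA}  # v2
"""

if __name__ == "__main__":
    for label, wf in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for rule, line, detail in scan_workflow(wf):
            print(f"  L{line:<3} {rule:<22} {detail}")
```

The hardened workflow still reports one WRITE_PERMISSION finding, on the job-level contents: write, because a release job genuinely needs it; the point of the rule is to surface that scope for review, not to forbid it. The checker does not verify that a write-scoped job is gated by an environment with required reviewers, which is a repository setting rather than something visible in the workflow text.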
