Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jenkins Executor Skill

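A full-lifecycle Jenkins job management tool. It supports listing jobs, triggering remote builds, querying build status in real time, fetching full build logs, and forcibly terminating running builds. It is suited to CI/CD automation, release pipelines, and operations automation.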

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 11 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
high confidence
Purpose & Capability
The code and requirements align with a Jenkins management tool (uses jenkinsapi, exposes job/list/trigger/status/log/stop). However, SKILL.md instructs the user to provide JENKINS_URL/JENKINS_USER/JENKINS_TOKEN via environment variables, while the actual implementation reads credentials from a local config.json file. requirements.txt includes python-dotenv (suggesting env var support) but the code does not use it. This mismatch is incoherent and could cause incorrect deployment or inadvertent credential storage.
Instruction Scope
SKILL.md tells the agent to use environment variables and Basic Auth against Jenkins — which is appropriate — but the runtime instructions are inconsistent with the shipped code: the code ignores environment variables and instead reads config.json inside the skill. The skill's instructions do not mention config.json, so an operator following the docs may think credentials are safe in env vars while the skill will instead attempt to read (and possibly require writing) a local config file.
Install Mechanism
This is an instruction-only skill with a requirements.txt listing openclaw-sdk, jenkinsapi, and python-dotenv. There is no install spec in the package, but installing requirements from PyPI is a likely step; pulling jenkinsapi from PyPI is expected for this functionality (moderate risk). No downloads from arbitrary URLs or extract operations are present.
Credentials
Registry metadata declares no required env vars, yet SKILL.md requests JENKINS_URL/JENKINS_USER/JENKINS_TOKEN. The code instead expects credentials in config.json (base_url/username/api_token). This mismatch increases the risk that credentials will be stored in the skill directory (config.json) or otherwise handled in an unexpected way. The requested permissions (network access) are appropriate for Jenkins interaction.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global settings. It reads a local config.json bundled with the skill and does not appear to persist additional system-wide changes. No elevated persistent privileges are requested.
What to consider before installing
  • Do not assume credentials are read from environment variables: this skill's code reads credentials from a local config.json (base_url, username, api_token), while the SKILL.md tells you to set JENKINS_URL/JENKINS_USER/JENKINS_TOKEN. Ask the publisher which config method is authoritative and confirm where credentials will be stored.
  • Avoid placing real Jenkins credentials into the skill package. If the skill requires config.json, do not commit credentials into the package; instead store the file securely on the host with strict permissions or modify the code to read env vars.
  • Use a least-privilege Jenkins account (service account / token) when granting access. Prefer tokens with limited scopes and separate accounts per integration.
  • The requirements pull jenkinsapi from PyPI (expected). Verify that your deployment environment installs dependencies from trusted registries and that you are comfortable installing those packages.
  • Because the publisher/source is unknown, review or run the code in an isolated environment first. If you want the documented env-var behavior, consider modifying the skill to read environment variables (or request the maintainer to fix SKILL.md to match the implementation). If you cannot confirm or fix the config mismatch, treat this skill as risky for production use due to potential accidental credential exposure or misconfiguration.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latestvk974e0q3hc47g96eakt4sp9csx839zbs


SKILL.md

Jenkins Executor Skill

Fully featured; connects directly to the Jenkins API for job management

Dependencies: Python 3.x + the requests library

Required configuration: JENKINS_URL, JENKINS_USER, JENKINS_TOKEN

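Core features

  1. List Jenkins jobs

    • Lists every job's name, URL, whether it is buildable, and its current status
    • Supports pagination and full retrieval
  2. Trigger a Jenkins job build

    • Supports parameterized builds
    • Supports triggering jobs without parameters directly
    • Returns the build queue number and the build URL
  3. Query a job's latest build status

    • Supports querying: build number, status, result, execution time, and the user who ran it
    • Supports the SUCCESS / FAILURE / ABORTED / BUILDING states
  4. Fetch build logs

    • Supports fetching the full console log
    • Supports incremental logs and full-text logs
    • Handles encoding and line-ending formats automatically
  5. Stop a running build

    • Forcibly terminates a build that is currently executing
    • Supports stopping precisely by job name + build number
    • Returns the stop result and the status change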

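Configuration requirements

Configure the following in environment variables:

  • JENKINS_URL: the Jenkins address (for example http://192.168.1.100:8080)
  • JENKINS_USER: the Jenkins login username
  • JENKINS_TOKEN: the Jenkins user token (a password also works, but is not recommended)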

Interface notes

All features are implemented through the Jenkins REST API, authenticate with HTTP Basic Auth, and support all Jenkins versions 2.250+.

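Error handling

  • Network unreachable: returns a connection-failure message
  • Authentication failure: returns 401 Unauthorized
  • Job does not exist: returns 404 job not found
  • Build already finished: cannot be stopped; returns a status message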

Files

4 total