maven-central-publish
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches a Maven Central publishing workflow, but its settings template unexpectedly redirects Maven dependency downloads through an Aliyun mirror while also handling publishing and signing credentials.
Before using this skill, review the template files rather than copying them blindly. Remove the Aliyun Maven mirror unless you intentionally trust it, keep publishing and GPG credentials out of source control, and use the recommended manual review step before publishing artifacts.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1: Future builds may download dependencies and plugins through an unexpected third-party repository mirror, changing the trust and provenance of build inputs.
The settings template redirects Maven Central dependency resolution to a third-party mirror. This is not described in SKILL.md and can persistently affect future Maven builds if copied to ~/.m2/settings.xml.
Evidence: <mirror><id>aliyunmaven</id><mirrorOf>central</mirrorOf><url>https://maven.aliyun.com/repository/public</url></mirror>
Recommendation: Remove the Aliyun mirror unless you intentionally need and trust it, or clearly disclose it and limit the setting to projects where it is required.
Finding 2: Anyone who can read this settings file may be able to misuse publishing credentials or the signing key passphrase.
The workflow asks users to place Central Portal publishing credentials and a GPG signing passphrase in Maven settings. This is purpose-aligned for publishing but grants sensitive signing and release authority.
Evidence: <username>USER_TOKEN_USERNAME</username> ... <password>USER_TOKEN_PASSWORD</password> ... <gpg.passphrase>YOUR_GPG_PASSPHRASE</gpg.passphrase>
Recommendation: Use least-privilege Central tokens, protect ~/.m2/settings.xml permissions, avoid committing it, and consider Maven password encryption or CI secret storage.
Finding 3: Running the command can upload artifacts to your Maven Central staging/deployment area and may lead to public release after approval.
The skill instructs Maven to deploy artifacts to the Central Portal. This is expected for the skill, and autoPublish=false provides a manual review step before final publication.
Evidence: Run the deploy command with the `release` profile active: `mvn clean deploy -P release` ... `<autoPublish>false</autoPublish>`
Recommendation: Run deployment only from the intended project, verify artifact coordinates and contents first, and keep autoPublish=false for initial releases.
