Gitea Actions

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its Gitea Actions purpose, but it can start workflows by default and handles an undeclared API token in ways users should review before installing.

Install only if you intend to let this skill trigger workflows in your Gitea/Forgejo repositories. Use your own HTTPS Gitea URL, a least-privilege token, and review any dispatch request before allowing it to run.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or autonomous call that omits the action but includes workflow details could start CI/CD jobs or deployments unexpectedly.

Why it was flagged

The mutating workflow-dispatch path is selected by default when action is omitted and performs a POST to the dispatch endpoint.

Skill content

const action = input.action || "dispatch"; ... "-X", "POST", ... url, "-d", body

Recommendation

Require action: "dispatch" explicitly, add user confirmation for workflow dispatches, and document allowed owner/repo/workflow/ref scopes.

What this means

Users may not be clearly warned that they are granting repository workflow authority, and using an http URL could expose the token in transit.

Why it was flagged

The skill requires a sensitive API token and gives a non-HTTPS URL example, while registry metadata declares no env vars or primary credential.

Skill content

- `GITEA_URL` - Gitea API URL (e.g., `http://8.137.50.76:10000`)
- `GITEA_TOKEN` - Gitea API token

Recommendation

Declare GITEA_TOKEN and GITEA_URL in metadata, recommend HTTPS-only URLs, and instruct users to use a least-privilege token limited to the intended repositories and workflow actions.

What this means

The skill depends on the local curl binary and PATH environment; if curl is missing or replaced, the skill may fail or run unexpected local code.

Why it was flagged

The skill launches a local curl process to perform API requests; this is aligned with the purpose but is not reflected in the declared requirements.

Skill content

const { spawn } = require("node:child_process"); ... const p = spawn("curl", args, { env: process.env });

Recommendation

Declare curl as a required binary or replace it with a built-in Node HTTP client, and continue avoiding shell-string execution.