ClawHub

Secure Deployment Pipeline

v1.0.0

Secure a software deployment pipeline against supply chain attacks from benign insiders (mistakes), malicious insiders, and external attackers: map pipeline...

0· 99·0 current·0 all-time
byHung Quoc To@quochungto
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name and description promise a pipeline security assessment and hardening roadmap; the skill is instruction-only and requests no binaries, installs, or credentials — which is appropriate for a purely advisory / assessment skill. The listed dependency on a 'secure-code-review' control is consistent with the documented workflow.
Instruction Scope
SKILL.md confines itself to eliciting pipeline_description and threat_context inputs and then producing threat–mitigation mappings, provenance requirements, policies, and a hardening plan. It does not instruct reading arbitrary files, accessing environment variables, or exfiltrating data. The instructions are prescriptive and scoped to CI/CD security tasks.
Install Mechanism
No install spec and no code files are present. Because the skill is instruction-only, nothing is written to disk or fetched at install time — this is the lowest-risk install footprint and matches the skill's advisory nature.
Credentials
The skill declares no required environment variables, credentials, or config paths. That is proportionate for an assessment/advisory skill and avoids unnecessary access to secrets or external services.
Persistence & Privilege
always is false and disable-model-invocation is false (normal). The skill does not request persistent presence or elevated system privileges. Autonomous invocation is allowed by default for skills and does not by itself increase risk here.
Assessment
This skill appears to be a safe, instruction-only advisory for securing CI/CD pipelines. Before using it: (1) avoid pasting secrets, credentials, or full config files into the pipeline_description or threat_context inputs (the skill does not need secrets to produce architectural recommendations); (2) verify the public GitHub homepage content if you want provenance of the guidance or to confirm the dependency on secure-code-review; (3) treat the output as expert guidance to be reviewed by your security team — do not treat automated recommendations as operational changes without human validation. If you expect the agent to analyze live pipeline configurations, prefer providing redacted diagrams or a high-level description rather than production secrets or service account keys.

Like a lobster shell, security has layers — review code before you run it.

bookforgevk97ezvkbh4bf29408tmbgc1tn584hdehlatestvk97ezvkbh4bf29408tmbgc1tn584hdehtags:vk97ezvkbh4bf29408tmbgc1tn584hdeh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📚 Clawdis

Comments