ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Codeberg

v0.1.0

Interact with Codeberg using the `tea` CLI. Use `tea issue`, `tea pr`, `tea actions`, and `tea api` for issues, PRs, Actions, and advanced queries.

0· 1k·0 current·0 all-time
by@razzeee
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill advertises interacting with Codeberg via the 'tea' CLI and the SKILL.md only instructs using 'tea' subcommands (issues, PRs, actions, api). The declared install options (brew formula and go module for 'tea') are appropriate for providing the required binary.
Instruction Scope
Instructions stay within the stated purpose (running tea commands). Minor issues: examples use 'jq' for filtering but 'jq' is not listed as a required binary; the SKILL.md shows how to add a login token but does not document the necessary token scopes/permissions or warn about handling tokens securely.
Install Mechanism
Install options are standard package sources: Homebrew formula 'tea' and the upstream Go module 'code.gitea.io/tea@latest'. Neither is a URL download/extract from an untrusted host. Building via 'go' compiles local binary (expected for a CLI).
Credentials
The skill requests no environment variables or config paths. It instructs the user to provide a Codeberg token via 'tea login add'—this is appropriate and proportional to the skill's purpose (no unrelated credentials requested).
Persistence & Privilege
always is false and model invocation is allowed (default). The skill does not request persistent system-wide changes or access to other skills' configs in its instructions.
Assessment
This skill is coherent for interacting with Codeberg using the tea CLI, but review a few small items before installing: 1) The examples use 'jq' but jq isn't declared as a required binary—install jq if you plan to use those examples. 2) The skill shows how to add a Codeberg token; only provide a token you trust and limit its scope to the minimum permissions needed (e.g., read-only vs admin) and do not paste tokens into chat logs. 3) Installing via Homebrew or building the Go module will create a local binary—verify you trust those package sources (check the Homebrew formula and the Go module repo) before installing. 4) Some commands (e.g., actions secrets list) require elevated repo permissions and may reveal metadata about secrets (names) but not secret values; only run them if you have appropriate repository access. If you want more assurance, ask the publisher for a homepage/source URL or inspect the brew/go package contents before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cypmvpqq1sq3mp49wr63dan80v0mr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏔️ Clawdis
Binstea

Install

Install Tea CLI (brew)
Bins: tea
brew install tea
Install Tea CLI (go)
Bins: tea
go install code.gitea.io/tea@latest

Comments