Codeberg
Review: Audited by ClawScan on May 1, 2026.
Overview
This is a coherent Codeberg CLI helper, but users should use a least-privilege Codeberg token and review broad API or Actions commands before running them.
Before installing, make sure `tea` comes from a trusted source, create a dedicated least-privilege Codeberg token, and review any `tea api` or Actions/secrets command before allowing it to run.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the token is broad, the agent and tea CLI could access or act on more Codeberg resources than intended.
The skill expects a user-provided Codeberg token and configured login. This is purpose-aligned for Codeberg access, but the token grants whatever repository or account permissions the user gives it.
tea login add --name codeberg --url https://codeberg.org --token <your-token>
Use a dedicated least-privilege Codeberg token, limit repository scopes where possible, and avoid sharing command output that may reveal account or login details.
A broad API command may expose repository or account data beyond a narrow issue or PR lookup if used carelessly.
The raw API command is intentionally broad and useful for advanced Codeberg queries. It is purpose-aligned, but it bypasses narrower issue/PR subcommands and depends on the token's permissions.
The `tea api` command is useful for accessing data not available through other subcommands.
Review `tea api` endpoints and options before use, prefer narrower `tea` subcommands when they are sufficient, and ask for confirmation before any non-read-only operation.
The agent may display sensitive repository configuration metadata to the conversation if asked to run this command.
The skill includes an Actions command for listing repository secrets. This is consistent with CI/CD management, but secret names or related metadata can still be sensitive.
tea actions secrets list --repo owner/repo
Only run Actions secrets or variables commands for repositories where the user intends to inspect CI/CD configuration, and avoid exposing results unnecessarily.
Different users or install times may receive different tea CLI versions.
The Go install path uses a floating @latest version. Installing tea is central to the skill, but this does not pin the exact version that will be installed.
"module": "code.gitea.io/tea@latest"
Prefer the packaged Homebrew formula or pin a known-good tea version if reproducible installation is important.
