Forgejo
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent Forgejo CLI helper, but users should give it a limited Forgejo token because the skill can access repository, Actions, and API data through the tea CLI.
Before installing, make sure tea comes from a trusted source, use a dedicated low-privilege Forgejo token, and be careful with tea api and Actions commands because they can access repository and CI/CD information allowed by that token.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the token has broad permissions, the agent could access or act on Forgejo repositories within that token's scope when asked to use this skill.
The skill expects a user-provided Forgejo token and then uses that configured login for tea commands, meaning actions run with whatever account and repository permissions that token has.
tea login add --name my-forgejo --url https://forgejo.example.com --token <your-token>
Use a dedicated, least-privilege Forgejo token and avoid admin or organization-wide tokens unless truly needed.
The agent may retrieve repository CI/CD configuration or other API data if the user requests those operations and the token allows them.
The documented commands can access Actions configuration metadata and arbitrary Forgejo API paths. This is aligned with the skill's Forgejo administration purpose, but it is broader than simple issue or pull request viewing.
tea actions secrets list --repo owner/repo ... The `tea api` command is useful for accessing data not available through other subcommands.
Review repository and login targets before running Actions or API commands, and require explicit confirmation for any write, delete, merge, secret, or administrative operation.
A future upstream CLI change could alter behavior compared with what was reviewed here.
The Go install path uses @latest, so the installed tea CLI version is not pinned. Installing tea is expected for this skill, but the exact code may change over time.
go | module: code.gitea.io/tea@latest | creates binaries: tea
Prefer a trusted package source and pin or record the tea version in controlled environments.
