Gitea

Pass

Audited by ClawScan on May 1, 2026.

Overview

This is a coherent Gitea CLI helper, but it relies on a local Gitea token and broad tea/API commands that users should scope carefully.

This skill appears appropriate for working with Gitea through the official Tea CLI. Before installing, make sure you trust the `tea` CLI source, use a least-privilege Gitea token, and ask the agent to keep API calls and repository actions narrowly scoped to the task.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used with a broad token, the agent may be able to read or act on many Gitea resources available to that account.

Why it was flagged

The skill explicitly instructs the user to configure a Gitea token, giving the CLI delegated access to whatever repositories and actions that token permits.

Skill content

tea login add --name my-gitea --url https://gitea.example.com --token <your-token>

Recommendation

Use a least-privilege Gitea token, choose a scoped login intentionally, and review any write or administrative actions before allowing them.

What this means

A broadly scoped API command could access Gitea data outside the specific issue or pull request the user had in mind.

Why it was flagged

The skill exposes a broad API command beyond the narrower issue, PR, and Actions workflows. This is purpose-aligned, but it can reach more repository or account data than the examples show.

Skill content

The `tea api` command is useful for accessing data not available through other subcommands.

Recommendation

Prefer narrow `tea issue`, `tea pr`, and `tea actions` commands when possible, and use `tea api` only with explicit endpoints and user intent.

What this means

The installed CLI version may vary depending on when installation occurs.

Why it was flagged

One install path fetches the latest version of the external Tea CLI rather than a pinned version. Installing the CLI is central to the skill, but the exact installed version may change over time.

Skill content

"module": "code.gitea.io/tea@latest"

Recommendation

Install `tea` from a trusted package manager and consider pinning or verifying the version in sensitive environments.