DevPlaza SDLC Process Guardian
Review
Audited by ClawScan on May 14, 2026.
Overview
The skill is mostly coherent for DevPlaza workflow automation, but it tells the agent to read local .env credentials at session start even though it declares no credential or environment-variable requirements.
Review the skill's credential behavior before installing. If you use it, run it only in a workspace whose .env file contains DevPlaza-specific, least-privilege credentials, and verify every run or deploy trigger before approving it.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could read and use DevPlaza credentials from the user's local workspace before explicitly asking, and users may not realize this from the install metadata.
This directs the agent to access local credential material automatically, including JWTs or username/password authentication, while the registry metadata declares no required env vars or primary credential.
At session start, resolve runtime config from local workspace files before asking the user. Read `.env` first... If `.env` already contains `BASE_URL` and auth (`JWT` or `AUTH_EMAIL` + `AUTH_PASSWORD`), do not ask for them again.
Declare the expected credential variables in metadata, ask before reading .env files, limit parsing to the specific DevPlaza keys, and recommend a least-privilege DevPlaza token instead of account passwords.
If used, the skill may start DevPlaza runs or deployment-stage tooling under the user's account, which can affect real projects.
The skill can perform write or trigger operations against DevPlaza workflows, including deployment-related actions, but it also includes user-intent and confirmation guardrails.
Prefer read-first behavior unless user explicitly asks for a write/trigger operation. Require explicit confirmation before production-impacting actions.
Users should confirm the target tenant, product, stage, and environment before allowing trigger or deploy actions.
A SonarQube API token may be used during governance checks, so improper configuration or logging could expose access to code-quality data.
The skill handles a SonarQube API token from task-tool configuration and sends it to a DevPlaza product endpoint for governance evaluation. This appears purpose-aligned, but it is sensitive token handling.
SonarQube tools use a separate evaluation path: call `POST /api/v1/product/sonarqube/last/status` with `{ componentId, link, apiToken }` from task-tool config.
Keep SonarQube tokens scoped to read-only status checks where possible and ensure outputs never include the token.
