DevPlaza SDLC Tool Chain Setup
Review
Audited by ClawScan on May 14, 2026.
Overview
This is a coherent instruction-only DevPlaza admin setup skill, but it handles sensitive credentials and can change or delete toolchain bindings, so users should confirm scope carefully.
Install only if you intend an agent to help configure DevPlaza SDLC toolchain bindings. Check that any .env credentials, JWTs, passwords, and provider tokens are scoped to the correct tenant and project, and review every create, update, or delete confirmation before approving it.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may authenticate to DevPlaza using local credentials and operate with admin-level setup permissions.
The skill may use local authentication/session secrets and tenant/product/project identifiers to operate as a Team Admin or Company Admin. This is relevant to the stated setup purpose, but users should recognize it as sensitive account authority.
Read `.env` first for `BASE_URL`, `JWT`, `AUTH_EMAIL`, `AUTH_PASSWORD`, `TENANT_ID`, `PRODUCT_ID`, `PROJECT_ID`.
Use least-privileged admin credentials, ensure the .env file is intended for this tenant/project, and avoid sharing or exposing JWTs, passwords, or provider tokens.
A confirmed action could change the SDLC toolchain for a product/project or permanently remove a binding.
The skill documents API operations that create, update, and permanently delete DevPlaza tool bindings. These operations are expected for toolchain setup and include explicit confirmation requirements, but they can materially change project configuration.
`POST /api/v1/product/task-tools/`, `PUT /api/v1/product/task-tools/:id`, and `DELETE /api/v1/product/task-tools/:id` ... `Always ask explicit confirmation with binding name + id before deleting. Permanent — cannot be undone.`
Before confirming any write or delete, verify the tenant, product, project, tool, binding name, and binding ID.
Provider API keys or tokens may be validated and saved into DevPlaza configuration.
The skill collects and stores provider credentials as part of task-tool binding setup, while also instructing the agent to mask them. This is purpose-aligned but involves sensitive third-party account access.
`toolsConfig` — provider credentials object ... `Never print credentials (apiToken, botToken, apiKey, appKey, token) in responses. Mask all credential values in output.`
Provide only credentials intended for DevPlaza integration, prefer scoped/rotatable tokens, and confirm that masked credentials are not printed in responses.
