Sigmaflow Deploy
Warn. Audited by ClawScan on May 10, 2026.
Overview
This deployment skill matches its stated purpose, but it embeds a GitLab write token and can commit and push all local changes to the main branch, so it needs careful review before use.
Install or run this only if you own the SigmaFlow repository and understand that it can write to the GitLab repo. Rotate the exposed token, replace it with a properly managed secret, review the exact diff before pushing, and run the build in a controlled environment.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with access to the skill can recover or reuse the token to push to the SigmaFlow repository, and the token may also leak through process listings, logs, or network exposure.
The script embeds a repository token and uses it to authenticate Git pushes. This grants write authority without per-user authorization or secret management, and the token is placed in an HTTP URL.
TOKEN="c865b793f09a3b79b65ebdfbd75c5b17395188d2" ... git push "http://$TOKEN@git.homelab:3000/vitali/SigmaFlow-Svelte.git" "$BRANCH"
Rotate the exposed token, remove it from the skill, require a user-provided secret or OAuth flow, use HTTPS, and limit the token to the minimum required repository permissions.
Unintended local changes or generated files could be committed and pushed to the main branch, potentially triggering deployment or CI/CD changes for the trading frontend.
The default behavior stages every changed file, commits automatically, and pushes to main unless a branch is supplied. There is no built-in confirmation, diff review, file allowlist, or merge-request workflow.
BRANCH="${2:-main}" ... git add . ... git commit -m "$COMMIT_MESSAGE" ... git push "http://$TOKEN@git.homelab:3000/vitali/SigmaFlow-Svelte.git" "$BRANCH"
Add a dry-run mode, require explicit user confirmation after showing the diff, restrict staged paths, avoid pushing directly to main by default, and prefer merge requests or protected branch workflows.
Running the deployment can execute code from the repository and its npm dependencies.
The script runs package installation and build commands from the cloned repository. This is expected for a SvelteKit deployment workflow, but it executes repository and dependency scripts on the local machine.
npm install ... npm run build
Run the script only in a trusted, isolated environment, review package scripts and lockfiles, and pin or audit dependencies before deployment.
