Sigmaflow Deploy
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: sigmaflow-deploy Version: 1.0.0 The skill bundle contains a hardcoded GitLab authentication token (c865b793f09a3b79b65ebdfbd75c5b17395188d2) in both SKILL.md and scripts/deploy.sh. While the documentation explicitly acknowledges this security risk and the script targets a local 'homelab' environment, embedding plaintext credentials and passing them via URLs are high-risk practices that facilitate credential exposure. No clear evidence of intentional malice or exfiltration of the user's local secrets was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with access to the skill can recover or reuse the token to push to the SigmaFlow repository, and the token may also leak through process listings, logs, or network exposure.
The script embeds a repository token and uses it to authenticate Git pushes. This grants write authority without per-user authorization or secret management, and the token is placed in an HTTP URL.
TOKEN="c865b793f09a3b79b65ebdfbd75c5b17395188d2" ... git push "http://$TOKEN@git.homelab:3000/vitali/SigmaFlow-Svelte.git" "$BRANCH"
Rotate the exposed token, remove it from the skill, require a user-provided secret or OAuth flow, use HTTPS, and limit the token to the minimum required repository permissions.
Unintended local changes or generated files could be committed and pushed to the main branch, potentially triggering deployment or CI/CD changes for the trading frontend.
The default behavior stages every changed file, commits automatically, and pushes to main unless a branch is supplied. There is no built-in confirmation, diff review, file allowlist, or merge-request workflow.
BRANCH="${2:-main}" ... git add . ... git commit -m "$COMMIT_MESSAGE" ... git push "http://$TOKEN@git.homelab:3000/vitali/SigmaFlow-Svelte.git" "$BRANCH"Add a dry-run mode, require explicit user confirmation after showing the diff, restrict staged paths, avoid pushing directly to main by default, and prefer merge requests or protected branch workflows.
Running the deployment can execute code from the repository and its npm dependencies.
The script runs package installation and build commands from the cloned repository. This is expected for a SvelteKit deployment workflow, but it executes repository and dependency scripts on the local machine.
npm install ... npm run build
Run the script only in a trusted, isolated environment, review package scripts and lockfiles, and pin or audit dependencies before deployment.