Gitea Workflow Dispatch
Trigger Gitea/Forgejo workflow_dispatch via API.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 279 · 0 current installs · 0 all-time installs
byTom@Qizhou-Guo
MIT-0
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
Name/description, required env vars (GITEA_URL, GITEA_TOKEN), inputs, and index.js behavior align with a Gitea workflow dispatcher. The code constructs the expected Gitea API URL and sends an Authorization header with the provided token, which is proportionate to the stated purpose.
Instruction Scope
SKILL.md and metadata declare only 'node' as a required binary, but index.js spawns the external 'curl' command to perform the HTTP request. The instructions/examples do not mention curl or network behavior beyond the Gitea URL. The skill will execute a child process and inherit the agent's full environment when spawning curl, which is not documented in the SKILL.md.
Install Mechanism
No install spec or remote downloads are present; this is an instruction-only skill with a small included index.js file. Nothing is fetched from arbitrary URLs or installed at runtime by the skill package itself.
Credentials
Only GITEA_URL and GITEA_TOKEN are required and declared as the primary credential — these are appropriate for calling a Gitea API. The code uses the token only to set the Authorization header to the provided GITEA_URL endpoint. No unrelated secrets are requested.
Persistence & Privilege
The skill is not always-enabled and doesn't request elevated/persistent system privileges or modify other skills. It simply runs when invoked.
What to consider before installing
This skill appears to do what it says (trigger a Gitea/Forgejo workflow) and only needs GITEA_URL and GITEA_TOKEN. However, index.js uses spawn('curl', ...) even though the metadata and SKILL.md only list 'node' as a required binary — you should not install or use the skill until that mismatch is resolved. Actionable precautions:
- Ensure the runtime has curl installed and available on PATH, or update the skill to use a Node HTTP library instead of spawning curl.
- Be aware the skill will send your GITEA_TOKEN to whatever GITEA_URL you configure; only use tokens with the minimal required scope and point GITEA_URL at a trusted server.
- Test first with dryRun: true to inspect the request object without transmitting the token.
- Note that the spawned curl process inherits the agent's environment; avoid running the skill in contexts where other sensitive env vars might be present, or sandbox it.
If you do not control or trust the skill source, prefer reviewing or replacing the implementation (e.g., using native Node HTTP calls) before providing a real GITEA_TOKEN.Like a lobster shell, security has layers — review code before you run it.
Current versionv0.1.2
Download ziplatest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🚀 Clawdis
Binsnode
EnvGITEA_URL, GITEA_TOKEN
Primary envGITEA_TOKEN
SKILL.md
Gitea Workflow Dispatch
Trigger Gitea/Forgejo workflow_dispatch via API.
Environment Variables
GITEA_URL- Gitea API URL (e.g.,http://8.137.50.76:10000)GITEA_TOKEN- Gitea API token
Usage
node -e "
const dispatch = require('~/.openclaw/skills/gitea-workflow-dispatch/index.js');
dispatch({
owner: 'gg',
repo: 'web3-mini-game',
workflow: 'deploy-vercel.yml',
ref: 'master'
}).then(r => console.log(r.status, r.ok)).catch(console.error);
"
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| owner | string | ✅ | Repository owner |
| repo | string | ✅ | Repository name |
| workflow | string | ✅ | Workflow file name |
| ref | string | ❌ | Git ref (default: master) |
| inputs | object | ❌ | Workflow inputs |
| dryRun | boolean | ❌ | Test without sending |
Files
4 totalSelect a file
Select a file to preview.
Comments
Loading comments…