Azure DevOps
v1.0.0
List Azure DevOps projects, repositories, and branches; create pull requests; manage work items; check build status. Use when working with Azure DevOps resources, checking PR status, querying project structure, or automating DevOps workflows.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the contained curl/jq commands for listing projects/repos/branches, creating PRs, and checking build/PR status. Requested binaries (curl, jq) are appropriate for the described work.
Instruction Scope
SKILL.md instructs the agent to read and write ~/.openclaw/openclaw.json (store the PAT and AZURE_DEVOPS_ORG) and to prompt the user for missing values. That is persistent storage of a secret and is not declared in the registry metadata; the instructions also require AZURE_DEVOPS_ORG though it is not listed as a required env var in the skill metadata.
Install Mechanism
Instruction-only skill with no install spec or downloads. Lowest install risk — nothing is written to disk by an installer other than what the agent is asked to do at runtime.
Credentials
Metadata declares only AZURE_DEVOPS_PAT as required, but SKILL.md also requires AZURE_DEVOPS_ORG. The skill directs storing AZURE_DEVOPS_PAT to disk for persistent use; storing a PAT is sensitive and should be justified and documented (scopes, storage protection). No unrelated credentials requested.
Persistence & Privilege
The skill asks to write entries into ~/.openclaw/openclaw.json (its own agent config). Writing to its own config is a normal install-time behavior, but because this involves persisting a secret (PAT) the skill should have declared this config path and explained storage/permissions. always:false and normal invocation are appropriate.
What to consider before installing
This skill appears to do what it says (call Azure DevOps REST APIs via curl), but there are a few mismatches and privacy concerns you should consider before installing:
- Metadata vs instructions: The registry only lists AZURE_DEVOPS_PAT, but the SKILL.md also requires AZURE_DEVOPS_ORG and instructs writing both into ~/.openclaw/openclaw.json. Confirm the skill metadata is updated to declare AZURE_DEVOPS_ORG and the config path.
- Secret persistence: The skill asks to store your Personal Access Token on disk. Prefer using a PAT with the minimum required scopes, ensure the file (~/.openclaw/openclaw.json) has strict filesystem permissions, or provide the PAT via environment variable at runtime instead of persistent storage.
- Unknown source: The skill source/homepage is unknown. Consider whether you trust this package before giving it long-lived credentials.
- Safer alternatives: If you only need occasional commands, prefer supplying AZURE_DEVOPS_PAT and AZURE_DEVOPS_ORG as ephemeral environment variables for the session instead of storing them. If you proceed, review the contents and permissions of ~/.openclaw/openclaw.json after the skill stores credentials.
If you want, I can suggest safer wording for the SKILL.md (declare the AZURE_DEVOPS_ORG env, explicitly require/configure the config path, and note recommended PAT scopes and file-permission guidance).
Like a lobster shell, security has layers — review code before you run it.
latestvk9789zgcxf1f515hdhgdp3ad0980vaq4
Runtime requirements
☁️ Clawdis
Bins: curl, jq
Env: AZURE_DEVOPS_PAT
Primary env: AZURE_DEVOPS_PAT
