Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CI/CD Templates Generator

v1.0.0

Generate production-ready CI/CD workflow files for GitHub Actions, GitLab CI, or Jenkins tailored to chosen language, framework, tests, deploy, and release o...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the code and SKILL.md: included Python package files implement generators for GitHub Actions, GitLab CI and Jenkins and the CLI supports the documented flags. Required resources (none) are proportionate to the stated purpose.
Instruction Scope
SKILL.md instructs the agent to generate and optionally write CI/CD workflow files — that matches the code. However, the generated templates contain steps that run external network commands (e.g., curl | bash for Codecov and GoReleaser) and many placeholders for CI secrets; while expected for CI configs, these steps will execute arbitrary remote code in a CI environment if the user commits them without inspection.
Install Mechanism
This is an instruction-first skill with no install spec. The package files present implement a pure-Python generator and require only pyyaml per setup.py — no unusual download/install behavior in the skill itself.
Credentials
The skill requests no environment variables at install/runtime. Generated outputs reference many CI secret variables (DOCKERHUB_TOKEN, CODECOV_TOKEN, AZURE_CREDENTIALS, AWS_ACCESS_KEY_ID, NPM_TOKEN, CI_REGISTRY_* etc.). Those are expected placeholders for CI pipelines, but they mean the produced workflows assume access to potentially sensitive credentials in the CI environment — users should not copy these into untrusted repos or expose secrets without review.
Persistence & Privilege
The always flag is false, agent invocation is normal, and there are no indications the skill modifies other skills or system-wide configs. It only writes files into project directories when asked.
What to consider before installing
This skill appears to do what it says: generate CI/CD workflow files. Before using or committing generated files, inspect them carefully — especially any step that downloads and executes remote scripts (e.g., 'curl | bash') and any use of secrets/placeholders. Prefer --print-only to review output locally, run generated workflows in a safe/test repository or branch, and replace generic secret placeholders with properly scoped CI secrets. If you do not want remote installers in your pipelines, search for and remove any 'curl ... | bash' or similar lines (Codecov and GoReleaser appear in templates). If you need higher assurance, run the unit tests locally and review the generator source (it is included) before installation.
