Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Circleci
v1.0.0
CircleCI CI/CD — manage pipelines, workflows, jobs, and insights via REST API
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description match the code and declared requirement (CIRCLECI_TOKEN). The CLI implements pipeline, workflow, job, insights, contexts, and env-var endpoints on the CircleCI v2 API, which is coherent with the stated purpose.
Instruction Scope
SKILL.md describes the CLI commands precisely. The bundled script will also attempt to read CIRCLECI_TOKEN from an .env file at WORKSPACE or ~/.openclaw/workspace/.env if the environment variable is not set; this behavior is not documented in SKILL.md (minor mismatch) but is limited to credential lookup only. The CLI accepts full URLs for requests (path starting with "http"), which is a flexible feature but could be used to target non-CircleCI endpoints if a caller supplies such a URL.
Install Mechanism
No install spec; instruction-only skill with a single stdlib Python script. No external downloads or package installs are performed.
Credentials
Only CIRCLECI_TOKEN is required (declared as primaryEnv). The script's fallback to reading an .env in WORKSPACE or ~/.openclaw/workspace is reasonable for convenience but means a local file can supply the token even if not exported — this filesystem access is not declared in the manifest.
Persistence & Privilege
always is false and no config paths are declared. The skill does not request permanent/privileged platform presence or modify other skills' configs.
Assessment
This appears to be a straightforward CircleCI CLI and is coherent with its declared purpose. Before installing, check these points: (1) supply a CircleCI token with the least privilege needed (avoid using an all-scopes personal token); (2) be aware the script will try to read CIRCLECI_TOKEN from WORKSPACE or ~/.openclaw/workspace/.env if the env var is absent — remove or audit any .env files you do not trust; (3) the CLI supports full-URL requests, so only run commands you trust (avoid passing arbitrary URLs that could send your token to other endpoints); (4) the skill is instruction-only and uses only Python stdlib, but it comes from an unverified source — if you need higher assurance, review the full script locally or run it in an isolated environment.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🔄 Clawdis
Env: CIRCLECI_TOKEN
Primary env: CIRCLECI_TOKEN
