Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Devops Platform Skill

Manage and query DevOps platform data, including applications, iterations, releases, and statistics via configured API access with user token authorization.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description match the code: this is a CLI to query a DevOps platform via a user-provided base URL and token. Requiring a base URL and token (stored in a config file) is proportionate. Minor mismatch: registry lists 'No install spec / instruction-only', but the package actually contains multiple executable JS files, package.json, package-lock.json and a setup.sh — not consistent with an instruction-only skill.
Instruction Scope
SKILL.md and the CLI commands are scoped to querying the described API endpoints and managing local config. However the project documentation and AI_BRAINSTORM_DOC state 'local encrypted storage' and security defaults; the actual JS code writes the token and baseUrl to a plaintext JSON file at ~/.devops-platform-config.json. That is a concrete mismatch between stated security behavior and implementation. The CLI also prints debug request URLs/params and full error responses which could reveal internal URLs/IDs; this increases information leakage risk.
Install Mechanism
No registry install spec was provided (metadata showed 'no install spec'), but INSTALL.md and package files indicate npm-based installation and copying into OpenClaw skills directory; a setup.sh (3035 bytes) is present. There are no remote download URLs in the reviewed files, so no obvious arbitrary external installer, but you should inspect setup.sh and package.json before running any install steps (setup.sh might perform operations requiring privilege).
Credentials
The skill does not request unrelated environment variables or external credentials in metadata. It legitimately needs a base API URL and a user token. Those are stored in a local config file rather than environment variables. That is proportionate — but see the storage/handling concern above (plaintext config).
Persistence & Privilege
The skill is not force-included (always:false) and does not request platform-wide privileges. Its persistent presence is limited to writing/reading a config file in the user's home directory (~/.devops-platform-config.json), which is expected for a CLI but should be understood as storing credentials on disk.
What to consider before installing
This skill appears to implement the documented DevOps API queries, but there are red flags you should address before installing or using it:

  • Do not assume the token is encrypted: the shipped JS writes the token in plaintext to ~/.devops-platform-config.json despite documentation claiming 'local encrypted storage'. Treat the saved token as sensitive and avoid using high-privilege tokens.
  • Inspect setup.sh and package.json before running any install or sudo/copy commands. setup.sh could run arbitrary commands with elevated privileges.
  • Because the package logs request URLs/parameters and full error responses, it can leak internal API paths and response bodies to stdout/stderr. Avoid running it in shared logs or CI without review.
  • If you decide to use it, run it in a controlled environment (VM/container) first and prefer a least-privilege token (read-only if possible). After testing, rotate the token you provided to limit exposure.
  • If you require stronger protection for the token, do not install until the author implements secure storage (encrypted at rest) or provide an alternative secret injection mechanism (OS keyring, env var managed by your secrets manager).

If you want, I can: (1) extract and show the contents of setup.sh and package.json; (2) point out exact lines where the token is written/read; or (3) recommend minimal hardening changes to the code (e.g., using OS keyring, avoid printing sensitive debug info).
Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

  • bin/devops-platform-enhanced.js:21
    Environment variable access combined with network send.
  • bin/devops-platform-simple.js:18
    Environment variable access combined with network send.
  • bin/devops-platform-v3-complete.js:21
    Environment variable access combined with network send.
  • bin/devops-platform-v3.js:21
    Environment variable access combined with network send.
  • [!] bin/devops-platform-enhanced.js:33
    File read combined with network send (possible exfiltration).
  • [!] bin/devops-platform-simple.js:30
    File read combined with network send (possible exfiltration).
  • [!] bin/devops-platform-v3-complete.js:33
    File read combined with network send (possible exfiltration).
  • [!] bin/devops-platform-v3.js:33
    File read combined with network send (possible exfiltration).

Current version v1.0.0

SKILL.md

DevOps Platform Skill

Manage the DevOps performance platform, with full access to the DevOps platform API.

Configuration

Before use, configure:

  1. The backend API address
  2. The user's Open Token

Features

📊 Application Management

  • Query the application list
  • Get application details
  • Filter applications by status

🔄 Iteration Management

  • Query the development iteration list
  • Query my development iteration list
  • Query the applications in an iteration
  • Favorite / unfavorite an iteration
  • Query the list of favorited iterations

📅 Release Management

  • Query the release window list
  • Query the release task list
  • Query the release record list
  • Query the staging environment application list

📈 Statistics

  • Platform statistics overview

Usage

Initialize configuration

devops-platform config --base-url <后端地址> --token <用户token>

Check configuration status

devops-platform status

Application commands

# Query the application list
devops-platform apps [--page <页码>] [--size <每页大小>] [--status <状态>]

# Get application details
devops-platform app-detail --id <应用ID>

# Query the staging environment application list
devops-platform staging-apps [--page <页码>] [--size <每页大小>]

Iteration commands

# Query the development iteration list
devops-platform iterations [--page <页码>] [--size <每页大小>] [--search <搜索词>] [--status <状态>]

# Query my development iteration list
devops-platform my-iterations [--page <页码>] [--size <每页大小>]

# Query the applications in an iteration
devops-platform iteration-apps --plan-id <迭代ID> [--page <页码>] [--size <每页大小>]

# Favorite an iteration
devops-platform favorite-iteration --plan-id <迭代ID>

# Unfavorite an iteration
devops-platform favorite-iteration --plan-id <迭代ID> --remove

# Query the list of favorited iterations
devops-platform favorites [--page <页码>] [--size <每页大小>]

Release commands

# Query the release window list
devops-platform pub-windows [--page <页码>] [--size <每页大小>] [--status <状态>] [--window-date <日期>]

# Query the release task list
devops-platform pub-tasks [--page <页码>] [--size <每页大小>] [--plan-id <迭代ID>] [--status <状态>]

# Query the release record list
devops-platform pub-records [--page <页码>] [--size <每页大小>] [--task-id <任务ID>] [--status <状态>]

Statistics

# Get platform statistics
devops-platform stats

Help

# Show all commands
devops-platform help-all

API Details

Based on the OpenAPI 3.0 specification; the following endpoints are supported:

Application management endpoints

  • GET /application/app/list - Query the application list
  • GET /application/app/{id} - Get application details

Iteration management endpoints

  • GET /publish/publishplan/list - Query the development iteration list
  • GET /publish/publishplan/myplanlist - Query my development iteration list
  • GET /publish/publishplan/applist - Query the applications in an iteration
  • POST /publish/publishplan/favorite - Favorite an iteration
  • POST /publish/publishplan/unfavorite - Unfavorite an iteration
  • GET /publish/publishplan/myfavoritelist - Query the list of favorited iterations
  • GET /publish/publishplan/stagingapplist - Query the staging environment application list

Release management endpoints

  • GET /publish/pubwindow/list - Query the release window list
  • GET /publish/pubtask/list - Query the release task list
  • GET /publish/pubrecord/list - Query the release record list

Request headers

All endpoints require the following request headers:

  • authorization: Bearer {用户token}
  • from: openapi
  • content-type: application/json

Error handling

  • When configuration is missing, the user is prompted to configure first
  • Network errors show detailed error information
  • API errors show the status code and response data
  • A request timeout is supported (15 seconds)
