ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

devopsellence

Install the devopsellence CLI, initialize project config, deploy the current app, inspect status, and manage secrets or bring-your-own nodes from OpenClaw.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 28 · 0 current installs · 0 all-time installs
byElvin Efendi@elvinefendi
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the instructions: this is a helper for the devopsellence CLI to init, deploy, inspect status, manage secrets, and assign nodes. That functionality reasonably explains the commands shown. One minor note: the skill does not declare any required credentials despite covering secrets and node bootstrapping; the CLI will likely request credentials at runtime, which is not surfaced in the skill metadata.
!
Instruction Scope
The SKILL.md instructs the agent/user to run devopsellence commands in the user's project directory and to manage secrets and nodes. Most steps are scoped to the deployment task, but the doc also tells the user to run a remote installer via 'curl -fsSL https://www.devopsellence.com/lfg.sh | bash' and to bootstrap/assign nodes — both of which can execute arbitrary code on the host and may change host configuration or run long‑lived agents. The instructions do remind the user to avoid leaking secrets, but they give broad discretion to install and run code from the vendor without guidance to verify the installer.
!
Install Mechanism
There is no formal install spec in the skill metadata; the SKILL.md recommends piping a script from the vendor website directly into bash. Download-and-pipe installs are high risk because they execute remote code with the user's privileges and the skill provides no checksum, release-host justification, or alternative vetted install method.
Credentials
The skill declares no required env vars or credentials. That is not inconsistent by itself, but the actions described (managing secrets and bootstrapping nodes) normally require credentials or elevated access. The lack of declared credentials means the user won't see what will be requested before installing; expect the CLI to prompt for keys/tokens or ask to log in when used.
Persistence & Privilege
The skill is not flagged as always:true and it doesn't request config paths or to modify other skills. The primary persistence/privilege concern comes from the installer and node-bootstrap steps (they may create services/agents), but that behavior is driven by the devopsellence CLI itself rather than the skill metadata.
What to consider before installing
This skill appears to be a usage guide for a third-party deployment CLI, but it asks you to run a remote installer with 'curl | bash' and to bootstrap/manage nodes and secrets. Before installing or following these steps: 1) Do not blindly run 'curl | bash' — inspect the script at https://www.devopsellence.com/lfg.sh, prefer a package manager or a signed release with checksum, or ask the vendor for verification. 2) Understand what credentials the CLI will need and where they will be stored; the skill metadata doesn't declare them. 3) Treat node bootstrap commands as potentially creating long‑lived agents or services on your machines — run them in a test VM or isolated environment first. 4) If you must proceed, limit privileges (use least-privilege account), back up important data, and review the vendor docs and the installer contents. If you want, I can fetch the installer script URL (as text) and summarize what it does before you run it — but I will not execute it for you.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.1.0
Download zip
latestvk97chqrbgpa90116asdapr83a183t2bj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

devopsellence

Use this skill when the user wants to deploy an app with devopsellence, check deployment state, manage secrets, or bootstrap and assign their own nodes.

Default flow

  1. Work in the app directory the user wants to deploy.
  2. Check whether the CLI is already installed:
command -v devopsellence

If the command is missing, install the latest compatible CLI:

curl -fsSL https://www.devopsellence.com/lfg.sh | bash
  1. Validate local state before changing anything:
devopsellence doctor
  1. If the project is not initialized yet, run:
devopsellence init

If the user already knows the target workspace values, prefer explicit flags:

devopsellence init --org acme --project shop --env staging
  1. Deploy the app:
devopsellence deploy

If the user wants to deploy an existing image digest instead of building locally:

devopsellence deploy --image docker.io/example/app@sha256:...
  1. Verify the result:
devopsellence status --json

Secrets

Prefer stdin over literal secret values in prompts or shell history:

printf '%s' "$VALUE" | devopsellence secret set --service web --name NAME --stdin
devopsellence secret list
devopsellence secret delete --service web --name NAME

Bring your own node

Use these when the user wants to run on their own machine or VM:

devopsellence node bootstrap
devopsellence node list --json
devopsellence node assign <id>
devopsellence node unassign <id>

Heuristics

  • Prefer devopsellence doctor before devopsellence deploy.
  • If Docker is missing or not running, surface the problem clearly, or switch to devopsellence deploy --image ... when the user already has a pushed image digest.
  • If the workspace is not a git checkout and the CLI needs git metadata, stop and ask before creating a repo or commit.
  • Keep secrets out of logs and chat output. Use environment variables plus --stdin.
  • After installing this skill from ClawHub, start a new OpenClaw session if the current session does not pick it up.

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…