docker-ci-release-pipeline

v1.0.0

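End-to-end pipeline for Docker image build and test with GitHub Actions release: automatically builds, tests, security-scans, and pushes to an image registry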

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill claims to produce production-ready Dockerfiles, tests, and GitHub Actions workflows and the README/workflow.json/SKILL.md all align with that purpose. However, it composes other skills (docker-expert, testing-patterns, github-actions-templates, github) that in real usage will typically require credentials and environment configuration (e.g., GITHUB_TOKEN, registry credentials) which this skill does not declare.
Instruction Scope
Runtime instructions are limited to analyzing a project directory, generating Dockerfile/docker-compose/.github workflows and tests, and validating CI runs. They do not instruct the agent to read unrelated system files or exfiltrate data. The only scope concern is that verifying workflow execution (the 'github' step) implies API access to external services.
Install Mechanism
Instruction-only skill with no install spec or downloaded code — lowest install risk. Nothing is written to disk by an installer, though the skill will generate files in the user's project when invoked.
Credentials
The skill declares no required environment variables, but practical operation will need credentials: GitHub API token(s) for workflow verification and pushing to GHCR (or other registry auth), and possibly Snyk/Trivy credentials or third-party action tokens. The lack of declared env vars is a gap — confirm which tokens/secrets are required and that they are provided via appropriate secret stores (e.g., GitHub Secrets), not hard-coded.
Persistence & Privilege
always is false and there are no config-path or system modifications requested. The skill does not request persistent, elevated platform privileges.
Assessment
This skill appears to do what it says (generate Dockerfiles, tests and GitHub Actions workflows). Before installing or running it:

1) Expect to provide GitHub and registry credentials (GITHUB_TOKEN, GHCR or Docker registry credentials) and any Snyk/Trivy credentials the workflow/actions require — verify where and how those are supplied (use GitHub Secrets).
2) Review any generated .github/workflows/*.yml before committing to ensure they don't echo secrets or push to production unintentionally.
3) Confirm the downstream skills it composes (docker-expert, github, testing-patterns, github-actions-templates) are trusted and understand their own credential requirements.
4) If you need higher assurance, ask the publisher for an explicit list of required env vars/permissions and a sample generated workflow so you can audit actions and permissions.
