ClawHub

GitFlow

v1.0.4

Automatically monitor CI/CD pipeline status of new push across GitHub and GitLab in one place. Auto DevOps this is the way 🦞!

⭐ 3· 4k·21 current·22 all-time
by@okoddcat
MIT-0
Download zip
LicenseMIT-0 Β· Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report β†’
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The README/SKILL.md claim 'automatically monitor CI/CD pipeline status of new push' across GitHub and GitLab, but there is no mechanism for background monitoring, webhooks, or a service that watches remote pushes. The only automation described is a local git alias that the user must add and run manually after pushing. Also, the instructions depend on 'gh' and 'glab' CLIs (and git) but the skill package metadata did not declare any required binaries β€” an inconsistency.
β„Ή
Instruction Scope
Instructions are limited to running git, gh, and glab commands and adding a git alias to ~/.gitconfig that runs a shell snippet after push. This is within the stated goal (monitoring pipeline status after a push) but the alias uses a shell invocation ('!f() { ... }; f') which will execute arbitrary shell commands when invoked β€” this is expected for a git alias but users should review it before adding to their config. The SKILL.md does not instruct reading unrelated files or exfiltrating data.
βœ“
Install Mechanism
No install spec and no code files β€” the skill is instruction-only. That reduces risk because nothing is automatically downloaded or written by the skill package itself.
β„Ή
Credentials
The skill requests no environment variables or credentials in metadata, which matches the absence of code. However, practical use requires authenticated 'gh' and/or 'glab' sessions (tokens/configs) to access workflows/pipelines. The skill does not mention or declare that those CLIs and credentials must exist, which is a documentation/metadata omission that could confuse users.
βœ“
Persistence & Privilege
No special persistence privileges are requested (always is not set, model invocation flags are default). The skill cannot be invoked autonomously by the model beyond the normal platform behavior.
What to consider before installing
This skill is instruction-only and doesn't install anything, but it is inconsistent with its marketing. Before using it: (1) understand it does not create a background watcher or webhook β€” it only documents CLI commands and offers a manual git alias that you must add yourself; (2) inspect the alias carefully before adding it to ~/.gitconfig since git aliases starting with '!' run shell code; (3) ensure you have and are logged into the 'gh' and/or 'glab' CLIs (they are required in practice even though not declared); (4) if you need true automatic monitoring across pushes (server-side), use webhooks or a CI integration rather than this local alias; (5) if you want the package to be more trustworthy, ask the publisher to declare required binaries and explain authentication requirements and provide a real homepage/source for review.

Like a lobster shell, security has layers β€” review code before you run it.

latestvk97f45kkj82p1g456h1qs9mzbd80d23q

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments