ClawHub

Golang Continuous Integration

v1.1.2

Provides CI/CD pipeline configuration using GitHub Actions for Golang projects. Covers testing, linting, SAST, security scanning, code coverage, Dependabot,...

0· 125·0 current·0 all-time
bySamuel Berthe@samber
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name/description match the artifacts and requirements: it supplies GitHub Actions YAML for testing, linting, SAST, release (GoReleaser), dependency automation, and related guidance. Required binaries (go, goreleaser, gh) and the Homebrew install spec are proportional to producing and releasing Go binaries and are expected for this purpose.
Instruction Scope
SKILL.md confines itself to CI/CD tasks: generating or auditing workflow files, advising on secrets and repo settings, and recommending action versions. It asks the agent to read existing workflow files (appropriate for an 'Improve' mode) and to check latest action versions online (reasonable). It does reference standard workflow secrets (GITHUB_TOKEN, CODECOV_TOKEN, DOCKERHUB_TOKEN) used inside GitHub Actions, but does not attempt to exfiltrate or require those secrets at skill runtime.
Install Mechanism
Install uses Homebrew formulas for goreleaser and gh — a standard, low-risk mechanism. No arbitrary downloads, extract-from-URL steps, or unknown package sources are present.
Credentials
The skill declares no runtime environment variables (none are needed). The workflows it provides reference expected repository secrets (GITHUB_TOKEN, CODECOV_TOKEN, DOCKERHUB_TOKEN) which are standard for CI and are meant to be stored in GitHub Secrets, not provided to the skill itself.
Persistence & Privilege
The skill is not forced-always, is user-invocable, and does not request persistent or cross-skill privileges. It does not modify other skills or system-wide agent settings. Note: like many coding skills, it may suggest using web lookups (to find latest Action versions) and the gh CLI locally; these are normal for the task.
Assessment
This skill appears to do what it says — produce and audit GitHub Actions CI for Go projects. Before installing or running it, you should: (1) review any generated workflow YAML for permissions (contents: write, packages: write, pull-requests: write, security-events: write) and only grant the minimum permissions needed; (2) review the Dependabot/auto-merge workflow and ensure the github.actor guard and branch-protection rules match your risk tolerance (auto-merge raises risk if combined with broad workflow permissions); (3) ensure repository secrets referenced by generated workflows (e.g., GITHUB_TOKEN, CODECOV_TOKEN, DOCKERHUB_TOKEN) are stored as GitHub Secrets and rotated appropriately — the skill does not ask you to provide these to the agent; (4) validate any suggested third-party actions and versions before merging; and (5) if you allow the agent to fetch latest action versions, be aware it will perform web lookups. Overall the artifacts and instructions are coherent and proportional to the described CI/CD purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fv2ae3hfx7773cf933jqg4583wp0g

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🚀 Clawdis
Binsgo, goreleaser, gh

Install

Homebrew
Bins: goreleaser
brew install goreleaser
Homebrew
Bins: gh
brew install gh

Comments