ClawHub

Launchthatbot Git Team Ops

v1.0.4

Role-based GitOps skill for OpenClaw agents with junior and senior operating modes.

2· 429·0 current·0 all-time
by@launchthatbot
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (role-based GitOps) align with the package contents: README, SKILL.md, templates for workflows and CODEOWNERS, and guidance for GitHub App/PAT modes. Minor metadata/version mismatch (registry lists 1.0.4 while SKILL.md/package.json show 0.1.3) — likely benign but worth noting.
Instruction Scope
SKILL.md only instructs the agent to validate repo access, create branches/PRs, and copy commit templates; it does not direct reading unrelated system files or exporting secrets. It does reference platform-managed endpoints for onboarding tokens. One security-relevant behavior is intentional: senior agents are allowed to add/update workflow files in the repository — this is within scope but can be abused if not controlled.
Install Mechanism
No install spec and no code files beyond templates and docs; instruction-only packages carry minimal disk/write footprint from the skill itself.
Credentials
The skill declares no required env vars. It documents reasonable authentication flows (managed-app, BYO app requiring App ID/installation ID/private key, and PAT as fallback). Requested credentials are proportional to GitHub access, but any private key or PAT you supply must be protected.
Persistence & Privilege
always:false and default autonomous invocation settings are used (normal). The skill does not request persistent system-wide config changes; its intended persistent effect is copying workflow templates into a target repo (expected for senior role).
Assessment
This skill appears coherent and low-risk as long as you follow operational controls: 1) Review the included workflow templates (senior-release-control.yml grants write permissions) before allowing a senior agent to install them — workflows can be used to run code with repo-level permissions. 2) Prefer managed-app mode and short-lived installation tokens; avoid giving long-lived PATs. 3) If using BYO App, protect the App private key (PEM) and Installation ID; never store onboarding tokens or private keys in repo files. 4) Enforce branch protections and require senior human review when granting merge/workflow-creation rights. 5) Test the skill in a staging/test repository first to confirm behavior. 6) Note the version metadata mismatch (registry vs package) and verify the package origin (homepage and repository URL) if provenance is important.

Like a lobster shell, security has layers — review code before you run it.

latestvk975cehqpvgd5j6xe24yssp55581vrnm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🛠️ Clawdis

Comments