Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Manage Secrets

v1.0.0

Set or update environment secrets via the set-secret GitHub Actions workflow. Use when the user asks to update, rotate, or set a secret/token/API key for thi...

by Xin @aehrt55
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
high confidence
!
Purpose & Capability
The SKILL.md clearly requires AGENT_GITHUB_PAT (a PAT with Actions write permission) and MANAGE_SECRETS_GITHUB_REPO, which are essential for its stated purpose. However, the registry metadata for the skill declares no required environment variables or primary credential — a direct mismatch. Asking for a GitHub PAT and repo is plausible for a secret-management workflow, but the metadata omission is inconsistent and misleading.
!
Instruction Scope
The runtime instructions tell the agent to run gh workflow/run/watch and to derive the persona from local system state (tailscale status --self --json | jq..., or Kubernetes namespace), which reads local tools/state outside the GitHub interaction. The SKILL.md also assumes presence of gh, tailscale, jq, and possibly kubectl, but those binaries are not declared. The instructions will cause the agent to set GITHUB_TOKEN from AGENT_GITHUB_PAT and trigger a workflow that decrypts and re-encrypts repo secrets and pushes to main — behavior consistent with the purpose but broad in side effects (commit + deploy).
Install Mechanism
This is an instruction-only skill (no install spec), so nothing is written to disk by the skill package itself — low install-surface risk. However, it depends on external CLIs (gh, tailscale, jq, possibly kubectl) being present; those are not installed or declared by the skill, creating a hidden operational dependency that could confuse operators.
!
Credentials
Requesting AGENT_GITHUB_PAT (Actions write permission) and a target repo is proportionate to triggering a set-secret workflow, but the token is powerful: it can be used to run workflows and potentially perform other repo actions depending on its scope. The skill metadata does not declare these required env vars (so consumers may not realize they are needed or what level of privilege is required). The instructions also read local state (tailscale/k8s) which implies additional implicit access to system tools/config.
!
Persistence & Privilege
always:false (good) but user-invocable:false plus disable-model-invocation:false means the agent can autonomously invoke this skill (not directly user-triggered). Combined with access to a GitHub PAT that can change repo secrets and trigger deploys, autonomous invocation increases risk that secrets could be changed without explicit human approval. The skill does not request persistent installation privileges, but its ability to commit to main and trigger deploys is a high-impact side effect.
What to consider before installing
This skill declares a reasonable capability (trigger a set-secret workflow) but has implementation/metadata inconsistencies and notable privileges. Before installing or enabling it:

1) Verify the skill metadata is corrected to list AGENT_GITHUB_PAT and MANAGE_SECRETS_GITHUB_REPO so you know what will be required.
2) Inspect the target repository's set-secret.yml and any SOPS/decryption steps to confirm the workflow's exact actions, RBAC checks, and what keys the workflow uses to decrypt secrets.
3) Ensure the PAT you provide is minimal-scoped (fine-grained, limited to the specific repo and Actions permissions only) and not an org-wide or user-admin token; consider using a machine user with constrained rights.
4) Consider requiring human approval / making the skill user-invocable (or disabling autonomous invocation) so secrets are not rotated/changed automatically.
5) Confirm which CLIs the agent will call (gh, tailscale, jq, kubectl) and whether you are comfortable allowing the agent to access local tailscale/k8s state to determine persona.
6) Test in a non-production repo/environment first, and rotate the PAT after testing.

If you cannot inspect the workflow source or cannot supply a tightly-scoped PAT, do not enable this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk976ypbwfezp566rv2ypbtekxd84cvxb
