Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nm Attune Workflow Setup

v1.0.0

Configure GitHub Actions CI/CD workflows for automated testing, linting, and deployment pipelines

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the instructions: the SKILL.md describes creating and validating GitHub Actions workflows. However, the skill does not declare required binaries or environment variables even though the instructions call out gh/act, python, and template/engine utilities (ProjectDetector, engine.render_file, templates_dir). This mismatch is disproportionate to the stated purpose.
Instruction Scope
Instructions direct reading and writing of .github/workflows/ files, running shell and Python checks, and using an unspecified ProjectDetector and template rendering engine. That is within the scope of setting up workflows, but the instructions assume filesystem writes and tools that can modify repo state and potentially overwrite existing workflows — the skill should explicitly warn and offer dry-run/backups.
Install Mechanism
No install spec and no code files are present (instruction-only), which minimizes installer risk. There is no downloader or packaging step in the manifest.
Credentials
The skill declares no required env vars or credentials, yet it expects CLI tools (gh, act), Python, and project-specific template directories and rendering engines to exist. It also references other skills/commands (e.g., /attune:upgrade-project, /pensive:shell-review) without declaring those dependencies. The lack of declared requirements is inconsistent and could cause unexpected behavior or privilege escalation (e.g., using the user's authenticated gh CLI).
Persistence & Privilege
always is false and there is no persistent install behavior. The skill will only act when invoked; autonomous invocation is allowed by default but not combined here with other high-privilege requests.
What to consider before installing
This skill is intended to create/update GitHub Actions workflows and the instructions generally match that purpose, but it omits declaring tools it expects. Before using: (1) inspect the workflow templates and SKILL.md to confirm what files will be created/overwritten, and run it in a throwaway branch or fork first; (2) ensure you have the gh/act/Python tools installed and understand which account/token the gh CLI will use (avoid exposing personal or org tokens); (3) verify where templates_dir and engine.render_file come from — the skill assumes a template engine and project detector that are not included; (4) back up .github/workflows/ (or use git) and prefer a dry-run; (5) if you want the skill to be safer, ask the author to declare required binaries and to add explicit dry-run, confirmation prompts, and a list of exact filesystem changes.

Like a lobster shell, security has layers — review code before you run it.

latestvk9734zekqqjppdcd08f9464ztx84j4n4

Runtime requirements

🦞 Clawdis