Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nm Minister Release Health Gates

v1.0.0

Standardize release approvals with GitHub-aware checklists and deployment gate validation

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared purpose (standardize release approvals, GitHub-aware checklists) matches the instructions: PR snippets, checks, and gate categories are coherent. However, the skill repeatedly references external systems (GitHub APIs and a 'tracker') without declaring required credentials or configuration for those systems, which is an unexplained gap.
Instruction Scope
SKILL.md explicitly instructs the agent to read GitHub checks/endpoints, attach comments to PRs, use tracker CSV exports, and persist rollout scorecards. Those actions are within the stated purpose but the instructions do not specify how to authenticate to GitHub or the tracker, nor where tracker data is stored—this ambiguity could lead to unexpected access or failures.
Install Mechanism
No install spec and no code files (instruction-only) — this is the lowest-risk install surface. Nothing is downloaded or written to disk by a packaged installer.
Credentials
The skill declares no required environment variables or primary credential, yet it expects access to GitHub checks/commits and to read/write a 'tracker'. Accessing those systems normally requires credentials (e.g., GITHUB_TOKEN, tracker API keys) or configured integrations. The absence of declared credentials is disproportionate and should be clarified.
Persistence & Privilege
The skill does not request always:true and is user-invocable (normal). It instructs persisting a rollout scorecard into a tracker, which is a reasonable operational action for this purpose, but it implies write permissions to an external system—verify that the agent or environment will limit writes appropriately.
What to consider before installing
This skill appears to do what it says (generate GitHub-aware release checklists and persist gating data), but it references GitHub API calls and a separate 'tracker' for reading/writing release state while declaring no credentials or configuration. Before installing or enabling it:

  • Ask the author which credentials/integrations the skill expects (e.g., GITHUB_TOKEN, tracker API key) and demand they be explicitly declared in the metadata.
  • Confirm where 'tracker' lives (self-hosted spreadsheet, issue tracker, project management tool) and what credentials and scopes are required to read/write it.
  • If you provide credentials, restrict them to the minimum scope (repo read/checks and PR comment/write only if needed). Avoid supplying broad org-level or cloud credentials.
  • Test the skill in a sandbox repository with minimal privileges and review any sample tracker writes to ensure no unexpected data exfiltration.

If the author provides explicit integration details and required env vars that align with the described actions (e.g., a GITHUB_TOKEN limited to the repo, a named tracker endpoint), this assessment could be upgraded to benign. Without that info, the mismatch between declared requirements and the actions instructed is a notable risk.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🦞 Clawdis
latestvk9721awhb536tdtg0k8peka2es84vdc0
42 downloads
0 stars
1 version
Updated 6d ago
v1.0.0
MIT-0

Night Market Skill — ported from claude-night-market/minister. For the full experience with agents, hooks, and commands, install the Claude Code plugin.

Release Health Gates

Purpose

Standardize release approvals by expressing gates as GitHub-aware checklists. Ensure code, docs, comms, and observability items are green before deployment.

Gate Categories

  1. Scope & Risk – Are all blocking issues closed or deferred with owners?
  2. Quality Signals – Are required checks, tests, and soak times satisfied?
  3. Comms & Docs – Are docs merged and release notes posted?
  4. Operations – Are runbooks, oncall sign-off, and rollback plans ready?

Workflow

  1. Load skill to access gate modules.
  2. Attach Release Gate section to deployment PR.
  3. Use tracker data to auto-fill blockers and highlight overdue tasks.
  4. Update comment as gates turn green; require approvals for any waivers.

Outputs

  • Release Gate markdown snippet (embed in PR/issue).
  • QA Handshake summary referencing GitHub Checks.
  • Rollout scorecard that persists in tracker data for retros.

Exit Criteria

  • All release gates evaluated and documented.
  • Any blocking gates have waiver approvals recorded.
  • Deployment PR contains embedded Release Gate snippet.
  • Rollout scorecard saved for post-release retrospective.

Troubleshooting

Common Issues

  • Command not found: Ensure all dependencies are installed and in PATH.
  • Permission errors: Check file permissions and run with appropriate privileges.
  • Unexpected behavior: Enable verbose logging with the --verbose flag.
