Skill v1.0.0

ClawScan security

CI/CD workflow skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (scanned Mar 13, 2026, 3:54 AM)
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This skill is internally consistent with its stated CI/CD purpose: it provides pipeline templates, a docs generator, and a notification script, and does not request unrelated credentials or install arbitrary software, but you should still review any CI secrets/webhook URLs before use.
Guidance
This skill appears to do what it says — generate CI/CD configs and docs for Java+Vue projects. Before installing/using it: (1) review the provided Jenkinsfile/.gitlab-ci.yml and scripts to ensure they match your security policies, (2) never paste live kubeconfig, registry passwords, or private keys into a public repo — store them as CI credentials or secret files, (3) vet any WEBHOOK_URLs you configure (notify.sh will POST build details to them), (4) test in a non-production environment first (staging) and review the scripts locally, and (5) if you need more assurance, inspect the full Jenkinsfile and pipeline steps for any commands you don't expect before running pipelines in CI.

Review Dimensions

Purpose & Capability
ok: Name and description describe GitLab/Jenkins CI/CD templates for Java+Vue; included assets (Jenkinsfile, .gitlab-ci.yml, Dockerfiles, k8s manifests) and helper scripts directly support that purpose. The files and instructions are proportionate to the stated functionality.
Instruction Scope
note: SKILL.md guides interactive generation of pipeline configs and instructs how to configure CI variables and credentials (kubeconfig, docker registry credentials, webhook URL). These steps are expected for a CI/CD skill but involve handling sensitive data; the instructions do not attempt to read unrelated host files or exfiltrate data, but they do tell CI jobs to decode and write kubeconfig and to POST to user-supplied WEBHOOK_URLs.
Install Mechanism
ok: No install spec is present (instruction-only + included static assets and two helper scripts). No network downloads or extract/execute steps are embedded in an installer; risk from installation is low. The two scripts are plain and used for documentation generation and webhook notifications.
Credentials
note: The skill itself declares no required env vars, which is coherent for an instruction-only skill, but the provided CI templates and scripts expect many sensitive CI variables (KUBE_CONFIG / kubeconfig, CI_REGISTRY_USER/CI_REGISTRY_PASSWORD, WEBHOOK_URL, Docker credentials, Jenkins credential IDs). Those variables are appropriate for CI/CD use but are sensitive — users must not paste real secrets into untrusted places and should provision credentials in the CI system (not embed them in public repos).
Persistence & Privilege
ok: Skill metadata does not request always:true and contains no install-time actions that modify other skills or platform-wide settings. Autonomous invocation is allowed by default (normal), but the skill does not request elevated platform privileges.