Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cnb Cool Git

Git operations skill for the CNB cloud-native build platform. Uses git and the CNB Open API to clone, commit, push, manage branches, manage Merge Requests, trigger pipelines, read pipeline results, and more. On first use it collects the user's Git username and email.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (CNB git ops) aligns with the actions described (git clone/push, MR management, pipeline triggers via api.cnb.cool). Required credentials (CNB_COOL_GIT_TOKEN, CNB_COOL_API_TOKEN) and repo/branch/env variables are coherent for this purpose. However, the registry summary at the top reported 'Required env vars: none' while SKILL.md and _meta.json declare required_secrets and required_envs — this metadata inconsistency is unexpected and should be resolved.
Instruction Scope
Instructions tell the agent to: (1) receive secrets via gateway, (2) write non-sensitive username/email to /workspace/.env, (3) run git config --global user.name/email, and (4) clone using an HTTPS URL that embeds the token (git clone https://cnb:${CNB_COOL_GIT_TOKEN}@cnb.cool/...). Embedding tokens in clone URLs risks leaking secrets (remote URL persistence, process args, shell history, logs). Writing .env into /workspace may persist user info and could be accessible to other processes. Changing global git config modifies environment-wide settings. These behaviors are within the skill's stated scope but have privacy/security implications that are not mitigated in the documentation.
Install Mechanism
This is an instruction-only skill with no install spec or code to write to disk, so there is no install-time download or arbitrary code execution risk.
Credentials
The two secrets the skill uses (a Git access token and an API token for CNB) are proportionate to git+API operations. However, the top-level registry metadata claimed 'none' for required envs while _meta.json lists required_secrets and required_envs — this mismatch is concerning. Also, instructions reference numerous CNB pipeline env variables (CNB_*), which are plausible but worth confirming you expect these to be present and that tokens have least privilege (prefer minimal scopes).
Persistence & Privilege
The always flag is false and the skill does not request persistent platform privileges. The only persistent changes suggested are user-local (git global config and writing /workspace/.env); these are not platform-level privileges but can have side effects and should be scoped (repo-local) if possible.
Scan Findings in Context
[no_regex_findings] expected: The repository is instruction-only and the regex scanner had no code files to analyze; absence of findings is expected but not evidence of safety. Manual review of SKILL.md produced the signals described above.
What to consider before installing
  • Confirm metadata: SKILL.md and _meta.json require two secrets (CNB_COOL_GIT_TOKEN, CNB_COOL_API_TOKEN) and two non-sensitive envs (user name/email), but the registry summary claimed none — ask the publisher to fix the metadata mismatch before trusting automated tooling.
  • Secrets handling: Do NOT embed tokens in clone URLs. That practice can leak tokens into git config, process lists, shell history, and logs. Prefer using a git credential helper, .netrc with secure permissions, or authenticated HTTPS that prompts from a credential store. Verify how OpenClaw's Gateway secrets are injected and that they are never printed or stored in logs.
  • Limit token scope: Use the least-privilege token possible (prefer specific REST/API scopes, avoid wide MCP tokens if not needed). Confirm token type requirements and that the tokens cannot be reused elsewhere.
  • Avoid global changes: Instead of git config --global, prefer repository-local settings (git config user.name/email in the repo) or set GIT_AUTHOR_NAME/GIT_AUTHOR_EMAIL for single operations so other projects aren't affected.
  • Workspace persistence: /workspace/.env may be persisted; do not store sensitive tokens there. Only non-sensitive username/email should be written and you should confirm workspace retention policies.
  • Verify origin and trust: The skill has no homepage and an unknown owner ID; ask for publisher/source and prefer skills with a verifiable homepage or source repo. If you must use it, review and test in a restricted environment and audit any generated remotes or files for embedded credentials.
  • If possible, request an update to SKILL.md to remove token-in-url examples and to document secure credential usage and cleanup steps.


Current version: v2.0.1
Latest: vk97bs4vp0d309mpw5pzh04896583mya5


SKILL.md

CNB Git Skill

Perform Git operations and API calls on the CNB (cnb.cool) platform.

Authentication configuration

Tokens (sensitive): injected via Gateway secrets (not exposed in logs or in configuration displays):

Variable              Description
CNB_COOL_GIT_TOKEN    Git access token, used for clone/push
CNB_COOL_API_TOKEN    API token, used to call the CNB Open API

⚠️ Token type note: you must use a Classic Token or a REST API token; an MCP read/write token does not work with the REST API (every /-/ path returns 404).

Injection: configure the tokens under env.vars in OpenClaw's openclaw.json; the secret part is displayed masked.

Username/email (non-sensitive): written to a .env file (located at /workspace/.env):

CNB_COOL_GIT_USER_NAME=你的Git用户名
CNB_COOL_GIT_USER_EMAIL=你的Git邮箱

Also set the global Git configuration:

git config --global user.name "${CNB_COOL_GIT_USER_NAME}"
git config --global user.email "${CNB_COOL_GIT_USER_EMAIL}"

Clone a repository

git clone https://cnb:${CNB_COOL_GIT_TOKEN}@cnb.cool/your-group/your-repo.git
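
The scan above recommends keeping the token out of the clone URL and setting the Git identity per repository instead of with --global. The following helpers show one way to do that for the clone command shown here; they are an added example, not the skill's own code, and assume CNB_COOL_GIT_TOKEN, CNB_COOL_GIT_USER_NAME and CNB_COOL_GIT_USER_EMAIL are already in the environment and that "cnb" is the HTTPS username, as in the skill's clone line. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the skill): clone a CNB repo without putting the
# token in the URL, keep the Git identity repo-local, and audit remotes for
# URLs that embed a credential.

# Return 0 if a URL embeds a user:secret@host credential, 1 otherwise.
# (scp-style git@host:path has no "://" and is not flagged; a username
# without a secret, https://cnb@host/..., is not flagged either.)
url_has_embedded_credential() {
    case "$1" in
        *://*:*@*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "name<TAB>url (fetch|push)" lines, as printed by `git remote -v`,
# on stdin and print each remote name whose URL embeds a credential, once.
find_credential_remotes() {
    while read -r name url _; do
        if url_has_embedded_credential "$url"; then
            printf '%s\n' "$name"
        fi
    done | sort -u
}

# Clone "group/repo" into $2. The token reaches git through a one-shot
# credential helper, so it never appears in the URL, .git/config or `ps`.
# The leading empty credential.helper= clears any configured helper so the
# token is not cached or written elsewhere by a store/cache helper.
safe_clone() {
    git -c credential.helper= \
        -c credential.helper='!f() { printf "username=cnb\npassword=%s\n" "$CNB_COOL_GIT_TOKEN"; }; f' \
        clone "https://cnb.cool/$1.git" "$2" || return 1
    # Identity is set per repository instead of with --global.
    git -C "$2" config user.name  "$CNB_COOL_GIT_USER_NAME"
    git -C "$2" config user.email "$CNB_COOL_GIT_USER_EMAIL"
}

# Audit an existing checkout: fail if any remote URL embeds a credential.
audit_clone() {
    leaked=$(git -C "$1" remote -v | find_credential_remotes)
    if [ -n "$leaked" ]; then
        echo "remote(s) with embedded credentials: $leaked" >&2
        return 1
    fi
}

# Usage: safe_clone your-group/your-repo ./your-repo && audit_clone ./your-repo
```

audit_clone is also useful on checkouts produced by the token-in-URL command above, since git persists that URL in .git/config as the origin remote.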

Basic API calls

API base URL: https://api.cnb.cool

⚠️ Token type note: CNB's MCP token (MCP read/write permission) does not support the REST API; every endpoint returns 404. You must use a Classic Token or a Personal Access Token with REST API permission.

# Every API call must carry the following two headers
curl -H "Authorization: ${CNB_COOL_API_TOKEN}" \
     -H "Accept: application/vnd.cnb.api+json" \
     "https://api.cnb.cool/..."

Merge Request (MR) operations

Create an MR

curl -X "POST" \
  -H "Authorization: ${CNB_COOL_API_TOKEN}" \
  -H "Content-Type: application/json" \
  -H "Accept: application/vnd.cnb.api+json" \
  -d '{
    "title": "feat: 功能描述",
    "head": "feature/branch-name",
    "base": "main",
    "body": "变更内容..."
  }' \
  "https://api.cnb.cool/{owner}/{repo}/-/pulls"

Field notes: head = source branch, base = target branch (⚠️ not source_branch/target_branch).

List MRs

# List all MRs
curl "https://api.cnb.cool/{owner}/{repo}/-/pulls" \
  -H "Authorization: ${CNB_COOL_API_TOKEN}" \
  -H "Accept: application/vnd.cnb.api+json"

# Get a specific MR
curl "https://api.cnb.cool/{owner}/{repo}/-/pulls/{number}" \
  -H "Authorization: ${CNB_COOL_API_TOKEN}" \
  -H "Accept: application/vnd.cnb.api+json"

Add a comment

curl -X "POST" \
  -H "Authorization: ${CNB_COOL_API_TOKEN}" \
  -H "Content-Type: application/json" \
  -H "Accept: application/vnd.cnb.api+json" \
  -d '{"body": "评论内容"}' \
  "https://api.cnb.cool/{owner}/{repo}/-/pulls/{number}/comments"

Submit a review

# APPROVE - approve the MR
curl -X "POST" \
  -H "Authorization: ${CNB_COOL_API_TOKEN}" \
  -H "Content-Type: application/json" \
  -H "Accept: application/vnd.cnb.api+json" \
  -d '{"event": "APPROVE", "body": "LGTM"}' \
  "https://api.cnb.cool/{owner}/{repo}/-/pulls/{number}/reviews"

# REQUEST_CHANGES - changes required
curl -X "POST" \
  -H "Authorization: ${CNB_COOL_API_TOKEN}" \
  -H "Content-Type: application/json" \
  -H "Accept: application/vnd.cnb.api+json" \
  -d '{"event": "REQUEST_CHANGES", "body": "请修复..."}' \
  "https://api.cnb.cool/{owner}/{repo}/-/pulls/{number}/reviews"

Merge an MR

curl -X "PUT" \
  -H "Authorization: ${CNB_COOL_API_TOKEN}" \
  -H "Content-Type: application/json" \
  -H "Accept: application/vnd.cnb.api+json" \
  -d '{
    "merge_method": "merge"
  }' \
  "https://api.cnb.cool/{owner}/{repo}/-/pulls/{number}/merge"

Manage labels and reviewers

# Add labels
curl -X "POST" \
  -H "Authorization: ${CNB_COOL_API_TOKEN}" \
  -H "Content-Type: application/json" \
  -H "Accept: application/vnd.cnb.api+json" \
  -d '{"labels": ["bug", "high-priority"]}' \
  "https://api.cnb.cool/{owner}/{repo}/-/pulls/{number}/labels"

# Add reviewers
curl -X "POST" \
  -H "Authorization: ${CNB_COOL_API_TOKEN}" \
  -H "Content-Type: application/json" \
  -H "Accept: application/vnd.cnb.api+json" \
  -d '{"reviewers": ["username1", "username2"]}' \
  "https://api.cnb.cool/{owner}/{repo}/-/pulls/{number}/reviewers"

Pipeline build results

Get build history

curl "https://api.cnb.cool/{owner}/{repo}/-/builds?page=1&page_size=20" \
  -H "Authorization: ${CNB_COOL_API_TOKEN}" \
  -H "Accept: application/vnd.cnb.api+json"

Get build details and logs

# Build details
curl "https://api.cnb.cool/{owner}/{repo}/-/builds/{build_id}" \
  -H "Authorization: ${CNB_COOL_API_TOKEN}" \
  -H "Accept: application/vnd.cnb.api+json"

# Build logs
curl "https://api.cnb.cool/{owner}/{repo}/-/builds/{build_id}/logs" \
  -H "Authorization: ${CNB_COOL_API_TOKEN}" \
  -H "Accept: application/vnd.cnb.api+json"

Pipeline triggering

Trigger a pipeline manually

# Trigger a pipeline via the API
curl -X "POST" \
  -H "Authorization: ${CNB_COOL_API_TOKEN}" \
  -H "Content-Type: application/json" \
  -H "Accept: application/vnd.cnb.api+json" \
  -d '{
    "branch": "main",
    "event": "api_trigger",
    "env": {
      "KEY": "value"
    }
  }' \
  "https://api.cnb.cool/{owner}/{repo}/-/trigger"

List triggers

curl "https://api.cnb.cool/{owner}/{repo}/-/triggers" \
  -H "Authorization: ${CNB_COOL_API_TOKEN}" \
  -H "Accept: application/vnd.cnb.api+json"

Retry a build

curl -X "POST" \
  -H "Authorization: ${CNB_COOL_API_TOKEN}" \
  -H "Accept: application/vnd.cnb.api+json" \
  "https://api.cnb.cool/{owner}/{repo}/-/builds/{build_id}/retry"

Key environment variables

Variable              Description
CNB_REPO_SLUG         Repository path (group/repo)
CNB_BRANCH            Branch name
CNB_COMMIT            Commit SHA
CNB_BUILD_ID          Build number
CNB_BUILD_STATUS      Build status (success/error/cancel)
CNB_PIPELINE_STATUS   Pipeline status
CNB_BUILD_WEB_URL     Build log URL
CNB_PULL_REQUEST      Whether the build was triggered by a PR
CNB_TOKEN             Temporary pipeline token (injected by the system)

Best practices

  • Do not hard-code access tokens in source code
  • Store sensitive information in environment variables or a secrets store
  • Rotate tokens regularly
  • Pipelines started by untrusted events (PR comments, Issue comments) run with restricted permissions; perform sensitive operations only in pipelines started by trusted events
