Cnb Cool Git
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent CNB Git/API helper, but it documents powerful repository- and pipeline-changing actions that use CNB tokens without defining approval steps or scope limits.
Install only if you want an agent to help operate CNB repositories and pipelines. Use least-privilege CNB tokens, verify the target owner/repo/branch before any mutation, and require explicit confirmation for pushes, MR approvals/merges, labels/reviewers, and pipeline triggers.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used too broadly, the agent could change repository state or start pipeline runs in a CNB project, which may affect code, reviews, builds, or deployments.
The skill documents raw API calls that can merge code and trigger CI/CD pipelines. These actions are purpose-aligned, but the visible instructions do not define confirmation, branch/repository scope, rollback, or containment requirements before executing them.
Merge MR ... curl -X "PUT" ... "https://api.cnb.cool/{owner}/{repo}/-/pulls/{number}/merge" ... Pipeline trigger ... curl -X "POST" ... "https://api.cnb.cool/{owner}/{repo}/-/trigger"
Only install for workspaces where you intend to grant CNB repository authority. Require explicit confirmation before push, merge, approval, label/reviewer changes, or pipeline trigger/retry operations, and use least-privilege tokens where possible.
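One way to enforce the scope and confirmation requirements this finding and the overview ask for, as an added example that is not part of the skill or of ClawScan: a pre-flight guard that plans the two mutating calls the skill documents (the MR merge PUT and the pipeline trigger POST), refuses targets outside an allowlist of owner/repo and branch, refuses unconfirmed calls, and attaches `CNB_COOL_API_TOKEN` only at send time so a plan can be shown to the user without the token in it. The endpoint paths are the ones quoted above; the bearer-token `Authorization` header, the JSON body for the trigger call, and the `acme/web` sample repository are assumptions.

```python
"""Pre-flight guard for the mutating CNB API calls the skill documents.
Added example, not the skill's own code. Assumed (not from the skill docs):
the API accepts "Authorization: Bearer <token>" and the trigger endpoint
takes a JSON body naming the branch."""
import json
import os
import urllib.request

CNB_API = "https://api.cnb.cool"


class MutationRefused(Exception):
    """A mutating call was blocked by a scope or confirmation check."""


class MutationGuard:
    def __init__(self, allowed_repos, allowed_branches, token_env="CNB_COOL_API_TOKEN"):
        # Exact "owner/repo" strings the agent may change; anything else is refused.
        self.allowed_repos = set(allowed_repos)
        # Branches that may be merge targets or pipeline refs; empty means none.
        self.allowed_branches = set(allowed_branches)
        self.token_env = token_env

    def _scope(self, owner, repo, branch):
        target = f"{owner}/{repo}"
        if target not in self.allowed_repos:
            raise MutationRefused(f"{target} is outside the allowed repositories")
        if branch not in self.allowed_branches:
            raise MutationRefused(f"branch {branch!r} is outside the allowed branches for {target}")

    def _token(self):
        token = os.environ.get(self.token_env)
        if not token:
            raise MutationRefused(f"{self.token_env} is not set; refusing to proceed")
        return token

    def plan_merge(self, owner, repo, number, target_branch, confirmed=False):
        """Plan PUT /{owner}/{repo}/-/pulls/{number}/merge (path from the skill docs).
        target_branch must be the MR's destination branch as the caller read it
        from the MR itself, never as typed into the prompt."""
        self._scope(owner, repo, target_branch)
        if not confirmed:
            raise MutationRefused("merge requires explicit confirmation")
        return {"method": "PUT",
                "url": f"{CNB_API}/{owner}/{repo}/-/pulls/{number}/merge",
                "body": None}

    def plan_trigger(self, owner, repo, branch, confirmed=False):
        """Plan POST /{owner}/{repo}/-/trigger (path from the skill docs).
        The {"branch": ...} body is an assumption about the API."""
        self._scope(owner, repo, branch)
        if not confirmed:
            raise MutationRefused("pipeline trigger requires explicit confirmation")
        return {"method": "POST",
                "url": f"{CNB_API}/{owner}/{repo}/-/trigger",
                "body": {"branch": branch}}

    def send(self, plan, timeout=30):
        """Execute a plan. The token is read and attached only here, so plans
        can be logged or shown to the user for confirmation without it."""
        data = None if plan["body"] is None else json.dumps(plan["body"]).encode()
        headers = {"Authorization": f"Bearer {self._token()}", "Accept": "application/json"}
        if data is not None:
            headers["Content-Type"] = "application/json"
        req = urllib.request.Request(plan["url"], data=data, method=plan["method"], headers=headers)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()


def explain(plan_fn, *args, **kwargs):
    """Return the plan, or the refusal reason as a string, without raising."""
    try:
        return plan_fn(*args, **kwargs)
    except MutationRefused as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    guard = MutationGuard(allowed_repos=["acme/web"], allowed_branches=["main"])
    print(explain(guard.plan_merge, "acme", "web", 42, "main", confirmed=True))
    print(explain(guard.plan_merge, "acme", "web", 42, "main"))              # unconfirmed
    print(explain(guard.plan_trigger, "acme", "other", "main", confirmed=True))  # out of scope
```

Run stand-alone it prints one accepted plan and two refusals; only `send` touches the network, and it is the single place the token is used, so a refused or unconfirmed plan never gets near the credential.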
Anyone using the skill with powerful tokens may give the agent the ability to read, push to, or modify CNB repository resources.
The skill clearly discloses that it uses Git and API tokens. This is expected for CNB Git/API integration, but those credentials can authorize repository reads, writes, and API mutations.
`CNB_COOL_GIT_TOKEN` | Git access token, used for clone/push | ... `CNB_COOL_API_TOKEN` | API token, used to call the CNB Open API
Provide tokens with the minimum required repository/API permissions, rotate them if exposed, and avoid granting organization-wide or admin-level access unless necessary.
A user relying only on registry-level requirements might not realize that CNB tokens are needed until they read the skill instructions.
The bundled metadata declares required secrets, while the registry requirements shown for the skill list no required environment variables or primary credential. This is an under-declared credential contract rather than hidden behavior because SKILL.md also describes the tokens.
"required_secrets": [ "CNB_COOL_GIT_TOKEN", "CNB_COOL_API_TOKEN" ]
The publisher should align registry credential declarations with the skill metadata and documentation so users see required tokens before installation.
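A check the publisher (or an installer) could run to catch the mismatch this finding describes, as an added example that is neither ClawScan's scanner nor part of the skill: it compares the bundled metadata's `required_secrets` with what the registry listing declares and with the credential names mentioned in SKILL.md, and reports anything under-declared in either direction. The `required_secrets` key and the two token names are from the evidence above; the registry listing shape (`requirements.env`, `requirements.primary_credential`) and the three sample documents are constructed assumptions.

```python
"""Cross-check a skill's credential contract: bundled metadata vs registry
listing vs SKILL.md. Added example, not ClawScan's or the skill's code."""
import json
import re

# Constructed sample inputs modelled on the review's evidence. The registry
# listing shape (requirements.env / requirements.primary_credential) is assumed.
BUNDLED_METADATA = json.dumps({
    "name": "cnb-cool-git",
    "required_secrets": ["CNB_COOL_GIT_TOKEN", "CNB_COOL_API_TOKEN"],
})
REGISTRY_LISTING = json.dumps({
    "name": "cnb-cool-git",
    "requirements": {"env": [], "primary_credential": None},
})
SKILL_MD = """\
| Variable | Purpose |
| `CNB_COOL_GIT_TOKEN` | Git access token, used for clone/push |
| `CNB_COOL_API_TOKEN` | API token, used to call the CNB Open API |
"""

# Backticked ALL_CAPS names that look like credentials, e.g. `CNB_COOL_API_TOKEN`.
SECRET_NAME = re.compile(r"`([A-Z][A-Z0-9_]*(?:TOKEN|SECRET|KEY|PASSWORD))`")


def secrets_in_docs(skill_md):
    """Credential-looking variable names the SKILL.md text mentions."""
    return set(SECRET_NAME.findall(skill_md))


def declared_by_registry(listing):
    """Secrets the registry page would show a user before installation."""
    reqs = listing.get("requirements") or {}
    declared = set(reqs.get("env") or [])
    if reqs.get("primary_credential"):
        declared.add(reqs["primary_credential"])
    return declared


def credential_contract(bundled_json, registry_json, skill_md):
    """registry_missing: required by the bundle but not shown by the registry.
    metadata_missing: mentioned in the docs but not declared in the bundle."""
    bundled = json.loads(bundled_json)
    listing = json.loads(registry_json)
    required = set(bundled.get("required_secrets") or [])
    return {
        "registry_missing": sorted(required - declared_by_registry(listing)),
        "metadata_missing": sorted(secrets_in_docs(skill_md) - required),
    }


def verdict(report):
    """One-line summary suitable for a publish-time gate."""
    if not report["registry_missing"] and not report["metadata_missing"]:
        return "ok"
    parts = []
    if report["registry_missing"]:
        parts.append("registry omits " + ", ".join(report["registry_missing"]))
    if report["metadata_missing"]:
        parts.append("metadata omits " + ", ".join(report["metadata_missing"]))
    return "under-declared: " + "; ".join(parts)


if __name__ == "__main__":
    print(verdict(credential_contract(BUNDLED_METADATA, REGISTRY_LISTING, SKILL_MD)))
```

On the constructed inputs the verdict is "under-declared: registry omits CNB_COOL_API_TOKEN, CNB_COOL_GIT_TOKEN", which is exactly the gap the finding reports; once the listing names both tokens the same check returns "ok", so it can sit in the publisher's release pipeline as a blocking step.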
Future commits from that workspace may use the configured name and email until changed.
The skill persists Git identity settings in a workspace .env file and global Git configuration. This is disclosed and purpose-aligned, but it can affect later Git commits in the same environment.
Username/email (non-sensitive): written to the `.env` file (placed at `/workspace/.env`) ... git config --global user.name ... git config --global user.email
Confirm the Git name/email are correct, and reset or remove the workspace .env and global Git config if you stop using the skill or switch identities.
