Cicd Pipeline Generator

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent CI/CD template skill with no hidden behavior, but users should review the deployment and secret-handling parts before copying the generated pipelines.

This skill appears safe to use as a CI/CD template reference. Before copying a generated workflow into a real repository, review deployment triggers, require approvals for production, restrict secrets to the minimum needed permissions, and consider pinning external CI tools or actions.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI02: Tool Misuse and Exploitation

Medium

What this means

If adopted as-is, a push to the main branch could publish a production deployment.

Why it was flagged

The provided GitHub Actions template would deploy to production on pushes to main once copied into a repository and configured with secrets. This is purpose-aligned for CI/CD, but it is a high-impact automated action.

Skill content

on:
  push:
    branches: [ main, develop ]
...
deploy:
  name: Deploy to Production
  if: github.ref == 'refs/heads/main' && github.event_name == 'push'
...
  vercel-args: '--prod'

Recommendation

Before using the template, confirm branch protections, required environment approvals, deployment targets, and rollback procedures.

#ASI03: Identity and Privilege Abuse

Medium

What this means

Overly broad or long-lived deployment tokens could allow unwanted changes to hosting or cloud resources if the CI workflow is misconfigured or compromised.

Why it was flagged

The skill instructs users to configure deployment and cloud credentials as CI secrets. This is expected for deployment pipelines, but those credentials can grant significant account access.

Skill content

Required Secrets:
- `VERCEL_TOKEN`
- `VERCEL_ORG_ID`
- `VERCEL_PROJECT_ID`
...
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

Recommendation

Use least-privilege tokens, environment-scoped secrets, protected branches, and regular secret rotation.

#ASI04: Agentic Supply Chain Vulnerabilities

Low

What this means

Future changes to the external CLI package could affect deployments or build behavior.

Why it was flagged

The GitLab CI template installs the Vercel CLI from npm during deployment without pinning an exact version. This is common and purpose-aligned, but it relies on external package supply chain behavior at pipeline runtime.

Skill content

- npm install -g vercel
- vercel --token $VERCEL_TOKEN --prod

Recommendation

Pin deployment tool versions where practical and review third-party CI actions or packages before enabling production deployments.