v0.1.0

Cicd Pipeline Generator

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 4:57 AM.

Analysis

This is a coherent CI/CD template skill with no hidden behavior, but users should review the deployment and secret-handling parts before copying the generated pipelines.

Guidance: This skill appears safe to use as a CI/CD template reference. Before copying a generated workflow into a real repository, review deployment triggers, require approvals for production, restrict secrets to the minimum needed permissions, and consider pinning external CI tools or actions.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Note
assets/github-actions-nodejs.yml
on:
  push:
    branches: [ main, develop ]
...
deploy:
  name: Deploy to Production
  if: github.ref == 'refs/heads/main' && github.event_name == 'push'
...
  vercel-args: '--prod'

The provided GitHub Actions template would deploy to production on pushes to main once copied into a repository and configured with secrets. This is purpose-aligned for CI/CD, but it is a high-impact automated action.

User impact: If adopted as-is, a push to the main branch could publish a production deployment.
Recommendation: Before using the template, confirm branch protections, required environment approvals, deployment targets, and rollback procedures.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
assets/gitlab-ci-nodejs.yml
- npm install -g vercel
- vercel --token $VERCEL_TOKEN --prod

The GitLab CI template installs the Vercel CLI from npm during deployment without pinning an exact version. This is common and purpose-aligned, but it relies on external package supply chain behavior at pipeline runtime.

User impact: Future changes to the external CLI package could affect deployments or build behavior.
Recommendation: Pin deployment tool versions where practical and review third-party CI actions or packages before enabling production deployments.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Required Secrets:
- `VERCEL_TOKEN`
- `VERCEL_ORG_ID`
- `VERCEL_PROJECT_ID`
...
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

The skill instructs users to configure deployment and cloud credentials as CI secrets. This is expected for deployment pipelines, but those credentials can grant significant account access.

User impact: Overly broad or long-lived deployment tokens could allow unwanted changes to hosting or cloud resources if the CI workflow is misconfigured or compromised.
Recommendation: Use least-privilege tokens, environment-scoped secrets, protected branches, and regular secret rotation.