Security Scan
OpenClaw
Suspicious
Medium confidence. The skill mostly matches its CI/CD description (workflow generation and monitoring), but it claims Jenkins support that isn't implemented in the package, an unexplained mismatch the user should investigate before trusting it.
Assessment recommendations
This package is mostly coherent for generating GitHub Actions and GitLab CI files and for monitoring pipelines. However, SKILL.md and README claim Jenkins support while the repository lacks a Jenkins generator implementation; ask the publisher or inspect the sources before trusting the 'Jenkins' capability. Review generated workflow content before committing (the generators write to .github/workflows and .gitlab-ci.yml). If you provide API tokens to pipeline_monitor.py, treat them as sensitive and scope...
⚠ Purpose and capability
The README and SKILL.md claim support for GitHub Actions, GitLab CI, and Jenkins. The package provides implemented generators for GitHub and GitLab plus a pipeline monitor, but there is no scripts/jenkins_pipeline_generator.py or other Jenkins implementation in the file manifest. SKILL.md also declares a jenkins_pipeline_create action and lists python-jenkins in requirements (optional), but no code uses python-jenkins. This is an inconsistency between stated capabilities and actual code.
✓ Instruction scope
The runtime instructions and included scripts are narrowly scoped: generators create YAML files (.github/workflows/, .gitlab-ci.yml) and pipeline_monitor.py queries official GitHub/GitLab REST APIs. The monitor takes an optional token and only calls api.github.com and gitlab.com by default. Scripts write files to repository paths (expected for generators) but do not attempt to read unrelated system files or exfiltrate data.
✓ Install mechanism
No install spec is present (instruction-only install). Dependencies are standard Python packages listed in requirements.txt (PyYAML, requests, python-jenkins). This is low-risk compared with arbitrary remote downloads.
ℹ Credential requirements
The skill does not require any environment variables or credentials to be set, but the generated workflows reference common CI secrets (e.g., ${{ secrets.DOCKER_PASSWORD }}) and the monitor accepts optional API tokens. Asking for API tokens to query CI status is proportionate, but users should be aware that supplying tokens grants the monitor read access to pipeline metadata for the projects specified.
✓ Persistence and privileges
always:false (no forced permanent presence). The skill writes generated workflow/config files to the working directory (normal for a generator) but does not modify other skills or system-wide agent settings.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/4/17
Initial release of CI/CD Pipeline Toolkit.
- Automates CI/CD pipeline management for GitHub Actions, GitLab CI, and Jenkins.
- Provides tools to create workflows/configs, check pipeline status, and trigger deployments.
- Includes Python examples and scripts for generating and monitoring pipelines.
- Supports build, test, and deploy stages across multiple platforms.
- Requires Python 3.8+ with dependencies: PyYAML, Requests, and optional python-jenkins.
● Benign
Install command
Official: npx clawhub@latest install ci-cd-pipeline-toolkit
Mirror (accelerated): npx clawhub@latest install ci-cd-pipeline-toolkit --registry https://cn.longxiaskill.com (mirror available)