Automatically monitor CI/CD pipeline status of new push across GitHub and GitLab in one place. Auto DevOps this is the way 🦞!
Security Analysis
Medium confidence: The skill's description promises automatic, cross‑repo CI/CD monitoring, but the provided instructions only show manual CLI commands and a user-added git alias — and the skill fails to declare required tooling; these mismatches warrant caution.
The README/SKILL.md claim 'automatically monitor CI/CD pipeline status of new push' across GitHub and GitLab, but there is no mechanism for background monitoring, webhooks, or a service that watches remote pushes. The only automation described is a local git alias that the user must add and run manually after pushing. Also, the instructions depend on 'gh' and 'glab' CLIs (and git) but the skill package metadata did not declare any required binaries — an inconsistency.
Instructions are limited to running git, gh, and glab commands and adding a git alias to ~/.gitconfig that runs a shell snippet after push. This is within the stated goal (monitoring pipeline status after a push) but the alias uses a shell invocation ('!f() { ... }; f') which will execute arbitrary shell commands when invoked — this is expected for a git alias but users should review it before adding to their config. The SKILL.md does not instruct reading unrelated files or exfiltrating data.
No install spec and no code files — the skill is instruction-only. That reduces risk because nothing is automatically downloaded or written by the skill package itself.
The skill requests no environment variables or credentials in metadata, which matches the absence of code. However, practical use requires authenticated 'gh' and/or 'glab' sessions (tokens/configs) to access workflows/pipelines. The skill does not mention or declare that those CLIs and credentials must exist, which is a documentation/metadata omission that could confuse users.
No special persistence privileges are requested (always is not set, model invocation flags are default). The skill cannot be invoked autonomously by the model beyond the normal platform behavior.
Guidance
This skill is instruction-only and doesn't install anything, but it is inconsistent with its marketing. Before using it: (1) understand it does not create a background watcher or webhook — it only documents CLI commands and offers a manual git alias that you must add yourself; (2) inspect the alias carefully before adding it to ~/.gitconfig since git aliases starting with '!' run shell code; (3) ensure you have and are logged into the 'gh' and/or 'glab' CLIs (they are required in practice even though not declared); (4) if you need true automatic monitoring across pushes (server-side), use webhooks or a CI integration rather than this local alias; (5) if you want the package to be more trustworthy, ask the publisher to declare required binaries and explain authentication requirements and provide a real homepage/source for review.
Latest Release
v1.0.4
- Documentation updated: the wrapper script for post-push CI/CD monitoring was removed, and instructions now focus solely on the git alias method.
- No changes to the skill's functionality or code.
Published by @okoddcat on ClawHub