← Back to Skills Marketplace
codingadai

yunxiao-devops

by Xiaodong Dai · GitHub ↗ · v2.5.0 · MIT-0
cross-platform ⚠ suspicious
170
Downloads
1
Stars
0
Active Installs
5
Versions
Install in OpenClaw
/install yunxiao-devops
Description
与阿里云云效(Yunxiao)DevOps 平台交互,覆盖八大核心能力:项目协作 Projex、 代码管理 Codeup、流水线 Flow、应用交付 Appstack、制品仓库 Packages、 测试管理 Testhub、效能洞察 Insight、知识库 Thoughts。 当用户提到云效、Projex、Cod...
Usage Guidance
This skill appears to implement a full Yunxiao/DevOps integration and will need your Yunxiao personal access token and organization ID to work — but the registry entry did not declare those environment variables, so confirm them before enabling. Before installing: (1) Inspect the included scripts (they will clone/push repos, create/delete repositories, merge MRs, trigger pipelines, and post notifications). (2) Provide only least-privilege Yunxiao tokens (avoid permanent tokens). (3) Verify whether you want the skill to read global agent config (~/.openclaw/openclaw.json) — that file may contain other service credentials; prefer explicitly supplying FEISHU_* env vars instead of allowing fallback reads. (4) Run the skill in an isolated environment or audit runtime logs during first runs. (5) Ask the publisher to update registry metadata to list required env vars and explain fallback config reads; if they refuse or cannot justify reading ~/.openclaw/openclaw.json, treat it as higher-risk.
Capability Analysis
Type: OpenClaw Skill Name: yunxiao-devops Version: 2.5.0 The skill bundle provides a comprehensive suite for Alibaba Yunxiao DevOps automation but contains a hardcoded Personal Access Token (PAT) and Feishu OpenID in `scripts/mr-action.mjs`, which is a major security vulnerability. Additionally, `scripts/bug-fix-flow.mjs` performs high-risk operations including automated SSH key generation, registration of the public key to the Yunxiao platform, and the execution of AI-generated code via Claude Code. While these features are aligned with the stated purpose and include some safeguards (such as privilege dropping to a non-root user), the combination of leaked credentials and broad system/repository access warrants a suspicious classification.
Capability Assessment
Purpose & Capability
Name/description and the included scripts and API reference files are coherent with a Yunxiao (阿里云云效) DevOps integration (projects, code, pipelines, app delivery, test, etc.). However the registry metadata lists no required credentials while SKILL.md clearly requires YUNXIAO_TOKEN and YUNXIAO_ORG_ID — an important mismatch between declared requirements and the actual runtime needs.
Instruction Scope
SKILL.md instructs the agent to run many local scripts (node/.py) that perform broad DevOps actions (clone, push, create/delete repos, create/merge MRs, trigger pipelines, post Feishu cards, etc.). That scope is expected for a DevOps skill, but the instructions also reference reading configuration files outside the skill (e.g., ~/.openclaw/openclaw.json) if FEISHU credentials are not set — this is scope creep because it accesses global agent configuration belonging to other tools/skills.
Install Mechanism
No install spec is provided (instruction-only style), which is lower risk than arbitrary downloads. However, the package contains many executable scripts that the agent will run from the workspace path (/root/.openclaw/workspace/skills/...). There is no explicit installer step listed, so the skill expects the agent to already host these files — verify their origin and integrity before execution.
Credentials
SKILL.md requires sensitive credentials (YUNXIAO_TOKEN, YUNXIAO_ORG_ID) and optional FEISHU credentials; none of these were declared in the registry 'Required env vars' summary, creating an omission. The instructions also allow falling back to reading FEISHU_APP_ID/FEISHU_APP_SECRET from ~/.openclaw/openclaw.json — accessing a global config file from another tool increases blast radius and may expose unrelated secrets. Ensure the skill only receives least-privilege tokens and confirm which paths/variables it will read.
Persistence & Privilege
The skill does not request always:true and does not declare itself as modifying other skills, which is good. However it reads/writes local config/cache (e.g., .env.local, ~/.yunxiao-devops.json, references/workflow-transitions.json) and will execute long-lived flows (polling pipeline/appstack). The most notable issue is reading ~/.openclaw/openclaw.json (global agent config) which gives it access to other stored credentials; that combination increases risk if tokens are over-permissive.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install yunxiao-devops
  3. After installation, invoke the skill by name or use /yunxiao-devops
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.5.0
修复 poll-pipeline/poll-appstack-stage 错误处理;release-flow 改用 spawn+unref 真正后台化;移除 workspace/scripts 重复脚本,统一到 skill 目录;新增 mr-action.mjs;SKILL.md 启动命令改为 nohup+disown
v2.4.0
修复 poll-pipeline/poll-appstack-stage 错误处理;release-flow 改用 spawn+unref 真正后台化;移除 workspace/scripts 重复脚本,统一到 skill 目录;新增 mr-action.mjs;SKILL.md 更新启动命令为 nohup+disown
v1.0.3
移除所有 MCP 依赖:appstack-card/poll-pipeline/poll-appstack-stage 全部改用纯 REST API;删除 yunxiao-mcp.mjs / mcp_client.py / references/tools.md;工作项描述图片嵌入支持 jsonMLValue 格式
v1.0.2
skill 完全自包含:将 poll-pipeline.py / poll-appstack-stage.py / yunxiao-mcp.mjs 移入 skill 目录,移除所有 workspace 绝对路径依赖;凭证全部从 .env.local 或环境变量读取;移除个人 quick-ack 依赖。
v1.0.1
初始发布:阿里云云效 DevOps 全流程自动化 skill。含工作项/迭代/MR/流水线/AppStack 等 20+ 飞书卡片脚本。支持跨项目查询「我的工作项」,自动识别用户 ID,无需预配置。
Metadata
Slug yunxiao-devops
Version 2.5.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 5
Frequently Asked Questions

What is yunxiao-devops?

与阿里云云效(Yunxiao)DevOps 平台交互,覆盖八大核心能力:项目协作 Projex、 代码管理 Codeup、流水线 Flow、应用交付 Appstack、制品仓库 Packages、 测试管理 Testhub、效能洞察 Insight、知识库 Thoughts。 当用户提到云效、Projex、Cod... It is an AI Agent Skill for Claude Code / OpenClaw, with 170 downloads so far.

How do I install yunxiao-devops?

Run "/install yunxiao-devops" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is yunxiao-devops free?

Yes, yunxiao-devops is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does yunxiao-devops support?

yunxiao-devops is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created yunxiao-devops?

It is built and maintained by Xiaodong Dai (@codingadai); the current version is v2.5.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments