← 返回 Skills 市场
yunxiao-devops
作者
Xiaodong Dai
· GitHub ↗
· v2.5.0
· MIT-0
170
总下载
1
收藏
0
当前安装
5
版本数
在 OpenClaw 中安装
/install yunxiao-devops
功能描述
与阿里云云效(Yunxiao)DevOps 平台交互,覆盖八大核心能力:项目协作 Projex、 代码管理 Codeup、流水线 Flow、应用交付 Appstack、制品仓库 Packages、 测试管理 Testhub、效能洞察 Insight、知识库 Thoughts。 当用户提到云效、Projex、Cod...
安全使用建议
This skill appears to implement a full Yunxiao/DevOps integration and will need your Yunxiao personal access token and organization ID to work — but the registry entry did not declare those environment variables, so confirm them before enabling. Before installing: (1) Inspect the included scripts (they will clone/push repos, create/delete repositories, merge MRs, trigger pipelines, and post notifications). (2) Provide only least-privilege Yunxiao tokens (avoid permanent tokens). (3) Verify whether you want the skill to read global agent config (~/.openclaw/openclaw.json) — that file may contain other service credentials; prefer explicitly supplying FEISHU_* env vars instead of allowing fallback reads. (4) Run the skill in an isolated environment or audit runtime logs during first runs. (5) Ask the publisher to update registry metadata to list required env vars and explain fallback config reads; if they refuse or cannot justify reading ~/.openclaw/openclaw.json, treat it as higher-risk.
功能分析
Type: OpenClaw Skill
Name: yunxiao-devops
Version: 2.5.0
The skill bundle provides a comprehensive suite for Alibaba Yunxiao DevOps automation but contains a hardcoded Personal Access Token (PAT) and Feishu OpenID in `scripts/mr-action.mjs`, which is a major security vulnerability. Additionally, `scripts/bug-fix-flow.mjs` performs high-risk operations including automated SSH key generation, registration of the public key to the Yunxiao platform, and the execution of AI-generated code via Claude Code. While these features are aligned with the stated purpose and include some safeguards (such as privilege dropping to a non-root user), the combination of leaked credentials and broad system/repository access warrants a suspicious classification.
能力评估
Purpose & Capability
Name/description and the included scripts and API reference files are coherent with a Yunxiao (阿里云云效) DevOps integration (projects, code, pipelines, app delivery, test, etc.). However the registry metadata lists no required credentials while SKILL.md clearly requires YUNXIAO_TOKEN and YUNXIAO_ORG_ID — an important mismatch between declared requirements and the actual runtime needs.
Instruction Scope
SKILL.md instructs the agent to run many local scripts (node/.py) that perform broad DevOps actions (clone, push, create/delete repos, create/merge MRs, trigger pipelines, post Feishu cards, etc.). That scope is expected for a DevOps skill, but the instructions also reference reading configuration files outside the skill (e.g., ~/.openclaw/openclaw.json) if FEISHU credentials are not set — this is scope creep because it accesses global agent configuration belonging to other tools/skills.
Install Mechanism
No install spec is provided (instruction-only style), which is lower risk than arbitrary downloads. However, the package contains many executable scripts that the agent will run from the workspace path (/root/.openclaw/workspace/skills/...). There is no explicit installer step listed, so the skill expects the agent to already host these files — verify their origin and integrity before execution.
Credentials
SKILL.md requires sensitive credentials (YUNXIAO_TOKEN, YUNXIAO_ORG_ID) and optional FEISHU credentials; none of these were declared in the registry 'Required env vars' summary, creating an omission. The instructions also allow falling back to reading FEISHU_APP_ID/FEISHU_APP_SECRET from ~/.openclaw/openclaw.json — accessing a global config file from another tool increases blast radius and may expose unrelated secrets. Ensure the skill only receives least-privilege tokens and confirm which paths/variables it will read.
Persistence & Privilege
The skill does not request always:true and does not declare itself as modifying other skills, which is good. However it reads/writes local config/cache (e.g., .env.local, ~/.yunxiao-devops.json, references/workflow-transitions.json) and will execute long-lived flows (polling pipeline/appstack). The most notable issue is reading ~/.openclaw/openclaw.json (global agent config) which gives it access to other stored credentials; that combination increases risk if tokens are over-permissive.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install yunxiao-devops - 安装完成后,直接呼叫该 Skill 的名称或使用
/yunxiao-devops触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.5.0
修复 poll-pipeline/poll-appstack-stage 错误处理;release-flow 改用 spawn+unref 真正后台化;移除 workspace/scripts 重复脚本,统一到 skill 目录;新增 mr-action.mjs;SKILL.md 启动命令改为 nohup+disown
v2.4.0
修复 poll-pipeline/poll-appstack-stage 错误处理;release-flow 改用 spawn+unref 真正后台化;移除 workspace/scripts 重复脚本,统一到 skill 目录;新增 mr-action.mjs;SKILL.md 更新启动命令为 nohup+disown
v1.0.3
移除所有 MCP 依赖:appstack-card/poll-pipeline/poll-appstack-stage 全部改用纯 REST API;删除 yunxiao-mcp.mjs / mcp_client.py / references/tools.md;工作项描述图片嵌入支持 jsonMLValue 格式
v1.0.2
skill 完全自包含:将 poll-pipeline.py / poll-appstack-stage.py / yunxiao-mcp.mjs 移入 skill 目录,移除所有 workspace 绝对路径依赖;凭证全部从 .env.local 或环境变量读取;移除个人 quick-ack 依赖。
v1.0.1
初始发布:阿里云云效 DevOps 全流程自动化 skill。含工作项/迭代/MR/流水线/AppStack 等 20+ 飞书卡片脚本。支持跨项目查询「我的工作项」,自动识别用户 ID,无需预配置。
元数据
常见问题
yunxiao-devops 是什么?
与阿里云云效(Yunxiao)DevOps 平台交互,覆盖八大核心能力:项目协作 Projex、 代码管理 Codeup、流水线 Flow、应用交付 Appstack、制品仓库 Packages、 测试管理 Testhub、效能洞察 Insight、知识库 Thoughts。 当用户提到云效、Projex、Cod... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 170 次。
如何安装 yunxiao-devops?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install yunxiao-devops」即可一键安装,无需额外配置。
yunxiao-devops 是免费的吗?
是的,yunxiao-devops 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
yunxiao-devops 支持哪些平台?
yunxiao-devops 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 yunxiao-devops?
由 Xiaodong Dai(@codingadai)开发并维护,当前版本 v2.5.0。
推荐 Skills