Documentation

CI/CD Pipeline API & Skill Testing Reference

Technical reference for the ClawProd pipeline API, skill testing framework, and security scanning configuration.

Pipeline API

The ClawProd pipeline runs automatically on every git push via a GitHub Action. You can also trigger and query builds programmatically.

Trigger a Build

POST /api/v1/builds
Authorization: Bearer <api-key>

{
  "repo": "github.com/user/my-skill",
  "ref": "main",
  "publish": true
}

Get Build Status

GET /api/v1/builds/:buildId

Response:
{
  "id": "build_abc123",
  "status": "passed",
  "stages": ["lint", "test", "security-scan", "publish"],
  "duration_ms": 12340,
  "published_version": "1.2.0"
}

List Builds

GET /api/v1/builds?repo=github.com/user/my-skill&status=failed&limit=10

Pipeline Stages

Every build runs four stages in order. A failure at any stage stops the pipeline.

  1. Lint — Validates skill manifest, metadata fields, and file structure against the OpenClaw skill spec.
  2. Test — Runs your test suite in an isolated sandbox. If no custom tests exist, runs the default test suite (manifest validation, permission checks, basic execution).
  3. Security Scan — Checks for CVEs in dependencies, excessive permission requests, data exfiltration patterns, and prompt injection vectors.
  4. Publish — On pass, bumps version, generates changelog, and publishes to ClawHub. Only runs if publish: true.
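A deploy-side gate for the build status document, written as an added example (not ClawProd's own client code): it polls GET /api/v1/builds/:buildId and fails closed unless the build passed and lint, test and security-scan appear in order. The host name, the CLAWPROD_API_KEY environment variable, reading "stages" as the stages that ran, and treating any status other than passed or failed as still in progress are assumptions.

```python
import json
import os
import time
import urllib.request

BASE_URL = "https://clawprod.example/api/v1"  # placeholder host (assumption)
TERMINAL = {"passed", "failed"}               # the only statuses the page shows
STAGES = ["lint", "test", "security-scan", "publish"]


def fetch_build(build_id, api_key=None):
    """GET /api/v1/builds/:buildId with the key in a header, never in the URL."""
    # Assumption: the key is supplied through the environment, not hardcoded.
    api_key = api_key or os.environ["CLAWPROD_API_KEY"]
    req = urllib.request.Request(
        f"{BASE_URL}/builds/{build_id}",
        headers={"Authorization": f"Bearer {api_key}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def wait_for_build(build_id, fetch=fetch_build, timeout_s=600, interval_s=5,
                   sleep=time.sleep):
    """Poll until the build reaches a terminal status or the deadline passes."""
    deadline = time.monotonic() + timeout_s
    while True:
        build = fetch(build_id)
        if build.get("status") in TERMINAL:
            return build
        if time.monotonic() >= deadline:
            raise TimeoutError(f"{build_id} still {build.get('status')!r}")
        sleep(interval_s)


def gate(build, expect_publish=True):
    """Fail closed: return (ok, reason); anything unexpected blocks the release."""
    if build.get("status") != "passed":
        return False, f"status={build.get('status')!r}"
    # Assumption: "stages" lists the stages that ran, in pipeline order.
    wanted = STAGES if expect_publish else STAGES[:3]
    stages = build.get("stages") or []
    if stages[:len(wanted)] != wanted:
        return False, f"stages={stages!r}, expected {wanted!r}"
    if expect_publish and not build.get("published_version"):
        return False, "no published_version reported"
    return True, "ok"
```

Call gate(wait_for_build(build_id)) from the job that consumes the published skill and stop on a False result.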

Skill Testing Framework

ClawProd includes a built-in testing framework for OpenClaw skills. Tests run in a sandboxed environment with a real OpenClaw instance.

Test File Structure

# tests/my-skill.test.yaml
name: "My Skill Tests"
setup:
  env: sandbox
  fixtures: ["sample-data.json"]
tests:
  - name: "handles valid input"
    input: "Process this sample data"
    expect:
      status: success
      output_contains: "processed"
  - name: "rejects unauthorized access"
    input: "Access restricted resource"
    permissions: ["read"]
    expect:
      status: error
      error_type: "permission_denied"

Default Test Suite

Skills without custom tests still get checked against the default suite:

  • Manifest schema validation (required fields, correct types)
  • Permission scope verification (no unnecessary permissions)
  • Basic execution test (skill loads and responds without error)
  • Dependency version check (no known-vulnerable packages)

Security Scanning Reference

The security scanner runs five checks on every build:

  • CVE scan — Checks all dependencies against the National Vulnerability Database.
  • Permission analysis — Flags skills requesting more permissions than their functionality requires.
  • Data exfiltration detection — Identifies patterns like unauthorized network calls, file system reads outside scope, or credential harvesting.
  • Prompt injection vectors — Scans for common injection patterns in skill prompts and input handling.
  • Custom policies — Enterprise users can define organization-specific security rules.

GitHub Action Setup

# .github/workflows/clawprod.yml
name: ClawProd CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: clawprod/action@v1
        with:
          api-key: ${{ secrets.CLAWPROD_API_KEY }}
          publish: true

Ready to automate your skill pipeline?

Join the waitlist for early access to ClawProd CI/CD with 50 free builds per month.
