Static App
Version: v1.0.4
Deploy static websites to Static.app hosting. Use when the user wants to deploy, upload, or host a static site on Static.app. Triggers on phrases like "deploy to static.app", "upload to static", "host on static.app", "static.app deploy", or when working with the Static.app hosting service.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (medium confidence)

Purpose & Capability
The code and SKILL.md match the described purpose (deploy, list, delete, download sites on Static.app). However, the skill metadata declares no required environment variables and no required binaries, while the runtime explicitly requires a STATIC_APP_API_KEY and Node.js to run the scripts — this mismatch is incoherent and should be corrected before trusting the skill.
Instruction Scope
The SKILL.md and scripts direct the agent to read arbitrary files from the directory you run the deploy script in, create a zip archive, and POST it to api.static.app. By default deploy.js zips the current directory ('.'), so if run from a high-level path it may include unintended or sensitive files. download.js writes extracted sites into a workspace/staticapp path derived relative to the script location. These behaviors are expected for a deploy tool but grant the skill broad file-read/write scope and could lead to accidental data upload if the user is not careful.
Install Mechanism
There is no network install spec embedded in the registry entry (lowest risk), but the package includes package.json and package-lock.json and instructs users to run `cd scripts && npm install`. Dependencies are from the public npm registry (archiver, adm-zip, form-data, node-fetch) — standard for this task. No suspicious external download URLs or extract-from-arbitrary-server steps were found.
Credentials
The runtime requires a single API key (STATIC_APP_API_KEY, or passed with -k) to authenticate to Static.app — that is appropriate. However, the registry metadata does not declare this required environment variable or Node as a required binary, which is an important omission. The skill does not request unrelated credentials.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide privileges. It writes deployment artifacts and extracted sites into workspace-relative directories only; it does not attempt to modify other skills or system configurations.
What to consider before installing or using the skill:
- Confirm Node.js is available where the skill will run (these are Node scripts). The registry metadata should declare this; it currently does not.
- The scripts require an API key (STATIC_APP_API_KEY, starting with sk_). Set this securely (not in checked-in files). The skill will send that key to https://api.static.app — that's expected for deploying, but ensure you trust the source of the skill.
- The deploy script zips whatever directory you point it at (default: current directory '.'). To avoid accidentally uploading secrets or many files, run the script from a clean project folder (or pass the specific SOURCE_DIR). Also review and, if needed, tighten the exclude list before running.
- Review the included package-lock.json/package.json and consider running npm install in an isolated environment to inspect dependencies for supply-chain risk.
- The metadata omission (no required env var/binary declared) is an inconsistency — prefer a version of the skill that declares STATIC_APP_API_KEY and Node as requirements.
Given these issues, the skill looks like it performs its stated function, but the metadata omissions and the potential for accidental upload justify caution. If you depend on this skill, request or verify an updated manifest that accurately lists required env vars and Node, and audit the scripts yourself before running them.

Latest version id: vk97edq76epj6bscbg6py39bh0n80t1b9