Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Web Deploy GitHub Pages
v1.0.0
Create and deploy single-page static websites to GitHub Pages with autonomous workflow. Use when building portfolio sites, CV pages, landing pages, or any static web project that needs GitHub Pages deployment. Handles complete workflow from project initialization to live deployment with GitHub Actions automation.
⭐ 7· 6.2k·40 current·41 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, description, scripts, and templates are coherent: it initializes a static site and deploys it via GitHub Actions/gh. However the registry metadata declares no required binaries or credentials even though the runtime scripts clearly require the GitHub CLI (gh) and git and depend on an authenticated GitHub session. That mismatch between claimed requirements and actual needs is noteworthy.
Instruction Scope
SKILL.md and the provided scripts stay within the stated purpose: they generate files, create a git repo, create/push a GitHub repo, configure Pages, and rely on a GitHub Actions workflow. The docs include absolute example paths (e.g., /root/clawd/...) which are only examples but could mislead an autonomous agent to use system-root locations; otherwise the instructions do not try to read unrelated system files or exfiltrate data.
Install Mechanism
This is an instruction-only skill (no package install step). Files are included in the bundle and nothing is downloaded or extracted from arbitrary URLs during install — lower install risk.
Credentials
The skill declares no required env vars or primary credential, yet its scripts call 'gh' and use 'gh api' and rely on 'gh auth status' (which uses local credentials/tokens). That means GitHub authentication (an OAuth token or local gh credential) is implicitly required but not declared. The metadata should at least list required binaries (gh, git) and note that an authenticated GitHub account with appropriate scopes is necessary.
Persistence & Privilege
The skill does not request permanent inclusion (always:false) and does not modify other skills or global agent settings. It does perform operations in the user's GitHub account (creating repos, pushing), which is consistent with its purpose but is a potentially impactful action when invoked autonomously.
What to consider before installing
This skill will run local scripts that use git and the GitHub CLI (gh) to create repositories, push code, and call the GitHub API. Before installing or running it:
- Understand it requires the gh CLI and git to be installed and the gh CLI to be authenticated (it will use your gh credentials/token). The skill metadata does not list these dependencies — verify them yourself.
- Review the included scripts (init_project.sh and deploy_github_pages.sh) to confirm they do what you expect (they create repos, push to origin, and call gh api to configure Pages).
- If you allow autonomous invocation, the agent could create public repositories and push content in your GitHub account; consider using a throwaway/test GitHub account or verifying gh auth scopes (pages, repo) before granting access.
- The documentation contains absolute example paths (/root/...), which are examples only — ensure the agent executes scripts in a safe working directory.
- If you need stricter control, run the scripts manually rather than giving the agent autonomous permission, or inspect and run them yourself after confirming dependencies and desired repository visibility.
