ClawHub

Static App

Deploy static websites to Static.app hosting. Use when the user wants to deploy, upload, or host a static site on Static.app. Triggers on phrases like "deploy to static.app", "upload to static", "host on static.app", "static.app deploy", or when working with the Static.app hosting service.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
2 · 1.1k · 0 current installs · 0 all-time installs
by@Akellacom
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The code and SKILL.md match the described purpose (deploy, list, delete, download sites on Static.app). However the skill metadata declares no required environment variables and no required binaries, while the runtime explicitly requires a STATIC_APP_API_KEY and Node.js to run the scripts — this mismatch is incoherent and should be corrected before trusting the skill.
!
Instruction Scope
The SKILL.md and scripts direct the agent to read arbitrary files from the directory you run the deploy script in, create a zip archive, and POST it to api.static.app. By default deploy.js zips the current directory ('.'), so if run from a high-level path it may include unintended or sensitive files. download.js writes extracted sites into a workspace/staticapp path derived relative to the script location. These behaviors are expected for a deploy tool but grant the skill broad file-read/write scope and could lead to accidental data upload if the user is not careful.
Install Mechanism
There is no network install spec embedded in the registry entry (lowest risk), but the package includes package.json and package-lock.json and instructs users to run `cd scripts && npm install`. Dependencies are from the public npm registry (archiver, adm-zip, form-data, node-fetch) — standard for this task. No suspicious external download URLs or extract-from-arbitrary-server steps were found.
!
Credentials
The runtime requires a single API key (STATIC_APP_API_KEY or passed with -k) to authenticate to Static.app — that is appropriate. However the registry metadata does not declare this required environment variable or Node as a required binary, which is an important omission. The skill does not request unrelated credentials.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide privileges. It writes deployment artifacts and extracted sites into workspace-relative directories only; it does not attempt to modify other skills or system configurations.
What to consider before installing
What to check before installing/use: - Confirm Node.js is available where the skill will run (these are Node scripts). The registry metadata should declare this; it currently does not. - The scripts require an API key (STATIC_APP_API_KEY, starting with sk_). Set this securely (not in checked-in files). The skill will send that key to https://api.static.app — that's expected for deploying, but ensure you trust the source of the skill. - The deploy script zips whatever directory you point it at (default: current directory '.'). To avoid accidentally uploading secrets or many files, run the script from a clean project folder (or pass the specific SOURCE_DIR). Also review and, if needed, tighten the exclude list before running. - Review the included package-lock.json/package.json and consider running npm install in an isolated environment to inspect dependencies for supply-chain risk. - The metadata omission (no required env var/binary declared) is an inconsistency — prefer a version of the skill that declares STATIC_APP_API_KEY and Node as requirements. Given these issues, the skill looks like it performs its stated function, but the metadata omissions and the potential for accidental upload justify caution. If you depend on this skill, request or verify an updated manifest that accurately lists required env vars and Node, and audit the scripts yourself before running them.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.4
Download zip
latestvk97edq76epj6bscbg6py39bh0n80t1b9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Static.app Deployment Skill

Deploy static websites and applications to Static.app hosting directly from OpenClaw.

Workspace Structure

All Static.app operations in your workspace use a dedicated folder structure:

workspace/
└── staticapp/              # Main folder for all Static.app operations
    ├── new-site/           # New sites created locally
    └── {pid}/              # Downloaded existing sites (by PID)
  • New sites: Created in staticapp/ subfolders before deployment
  • Downloaded sites: Extracted to staticapp/{pid}/ for editing

How Static.app Handles Files

Static.app automatically creates clean URLs from your filenames:

FileURL
index.html/ (homepage)
about.html/about
portfolio.html/portfolio
contact.html/contact

No subdirectories needed! Just create .html files in the root folder.

Project Structure

Simple Multi-Page Site

my-site/
├── index.html          # Homepage → /
├── about.html          # About page → /about
├── portfolio.html      # Portfolio → /portfolio
├── contact.html        # Contact → /contact
├── style.css           # Stylesheet
├── js/                 # JavaScript files
│   ├── main.js
│   └── utils.js
└── images/             # Images folder
    ├── logo.png
    └── photo.jpg

JavaScript App (React, Vue, etc.)

For JS apps, build first, then deploy the dist (or build) folder:

# Build your app
npm run build

# Deploy the dist folder
node scripts/deploy.js ./dist

Prerequisites

  1. Get API Key: Go to https://static.app/account/api and create an API key (starts with sk_)
  2. Set Environment Variable: Store the API key in STATIC_APP_API_KEY env var

Usage

Deploy Multi-Page Site

# Create your pages
echo '<h1>Home</h1>' > index.html
echo '<h1>About</h1>' > about.html
echo '<h1>Portfolio</h1>' > portfolio.html

# Deploy
node scripts/deploy.js

Deploy Specific Directory

node scripts/deploy.js ./my-site

Update Existing Site

node scripts/deploy.js . --pid olhdscieyr

List All Sites

node scripts/list.js

List Site Files

node scripts/files.js YOUR_PID

Options:

  • --raw — Output raw JSON
  • -k <key> — Specify API key

Delete Site

node scripts/delete.js YOUR_PID

Options:

  • -f, --force — Skip confirmation prompt
  • -k <key> — Specify API key

Download Site

Download an existing site to your workspace for editing:

node scripts/download.js YOUR_PID

This will:

  1. Fetch the download URL from Static.app API
  2. Download the site archive
  3. Extract it to staticapp/{pid}/

Options:

  • -p, --pid — Site PID to download
  • -o, --output — Custom output directory (default: ./staticapp/{pid})
  • -k <key> — Specify API key
  • --raw — Output raw JSON response

Example:

# Download site to default location
node scripts/download.js abc123

# Download to custom folder
node scripts/download.js abc123 -o ./my-site

Script Options

node scripts/deploy.js [SOURCE_DIR] [OPTIONS]

Arguments:
  SOURCE_DIR          Directory to deploy (default: current directory)

Options:
  -k, --api-key       API key (or set STATIC_APP_API_KEY env var)
  -p, --pid           Project PID to update existing site
  -e, --exclude       Comma-separated exclude patterns
  --keep-zip          Keep zip archive after deployment

Default Exclusions

The following are automatically excluded from deployment:

  • node_modules
  • .git, .github
  • *.md
  • package*.json
  • .env
  • .openclaw

Important Notes

✅ What Works

  • Static HTML sites — Any number of .html pages
  • CSS & JavaScript — Frontend frameworks, vanilla JS
  • Images & Assets — Place in images/ folder or root
  • JavaScript files — Place in js/ folder or root
  • Built JS Apps — Deploy dist/ or build/ folder after npm run build

❌ What Doesn't Work

  • Node.js Server Apps — No server-side rendering, no Express.js, no API routes
  • PHP, Python, Ruby — Static.app only serves static files
  • Databases — Use client-side storage or external APIs

JavaScript Apps Workflow

# 1. Build your React/Vue/Angular app
npm run build

# 2. Deploy the build output
node scripts/deploy.js ./dist --pid YOUR_PID

API Reference

Deploy Site

  • Endpoint: POST https://api.static.app/v1/sites/zip
  • Auth: Bearer token (API key)
  • Body: Multipart form with archive (zip file) and optional pid

List Sites

  • Endpoint: GET https://api.static.app/v1/sites
  • Auth: Bearer token (API key)
  • Headers: Accept: application/json

List Site Files

  • Endpoint: GET https://api.static.app/v1/sites/files/{pid}
  • Auth: Bearer token (API key)
  • Headers: Accept: application/json

Delete Site

  • Endpoint: DELETE https://api.static.app/v1/sites/{pid}
  • Auth: Bearer token (API key)
  • Headers: Accept: application/json

Download Site

  • Endpoint: GET https://api.static.app/v1/sites/download/{pid}
  • Auth: Bearer token (API key)
  • Headers: Accept: application/json
  • Response: Returns download URL for the site archive

Dependencies

  • archiver — Zip archive creation
  • form-data — Multipart form encoding
  • node-fetch — HTTP requests
  • adm-zip — Zip extraction

Install with: cd scripts && npm install

Response

On success, the script outputs:

✅ Deployment successful!
🌐 Site URL: https://xyz.static.app
📋 PID: abc123

STATIC_APP_URL=https://xyz.static.app
STATIC_APP_PID=abc123

Workflow

  1. Check for STATIC_APP_API_KEY env var or --api-key
  2. Create zip archive from source directory (with exclusions)
  3. Upload to Static.app API
  4. Parse response and output URLs
  5. Clean up temporary zip file

Error Handling

  • Missing API key → Clear error with instructions
  • Network issues → HTTP error details
  • Invalid PID → API error message

Files

8 total
Select a file
Select a file to preview.

Comments

Loading comments…