Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

xCloud Docker Deploy

v1.2.1

Deploy any project to xCloud hosting — auto-detects stack (WordPress, Laravel, PHP, Node.js, Next.js, NestJS, Python, Go, Rust), routes to native or Docker d...

by Asif @asif2bd
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill's name/description (xCloud Docker deployment, stack detection, Dockerfile/compose/GHA generation) matches the files present and the runtime instructions. There are no unrelated required binaries, config paths, or credentials requested. Templates and references (Dockerfiles, compose templates, GitHub Actions workflow) are directly relevant to the stated goal.
Instruction Scope
SKILL.md instructs the agent to scan the project directory, detect stack signals, and produce modified docker-compose.yml, GitHub Actions workflows, and .env.example — all within the deployment scope. The agent is expected to read repository files (DETECT.md, compose, Dockerfile, package/composer/requirements files) which is appropriate for this task. The only network-related actions are in generated CI templates (e.g., docker login, optional curl to xCloud webhook) which run in GitHub Actions or on xCloud, not by the skill itself.
Install Mechanism
No install spec or executable code is provided; this is instruction-only. There are no download/install steps that would fetch arbitrary code or write binaries to disk. That minimizes installation risk.
Credentials
The skill itself declares no required environment variables or primary credential — appropriate for an instruction-only skill. Generated artifacts reference standard CI secrets (GITHUB_TOKEN, optional XCLOUD_DEPLOY_WEBHOOK) and expect repo secrets to be added by the user; this is reasonable for the workflow but users should be aware the generated workflows will use GitHub secrets and may ask them to make GHCR packages public or add the xCloud webhook secret.
Persistence & Privilege
The skill does not request permanent inclusion (always:false) and does not modify other skills or system-wide agent settings. It merely provides instructions and templates to be applied by the agent or user.
Assessment
This skill appears coherent and focused on adapting docker-compose and producing GitHub Actions for xCloud. Before you use it:

1) Review any generated GitHub Actions workflow before committing — it will push images to GHCR and optionally call an xCloud webhook; ensure the webhook URL and any secrets are trustworthy.
2) Do not commit real secrets (.env) to the repo; the skill correctly advises generating .env.example and storing secrets in GitHub secrets or xCloud UI.
3) If you make GHCR packages public (required by xCloud), confirm you are comfortable with public images.
4) Verify the optional curl trigger to XCLOUD_DEPLOY_WEBHOOK is only present when you add that secret.
5) Because the agent will read your repository files to detect stack and extract env var names, ensure you are comfortable granting the agent access to the repo contents and review outputs before pushing the changes.

Overall the files and instructions are consistent with the described deployment workflow.

Like a lobster shell, security has layers — review code before you run it.
