xCloud Docker Deploy
Review
Audited by ClawScan on May 1, 2026.
Overview
This instruction-only deployment skill is coherent and purpose-aligned, but users should carefully review the generated CI/CD and deployment files before applying them.
Installation and use appear reasonable for an xCloud deployment helper. Before applying its output, review the generated Dockerfiles, docker-compose.yml, .env.example and GitHub Actions workflows; confirm that public GHCR images are acceptable; and make sure no secrets or private files are included in the Docker build context.
Findings (4)
Artifact-based, informational review of SKILL.md, the skill metadata, install specs, static scan signals and capability signals. ClawScan does not execute the skill or run runtime probes.
A wrong generated compose file or workflow could break a deployment or expose the wrong service.
The skill directs the agent to generate deployment automation and modified project configuration. This is central to the stated DevOps purpose, but these files can change how the project is built and deployed.
Generate `.github/workflows/docker-build.yml` using `assets/github-actions-build.yml` template
Review all generated files as code changes, test in staging when possible, and do not let the agent apply deployment changes without user approval.
If the workflow is misconfigured or changed later, it could publish unwanted container images under the repository’s package namespace.
The generated workflow uses the repository GITHUB_TOKEN with package write permission to publish container images to GHCR. This is expected for the deployment workflow, but it is still delegated write authority.
permissions:
  contents: read
  packages: write
...
password: ${{ secrets.GITHUB_TOKEN }}
Use least-privilege GitHub Actions permissions, protect the main branch, review workflow changes, and confirm that GHCR publishing is intended.
A bad commit or generated configuration could automatically build and redeploy a broken application.
The generated CI workflow can automatically build images on pushes to main and optionally trigger xCloud deployment when the webhook secret exists. This is purpose-aligned, but errors can propagate to a live site.
on:
  push:
    branches: [main]
...
- name: Trigger xCloud deploy
  if: ${{ secrets.XCLOUD_DEPLOY_WEBHOOK != '' }}
Use branch protection, staging environments, manual approvals, or workflow_dispatch-only deployment if production changes should not happen automatically.
Public container images may reveal application files included in the image layers.
The deployment path tells users to publish images to a public registry. This appears necessary for xCloud's Docker flow, but it can expose container contents if the image includes proprietary code or secrets.
Make GHCR Image Public
Before making images public, confirm the Docker build context excludes secrets and unwanted files, add a .dockerignore, and avoid baking credentials into images.
