Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AppDeploy

v1.0.7

Deploy web apps with backend APIs, database, file storage, AI operations, authentication, realtime, and cron jobs. Use when the user asks to deploy or publis...

8· 3.2k·3 current·3 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious

OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the instructions: the SKILL.md describes calling an AppDeploy HTTP API to get templates, upload files, and manage deployments. It does not request unrelated credentials, binaries, or system paths.
Instruction Scope
Instructions stay within deployment scope (look for .appdeploy in project root, register an API key with api-v2.appdeploy.ai, send files and diffs). This necessarily requires reading project files and transmitting them to the AppDeploy endpoint — expected for a deploy tool but a privacy/exfiltration vector you should consider. The skill also requires calling get_deploy_instructions before generating code (reasonable).
Install Mechanism
No install spec and no code files—instruction-only—so nothing is written to disk by an installer. Low install risk.
Credentials
No environment variables or unrelated credentials are requested. The skill uses an API key stored in a local .appdeploy file, which is appropriate for a hosted deployment service.
Persistence & Privilege
The skill is not always-enabled and does not ask to modify other skills or system settings. It can be invoked autonomously (platform default) which, combined with its ability to upload files, is something you should control via agent permissions but is not inherently incoherent.
Assessment
This skill appears to do what it says (deploy apps) and doesn't request unrelated secrets, but it will: (1) call an external API at api-v2.appdeploy.ai, (2) create/register an API key for you, and (3) upload project files. Before installing or invoking it, verify you trust the AppDeploy service (look for a homepage, docs, or organization), and review what files the agent will send. Prefer running on non-sensitive/test projects first. Be cautious about allowing autonomous invocation — require explicit user approval before the agent registers keys or uploads code. Ensure .gitignore includes .appdeploy and that saved API keys are stored only where you intend. If you need higher assurance, ask the skill author for a homepage, privacy/terms, or an official SDK/release URL to validate the service identity.

Version: latest (vk973qdrqfznw36r7p102rvasmd829dsp)
