Astro

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is mostly a coherent Astro/Cloudflare deployment guide, but one included helper script can write files outside its intended blog directory if given a title containing path separators.

This skill appears aligned with building and deploying Astro sites, but review the included helper script before using it. Avoid passing untrusted titles to astro-new-post.py until its filename handling is fixed, and confirm Cloudflare deployment targets before running Wrangler commands.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A crafted post title could cause the helper to create a markdown file outside the intended locale folder, potentially modifying unexpected parts of the local project.

Why it was flagged

The script derives the output filename from user-controlled title text but does not reject path separators or '..' segments before writing the file.

Skill content
slug = title.lower().replace(" ", "-").replace("'", "") ... filename = f"{slug}.md" ... filepath = lang_dir / filename ... filepath.write_text(frontmatter, encoding="utf-8")
Recommendation

Sanitize slugs with an allowlist such as letters, numbers, and hyphens; reject '/', '\', and '..'; resolve the final path and verify it remains inside the intended language directory before writing.

What this means

If run under the wrong Cloudflare account or project, deployment commands could publish or update the wrong site.

Why it was flagged

The skill requires Cloudflare account authentication and uses that authority to deploy a site, which is expected for Cloudflare Pages but still grants account-level deployment capability.

Skill content
- Cloudflare account (free) ... `npx wrangler login` | Authenticate with Cloudflare | ... `npx wrangler pages deploy dist` | Deploy to Cloudflare |
Recommendation

Use a least-privileged Cloudflare account/token where possible, confirm the target Pages project before deploying, and review generated content before publishing.

What this means

The exact package code run during setup can change over time, so builds may behave differently or inherit upstream package risk.

Why it was flagged

The setup and deployment workflow fetches and runs npm-hosted tooling. This is normal for Astro and Wrangler, but the examples use latest/unpinned package resolution.

Skill content
npm create astro@latest my-site ... npm install @astrojs/cloudflare ... npx wrangler pages deploy dist
Recommendation

Run these commands in a dedicated project directory, review package sources where appropriate, and pin dependency versions for reproducible deployments.