Web Deploy

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run against the wrong project, branch, or account, these commands could change a live site or service.

Why it was flagged

These are high-impact deployment or repository-changing commands. They are expected for a web deployment skill, but they can publish production changes or push rollbacks.

Skill content

npx vercel --prod
railway up
git revert HEAD && git push

Recommendation

Confirm the target project, account, branch, build output, and user intent before running production deploy, rollback, or push commands.

What this means

Commands may act with the permissions of the logged-in Vercel, Railway, or GitHub account.

Why it was flagged

These instructions rely on provider account sessions and deployment secrets. This is disclosed and purpose-aligned for deployment, but it uses account privileges.

Skill content

railway login
npx vercel link
npx vercel env add SECRET_KEY
railway variables set SECRET_KEY=value

Recommendation

Use the least-privileged account or project scope available, verify which account is logged in, and avoid entering real secrets unless the target platform and project are correct.

What this means

The commands may download or execute third-party CLI packages from the npm ecosystem.

Why it was flagged

The examples invoke external npm/npx packages without pinned versions. This is common for web tooling, but it means the exact package version is resolved at use time.

Skill content

npx http-server ./dist -p 8080 -c-1
npx vercel
npm install -D gh-pages
npx serve dist

Recommendation

Prefer trusted package sources, pin versions where practical, and review project package files before installing or running deployment tools.