Web Deploy

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: web-deploy
Version: 1.0.0

The skill bundle provides standard commands and instructions for building and deploying web applications to various platforms (Vercel, Railway, GitHub Pages, and a local Clawdbot workspace). All commands, including file system operations like `cp -r ./dist/* ~/clawd/canvas/my-project/`, are directly aligned with the stated purpose of web deployment and involve common CLI tools. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts designed to harm the agent or its environment. The file system access is limited to copying build artifacts to a designated local deployment path, which is a legitimate function for a deployment skill.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run against the wrong project, branch, or account, these commands could change a live site or service.

Why it was flagged

These are high-impact deployment or repository-changing commands. They are expected for a web deployment skill, but they can publish production changes or push rollbacks.

Skill content

npx vercel --prod
railway up
git revert HEAD && git push

Recommendation

Confirm the target project, account, branch, build output, and user intent before running production deploy, rollback, or push commands.

What this means

Commands may act with the permissions of the logged-in Vercel, Railway, or GitHub account.

Why it was flagged

These instructions rely on provider account sessions and deployment secrets. This is disclosed and purpose-aligned for deployment, but it uses account privileges.

Skill content

railway login
npx vercel link
npx vercel env add SECRET_KEY
railway variables set SECRET_KEY=value

Recommendation

Use the least-privileged account or project scope available, verify which account is logged in, and avoid entering real secrets unless the target platform and project are correct.

What this means

The commands may download or execute third-party CLI packages from the npm ecosystem.

Why it was flagged

The examples invoke external npm/npx packages without pinned versions. This is common for web tooling, but it means the exact package version is resolved at use time.

Skill content

npx http-server ./dist -p 8080 -c-1
npx vercel
npm install -D gh-pages
npx serve dist

Recommendation

Prefer trusted package sources, pin versions where practical, and review project package files before installing or running deployment tools.