Back to skill
Skillv3.2.0
ClawScan security
Site Deployer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 19, 2026, 5:59 PM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- Instruction-only skill that scaffolds static HTML and runs a Vercel deploy; overall coherent with minor omissions (it doesn't declare required CLI tooling and the README claims other hosts but only shows a Vercel workflow).
- Guidance
- This skill is an instruction-only deploy helper that scaffolds a static site and runs a Vercel deploy. Before using it: (1) ensure you have the Vercel CLI (and other tools like grep/dig) installed and understand that 'vercel deploy' will upload your site content using your Vercel auth; (2) run the included grep checks to avoid accidentally publishing API keys or secrets; (3) if you intend to use Netlify or GitHub Pages, know that the README gives DNS tips but does not include full deploy commands for those hosts; (4) run these commands from a safe/test directory or review the generated files before executing the deploy to avoid publishing unintended content.
Review Dimensions
- Purpose & Capability
- noteThe skill's stated purpose is to deploy static sites to Vercel, Netlify, or GitHub Pages. The SKILL.md provides a complete Vercel workflow (scaffold + vercel deploy), but it does not provide equivalent step-by-step commands for Netlify or GitHub Pages despite claiming support. The metadata declares no required binaries, yet the instructions assume standard POSIX tools (mkdir, cat, grep, dig) and the Vercel CLI are available—this is an inconsistency but not a direct malicious signal.
- Instruction Scope
- okThe instructions are concrete shell commands that create files and run 'vercel deploy --prod --yes'. They do not instruct reading unrelated system files or exfiltrating data to third-party endpoints beyond the expected deploy target. Note: running the deploy will upload your site content to Vercel (expected behavior for a deploy tool).
- Install Mechanism
- okNo install specification or downloadable code is included; this is instruction-only. That minimizes on-disk risk. However the skill implicitly requires the Vercel CLI and standard shell tools which the metadata does not list.
- Credentials
- noteThe skill requests no environment variables or secrets. That is proportionate. Be aware that 'vercel deploy' requires the user's Vercel authentication (stored or provided at runtime) and the deploy will use that credential to upload the site. The skill does not attempt to access other credentials or config paths.
- Persistence & Privilege
- okThe skill is not set to always:true, is user-invocable, and does not request persistent privileges or modify other skills. Autonomous invocation is allowed by default but not combined with other concerning flags here.