Render Deploy Diff

v1.0.0

Detect config drift between required local env keys and a Render service before deploy; fails when required keys are missing remotely.

by Daniel Lummis (@daniellummis)
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the script and SKILL.md. Required binaries (bash, curl, python3) and RENDER_API_KEY are reasonable and proportionate for querying the Render API and parsing local files.
Instruction Scope
The runtime instructions and script only read explicit local env template files (default .env.example,.env.production or files you pass), optional offline JSON, and call the Render API to fetch env-vars. They do not attempt to read other system paths. Note: the script supports an override RENDER_API_BASE_URL (for testing) which means requests (and the Authorization header) will be sent to whatever URL you configure.
Install Mechanism
Instruction-only skill with an included shell script; no installation, downloads, or archive extraction. This has a low install risk surface.
Credentials
Only RENDER_API_KEY is required. Other inputs (SERVICE_ID/NAME, REQUIRED_ENV_KEYS/FILES, RENDER_ENV_VARS_JSON_PATH, RENDER_API_BASE_URL) are optional and make sense for the stated use-cases (live vs offline testing). Be aware RENDER_API_BASE_URL can redirect the token to an arbitrary endpoint if set by the user.
Persistence & Privilege
The skill does not request persistent presence (always is false), does not modify other skills or system configuration, and does not write persistent secrets.
Assessment
This skill appears coherent and implements its stated purpose. Before using it: (1) avoid pointing RENDER_API_BASE_URL at untrusted endpoints — the script will send your RENDER_API_KEY as a Bearer token to that URL; (2) prefer offline testing with RENDER_ENV_VARS_JSON_PATH when possible; (3) limit the privileges of the Render API key you provide (use a token with minimal required scope if possible); and (4) review any local .env.* files you allow the script to parse to make sure they don't contain secrets you don't want read. If you have concerns, run the script in a disposable environment or with a non-production token first.


Runtime requirements

Bins: bash, curl, python3
Env: RENDER_API_KEY
License: MIT-0

Render Deploy Diff

Use this skill before deploy to compare required environment keys with what is currently configured on a Render service.

What this skill does

  • Resolves a target Render service by RENDER_SERVICE_ID or RENDER_SERVICE_NAME
  • Reads required env keys from REQUIRED_ENV_KEYS or local env template files
  • Fetches configured env keys from Render API
  • Prints two drift sets:
    • required but missing on Render
    • present on Render but not required locally
  • Exits non-zero when required keys are missing on Render

Inputs

  • RENDER_API_KEY (required unless using mock JSON)
  • one of:
    • RENDER_SERVICE_ID
    • RENDER_SERVICE_NAME
  • optional:
    • RENDER_API_BASE_URL (default https://api.render.com/v1)
    • REQUIRED_ENV_KEYS (comma-separated explicit required keys)
    • REQUIRED_ENV_FILES (comma-separated files to parse, default .env.example,.env.production)
    • RENDER_ENV_VARS_JSON_PATH (path to saved Render env-var API JSON for offline testing)

Run

bash scripts/render-deploy-diff.sh

With explicit required keys:

RENDER_SERVICE_NAME=my-service \
REQUIRED_ENV_KEYS="DATABASE_URL,DIRECT_URL,SHADOW_DATABASE_URL,NEXT_PUBLIC_APP_URL" \
bash scripts/render-deploy-diff.sh

Offline test with saved API response:

REQUIRED_ENV_KEYS="DATABASE_URL,NEXT_PUBLIC_APP_URL" \
RENDER_ENV_VARS_JSON_PATH=./fixtures/render-env-vars.json \
bash scripts/render-deploy-diff.sh

Output contract

  • Prints service identity, required key count, remote key count, and drift summary
  • Returns exit code 0 when all required keys exist on Render
  • Returns exit code 1 when required keys are missing or inputs are invalid
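
The drift check and exit-code contract described above, together with a guard for the RENDER_API_BASE_URL risk noted in the scan, as an added example (not the skill's own script). The function names, the sample data and the assumed JSON shape (a list of items carrying a key under "envVar", or flat) are assumptions, and the exact-host allowlist is stricter than the script, which accepts any override for testing.

```python
import json
from urllib.parse import urlsplit

OFFICIAL_HOST = "api.render.com"  # host of the default RENDER_API_BASE_URL on this page

def base_url_is_safe(base_url):
    """True only if the Bearer token would go to the official host over HTTPS."""
    parts = urlsplit(base_url)
    # .hostname drops userinfo and port, so "https://api.render.com@other.example" fails
    return parts.scheme == "https" and parts.hostname == OFFICIAL_HOST

def keys_from_template(text):
    """Collect key names from .env-style text; values are never kept."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name = line.split("=", 1)[0].strip()
        if name.startswith("export "):
            name = name[len("export "):].strip()
        if name:
            keys.add(name)
    return keys

def keys_from_render_json(raw):
    """Assumed shape: list of {"envVar": {"key": ...}} items, or flat {"key": ...}."""
    keys = set()
    for item in json.loads(raw):
        entry = item.get("envVar", item)
        if "key" in entry:
            keys.add(entry["key"])
    return keys

def drift(required, remote):
    missing = sorted(required - remote)  # required but missing on Render
    extra = sorted(remote - required)    # present on Render but not required locally
    return missing, extra, (1 if missing else 0)  # exit code per the output contract

# Constructed sample inputs (not real service data).
SAMPLE_TEMPLATE = """# constructed .env.example
DATABASE_URL=
export DIRECT_URL=postgres://placeholder
NEXT_PUBLIC_APP_URL=https://example.invalid
"""
SAMPLE_RENDER_JSON = json.dumps([
    {"envVar": {"key": "DATABASE_URL", "value": "x"}, "cursor": "c1"},
    {"envVar": {"key": "NEXT_PUBLIC_APP_URL", "value": "y"}, "cursor": "c2"},
    {"envVar": {"key": "LEGACY_FLAG", "value": "z"}, "cursor": "c3"},
])
```

Running the guard before any request is made means a mis-set base URL fails closed instead of forwarding the Authorization header.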
