Devops Deploy

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent instruction-only DevOps guide, but its deployment, cloud-resource, CLI-install, and secret-management examples should be reviewed before use.

Install or use this skill only if you want help with deployments and infrastructure. Review every command before running it, especially production deploys, paid hosting/domain actions, cloud resource creation, backup retention/deletion, and CLI installs. Keep real secrets out of chat and use provider secret-management tools with least-privilege credentials.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken command could change a live service, create costs, or remove backups.

Why it was flagged

These documented commands can publish production deployments, create cloud database resources, deploy services, and delete backup objects. That is aligned with the deployment purpose, but it is high-impact if run against the wrong account or environment.

Skill content

vercel --prod ... railway add --plugin postgresql ... fly deploy ... xargs -I {} aws s3 rm s3://my-backups/{}

Recommendation

Require explicit user confirmation before production deploys, resource creation, scaling, rollback, or backup deletion; verify the target project, account, and environment first.

What this means

Installing the wrong or compromised CLI could affect the local development environment or cloud credentials.

Why it was flagged

The reference guide recommends installing external provider CLIs, including unpinned global npm installs and a remote shell installer. These are common provider setup steps, but they execute code from external sources.

Skill content

npm i -g vercel ... npm i -g @railway/cli ... curl -L https://fly.io/install.sh | sh

Recommendation

Install CLIs from official provider documentation, consider pinned versions where practical, and avoid running curl-to-shell commands without inspecting or trusting the source.

What this means

Using broad or wrong-account credentials could expose secrets or modify the wrong production resources.

Why it was flagged

The skill instructs provider login and production secret configuration. This is expected for deployments, but it involves cloud account authority and sensitive credentials.

Skill content

railway login ... vercel env add DATABASE_URL production ... railway variables set JWT_SECRET=xxx

Recommendation

Use least-privilege provider accounts or tokens, avoid pasting real secrets into chat, and set production secrets through trusted provider secret-management interfaces.