IPaaS VitePress Content Automation
AdvisoryAudited by VirusTotal on Apr 14, 2026.
Overview
Type: OpenClaw Skill Name: ipaas-vitepress-content-automation Version: 1.0.9 The skill bundle is a legitimate automation tool for generating and deploying VitePress documentation. It includes proactive security measures in `script/deploy.sh`, such as validating required environment variables and explicitly forbidding deployments to sensitive system directories (e.g., /etc, /root). The use of shell commands, rsync, and SSH is strictly aligned with the stated purpose of building and synchronizing web content to a remote server.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Generated content and navigation may be written into the VitePress project and published to the configured site.
The skill instructs the agent to modify site content/configuration and then run a shell deployment command. This is consistent with the stated purpose, but it is a high-impact publishing workflow.
`file_write: ./docs/cases/{filename}.md` ... `file_write: ./docs/.vitepress/config.mts` ... `shell: bash ./scripts/deploy.sh`Review the generated Markdown and config changes, then explicitly approve deployment and verify the server/path before allowing the shell step.
If the SSH account has broad permissions or the target path is wrong, the skill could publish to an unintended server location.
Deployment uses SSH authority for the configured remote user and server. This is expected for a deployment skill, but it depends on the user's SSH key permissions.
rsync -avz -e "ssh -p ${SERVER_PORT}" "$BUILD_PATH/" "${REMOTE_USER}@${SERVER_IP}:${REMOTE_DIR}"Use a least-privileged non-root deploy user, restrict write access to the intended VitePress directory, and double-check SERVER_IP, SERVER_PORT, REMOTE_USER, and REMOTE_DIR.
The deployment command may not run the reviewed bundled script as intended.
SKILL.md references `./scripts/deploy.sh`, while the provided manifest contains `script/deploy.sh`. This packaging mismatch may cause failure or cause the agent to look for a differently located helper script.
`shell: bash ./scripts/deploy.sh`
Fix the script path and declare the required binaries/environment variables in the registry metadata so installation and review match runtime behavior.
Running this in an untrusted or unexpected repository could execute project-defined scripts before deployment.
The deployment script runs package installation and build commands. This is normal for a VitePress deployment, but package lifecycle/build scripts execute local project code.
pnpm install && pnpm run docs:build
Use it only in a trusted VitePress project and review package scripts/lockfiles before running the deployment script.