Caprover CI Deployments
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: caprover-ci-deploys Version: 1.0.0 The skill is classified as suspicious due to significant vulnerabilities in credential handling and external command execution, despite no clear evidence of malicious intent. The `SKILL.md` and `scripts/deploy.py` explicitly describe and implement storing highly sensitive credentials (CapRover master password, GitHub Personal Access Token) in a local `config.json` file, making them vulnerable to local compromise. Additionally, `scripts/deploy.py` executes the `caprover` CLI via `subprocess.run`, which, while using a list of arguments to mitigate shell injection, still carries risks of argument injection or vulnerabilities within the `caprover` CLI itself.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these credentials are misused or exposed, an attacker or mistaken agent action could trigger deployments or affect private repositories and CapRover apps.
The skill asks for persistent storage of high-privilege deployment credentials, including a CapRover master password and broad GitHub PAT scopes. This is purpose-related, but the authority is broad and not minimized to per-app or fine-grained tokens.
All credentials live in a `config.json` file in the skill directory (gitignored) ... "password": "YOUR_MASTER_PASSWORD" ... "token": "ghp_YOUR_GITHUB_PAT" ... For private repos, the GitHub token needs `repo` + `workflow` scopes
Prefer per-app CapRover deploy tokens over the master password, use fine-grained GitHub tokens with only the required repository/action permissions, and document these credentials in the skill metadata.
Deploy tokens could be accidentally revealed to other local users, logs, or chat history, enabling unauthorized deploy triggers.
CapRover webhook URLs and app tokens are secret-bearing deploy credentials. Printing part of the webhook URL and passing the app token as a command-line argument can expose secrets in terminal logs, agent transcripts, or local process listings.
print(f" URL: {webhook_url[:60]}...") ... "--appToken", app_tokenRedact webhook URLs completely in output, avoid placing tokens in process arguments when possible, and use a secret manager or environment-based credential passing with careful log masking.
A vague or mistaken deploy request could deploy the wrong app, branch, or environment.
The skill directly triggers GitHub workflow dispatches, CapRover webhooks, or CLI deploys. This is the advertised purpose, but it changes deployment state and should be treated as a high-impact action.
When user says "deploy X" ... Choose strategy ... Execute and report result
Require explicit confirmation of app, branch/ref, environment, and strategy before triggering a deployment, especially for production.
A compromised or changed upstream action could affect future deployments.
The generated CI workflow depends on external GitHub Actions referenced by version tags. This is normal for CI/CD templates, but tag-based references can move compared with immutable commit SHAs.
uses: docker/login-action@v3 ... uses: docker/build-push-action@v5 ... uses: caprover/deploy-from-github@v1
Review the referenced actions and consider pinning them to immutable commit SHAs for production repositories.