Web Hosting
PassAudited by ClawScan on May 10, 2026.
Overview
This skill is coherent for deploying websites, but it can publish code and change cloud hosting accounts, so users should review each step carefully.
Before installing or using this skill, review the dependent skills, install only the deploy path you need, use least-privilege credentials, choose repository visibility carefully, check the project for secrets or private files, and confirm any domain/DNS or production deployment action before proceeding.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may create a GitHub repo, push code, and deploy a production site.
The skill directs account-changing and production deployment actions. These actions fit the hosting purpose, but they can publish local code and affect live services.
Git Inception ... initialize git if needed, create remote repository via `github-api`, set origin, commit, and push branch. ... Deployment Trigger ... `vercel --prod` ... `netlify deploy --prod`.
Confirm the target repository, visibility, files to be pushed, and deployment provider before allowing the workflow to proceed.
Credentials may let the agent create repos, deploy sites, and manage provider resources.
The skill requires provider credentials and delegated account access. That is expected for deployment, but it gives the workflow authority over connected services.
Mandatory: `MATON_API_KEY` ... Vercel path: logged in `vercel login` or `VERCEL_TOKEN` ... Netlify path: logged in `netlify login` or `NETLIFY_AUTH_TOKEN`.
Use scoped tokens where possible, verify which account is logged in, and revoke unused tokens after deployment.
Running the setup commands could install or update skills beyond the immediate deployment path.
The setup instructions install latest-version dependent skills and include a broad update-all command. This is disclosed setup, not hidden execution, but it can change the behavior of other installed skills.
npx -y clawhub@latest install github-api ... npx -y clawhub@latest install api-gateway ... npx -y clawhub@latest update --all
Install only the dependencies you need, review each dependent skill, and avoid `update --all` unless you intentionally want to update all installed skills.
A later accidental commit or push could redeploy the live site.
The skill may establish CI/CD behavior where future repository pushes automatically trigger deployments. This is expected for hosting but can propagate later mistakes to production.
return CI/CD update path (future pushes redeploy automatically)
Understand the CI/CD trigger, protect production branches, and review changes before pushing.