RobotX Deploy CLI
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent RobotX deployment helper, but it relies on an external CLI install, RobotX credentials, and commands that can deploy or publish applications.
Before installing, verify the RobotX CLI source and avoid blindly running remote install scripts. Use least-privilege RobotX credentials, protect ~/.robotx.yaml, and only allow the agent to run deploy or publish commands after you confirm the target application, build, and environment.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the CLI by piping a remote script into bash runs remote code on the user's machine, so a compromised or changed upstream script could affect the local environment.
The skill directs users to run an unpinned remote install script from GitHub; this is a user-directed setup step for the CLI, but the downloaded script is outside the provided artifacts and was not statically reviewed.
curl -fsSL https://raw.githubusercontent.com/haibingtown/robotx_cli/main/scripts/install.sh | bash
Review the install script first, prefer pinned releases or checksums when available, and run installation in a controlled environment.
Anyone or any agent process with access to the RobotX credentials may be able to view or change RobotX projects according to the key's permissions.
The skill requires RobotX account credentials to perform API actions. This is expected for a deployment tool, but those credentials grant access to RobotX resources.
Set credentials by config file (`~/.robotx.yaml`) or env vars: `ROBOTX_BASE_URL`, `ROBOTX_API_KEY`
Use least-privilege API keys, avoid sharing credentials in chat, prefer environment variables in CI, and rotate keys if they are exposed.
A mistaken command could update or publish the wrong RobotX application or build.
The documented CLI can create or update deployments and optionally publish them. This matches the skill's purpose, but it is a high-impact operation if run against the wrong path, project, or account.
robotx deploy [path] --name "My App" [--publish] [--wait=true]
Require explicit user confirmation before deploy or publish actions, verify the target path/project/build IDs, and use non-production projects for testing.
