Jack Cloud

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill is a coherent Jack Cloud deployment guide that clearly discloses its cloud login, source-code upload, and live deployment behavior.

Install this skill only if you intend to use Jack Cloud to deploy live services. Before running commands, verify the npm CLI source, the logged-in account, the project directory, and any production database or secret changes; avoid deploying code or logs that contain unintended sensitive data.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the CLI gives code from the npm package the ability to run on the user’s machine during installation and later CLI use.

Why it was flagged

The skill instructs installation of a global npm package. This is central to the Jack CLI workflow, but it means the user is trusting external package code.

Skill content

`npm i -g @getjack/jack`

Recommendation

Install only from the official package source, review the package/homepage if needed, and keep the CLI updated through trusted channels.

What this means

Anyone with access to the local auth token may be able to act as the logged-in Jack Cloud user, depending on Jack’s token controls.

Why it was flagged

The skill discloses use of OAuth identity and a local persistent auth token for Jack Cloud access.

Skill content

`jack login` authenticates via browser OAuth (GitHub/Google via WorkOS). Auth token stored at `~/.config/jack/auth.json`

Recommendation

Use the intended account, protect the local config directory, and revoke or rotate the login if the machine or token may be compromised.

What this means

A mistaken command could deploy unwanted code, change production data, or affect a live service.

Why it was flagged

The documented commands can publish live services and mutate cloud database state. This is aligned with the deployment purpose, but it is high-impact.

Skill content

`jack ship` ... Builds the project and deploys to production; `jack db execute --write "INSERT INTO users ..."`

Recommendation

Confirm the project directory, account, environment, and SQL command before deployment or writes; prefer bounded MCP tools where available.

What this means

Private source code, project names, deploy history, and related metadata may leave the local machine and be stored or processed by Jack Cloud and its deployment backend.

Why it was flagged

The skill discloses that source code and project metadata are transmitted to an external cloud service during deployment.

Skill content

`control.getjack.org` | Project metadata, source code during deploy | Project management and deployments

Recommendation

Do not deploy repositories containing unintended secrets or confidential code, and review Jack Cloud’s access controls and privacy terms before use.