Deploy Contracts
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is purpose-aligned, but it can deploy contracts from your Aptos CLI account using no-confirm commands and an ambiguous default profile, including in workflows that mention mainnet.
Review carefully before installing or invoking. Only use this skill with an explicitly chosen Aptos profile, verify the target network and signer address, avoid `--assume-yes` for real deployments, and require manual approval before any transaction that publishes or upgrades contracts—especially on mainnet.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent following the workflow could deploy or publish using the configured Aptos profile without the CLI's normal confirmation prompt.
The skill's default deployment command publishes contract code using the Aptos CLI while suppressing interactive confirmation. For a skill that also describes mainnet deployment, this is high-impact unless the agent first gets explicit user confirmation of the package, address, account, network, and cost.
```
aptos move deploy-object \
  --address-name my_addr \
  --profile default \
  --assume-yes
```

Do not use `--assume-yes` as the default for deployment, especially for mainnet. Require an explicit human approval step showing the target network, profile, signer address, package hash/name, and expected fees before running any publish/deploy command.
The skill could cause actions to be signed by the wrong Aptos account or sent to the wrong network if the user's default profile is not what the workflow assumes.
The workflow relies on local Aptos CLI profiles and the `default` profile, which represent signing authority for an account. The registry metadata declares no primary credential or required config path, and the visible instructions do not require verifying that `default` points to the intended account and network before deployment.
```
aptos config show-profiles
# If no profile exists, initialize one
aptos init --network testnet --assume-yes
...
aptos account balance --profile default
```
Declare the Aptos CLI profile/config requirement, avoid relying on `default`, and require the user to select and confirm the exact profile, network, account address, and balance before any transaction-signing command.
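The two findings above reduce to one missing step: before any publish/deploy command runs, resolve the named profile, compare its node and signer with what the user expects, refuse `--assume-yes`, and show a summary that a human must explicitly approve. The following Python gate is an added example of that step; it is not code from the reviewed skill or from ClawScan. It assumes the JSON layout printed by `aptos config show-profiles` (`Result.<profile>.account` and `.rest_url`) and the public fullnode hostnames; the sample profile data, account addresses and the `deployer-mainnet` profile name are constructed for the example.

```python
# Added example (not the skill's or ClawScan's code). Assumes the JSON layout of
# `aptos config show-profiles` (Result.<profile>.account / .rest_url) and the
# public fullnode hostnames below; both are assumptions about the Aptos CLI.
import json
import shlex
from urllib.parse import urlparse

# Assumed public fullnode hostnames, keyed by the network name the user expects.
EXPECTED_REST_HOSTS = {n: f"fullnode.{n}.aptoslabs.com" for n in ("devnet", "testnet", "mainnet")}
# Subcommands that publish or upgrade code; extend if the skill adds others.
PUBLISHING_SUBCOMMANDS = {("move", "publish"), ("move", "deploy-object")}
OCTAS_PER_APT = 10**8  # APT has 8 decimal places


def _flag_value(argv, flag):
    """Value following `flag` in argv, or None if absent or missing a value."""
    if flag not in argv:
        return None
    idx = argv.index(flag)
    return argv[idx + 1] if idx + 1 < len(argv) else None


def _norm_addr(addr):
    """Compare addresses ignoring 0x prefix, case and leading zeros."""
    return addr.lower().removeprefix("0x").lstrip("0") or "0"


def check_deploy_command(cmd, show_profiles_json, expected_network, expected_account):
    """Return the reasons the command must not run as-is (empty list = none found).
    An empty list means the command may be shown to a human for approval; it never
    means the command may run without that approval."""
    argv = shlex.split(cmd)
    if len(argv) < 3 or argv[0] != "aptos" or (argv[1], argv[2]) not in PUBLISHING_SUBCOMMANDS:
        return ["not a recognised publish/deploy command; this gate covers only those"]
    problems = []
    if "--assume-yes" in argv:
        problems.append("--assume-yes suppresses the CLI confirmation prompt; drop it for real deployments")
    profile = _flag_value(argv, "--profile")
    if profile is None:
        problems.append("no --profile value given; the CLI would silently fall back to 'default'")
        profile = "default"
    elif profile == "default":
        problems.append("profile 'default' is ambiguous; name the deployment profile explicitly")
    # Resolve the profile locally and compare node and signer with expectations.
    entry = json.loads(show_profiles_json).get("Result", {}).get(profile)
    if entry is None:
        problems.append(f"profile '{profile}' is not configured locally")
        return problems
    host = urlparse(entry.get("rest_url", "")).hostname
    if host != EXPECTED_REST_HOSTS.get(expected_network):
        problems.append(f"profile '{profile}' points at {host or 'an unknown node'}, not {expected_network}")
    if _norm_addr(entry.get("account", "")) != _norm_addr(expected_account):
        problems.append(f"profile '{profile}' signs as {entry.get('account')}, not {expected_account}")
    return problems


def approval_summary(cmd, show_profiles_json, expected_network, package_name):
    """Summary a human must see before any publish/deploy command is run."""
    argv = shlex.split(cmd)
    profile = _flag_value(argv, "--profile") or "default"
    entry = json.loads(show_profiles_json).get("Result", {}).get(profile, {})
    max_gas, unit_price = _flag_value(argv, "--max-gas"), _flag_value(argv, "--gas-unit-price")
    if max_gas and unit_price:  # upper bound = max gas units * price per unit, in octas
        fee = f"at most {int(max_gas) * int(unit_price) / OCTAS_PER_APT:.8f} APT"
    else:
        fee = "not capped on the command line (set --max-gas and --gas-unit-price)"
    return "\n".join([
        f"network : {expected_network}",
        f"profile : {profile}",
        f"signer  : {entry.get('account', '<unknown>')}",
        f"node    : {entry.get('rest_url', '<unknown>')}",
        f"package : {package_name}",
        f"max fee : {fee}",
        f"command : {cmd}",
    ])


def gate(cmd, show_profiles_json, expected_network, expected_account, package_name, approve=input):
    """Run the checks, then require the approver to type the network name back.
    True only when no problems were found AND the approver confirmed. `approve`
    takes the prompt text and returns the typed answer; tests pass a stub."""
    if check_deploy_command(cmd, show_profiles_json, expected_network, expected_account):
        return False
    prompt = approval_summary(cmd, show_profiles_json, expected_network, package_name)
    return approve(f"{prompt}\nType '{expected_network}' to approve: ").strip() == expected_network


# Constructed sample of `aptos config show-profiles` output; accounts are fake.
SAMPLE_SHOW_PROFILES = json.dumps({"Result": {
    "default": {"account": "0x1111", "rest_url": "https://fullnode.testnet.aptoslabs.com"},
    "deployer-mainnet": {"account": "0x2222", "rest_url": "https://fullnode.mainnet.aptoslabs.com"},
}})
# The skill's default command as quoted in the finding, and a corrected form.
SKILL_DEFAULT_CMD = "aptos move deploy-object --address-name my_addr --profile default --assume-yes"
SAFE_CMD = ("aptos move deploy-object --address-name my_addr --profile deployer-mainnet "
            "--max-gas 20000 --gas-unit-price 100")

if __name__ == "__main__":
    for p in check_deploy_command(SKILL_DEFAULT_CMD, SAMPLE_SHOW_PROFILES, "mainnet", "0x2222"):
        print("BLOCKED:", p)
    print(approval_summary(SAFE_CMD, SAMPLE_SHOW_PROFILES, "mainnet", "my_package"))
```

Run against the skill's own default command with mainnet as the intended target, the gate reports four blockers (suppressed confirmation, ambiguous profile, wrong node, wrong signer); the corrected command passes the checks and then still waits for a human to type the network name. The `approve` parameter exists so an agent framework can plug in its own confirmation channel without ever bypassing the step.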
Some safety guidance depends on files or skills outside the reviewed artifact set.
The skill references another skill and a relative SECURITY.md file that are not included in the provided one-file manifest. This is not malicious by itself, but users cannot verify those referenced checks from the supplied artifact alone.
```
Security audit completed (use `security-audit` skill)
...
See [SECURITY.md](../../../patterns/move/SECURITY.md)
```
Verify that the referenced security-audit skill and SECURITY.md guidance are available and trusted before relying on this deployment checklist.
