Netlify Deploy
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run against the wrong site, directory, or account, a production deploy could publish unintended changes.
Production deploys can change a live public site, but the artifact includes a clear preview-first and explicit-confirmation guardrail.
Use `npx netlify deploy --prod` only when the user explicitly requests production or confirms readiness.
Keep the preview-first workflow, verify the Netlify site/team and build output, and require explicit user confirmation before any production deploy.
Misuse could overwrite deployment configuration or expose secret values to the Netlify account where they are imported.
The command reference includes Netlify environment-variable operations, including importing a local .env file, which can mutate hosted configuration and send sensitive values to Netlify if used.
npx netlify env:set KEY value
npx netlify env:get KEY
npx netlify env:import .env
Run environment-variable commands only when explicitly requested, confirm the target site/team/context, and avoid printing or storing secret values in skill memory.
Commands may act with the privileges of the logged-in Netlify user and selected team.
The skill uses the user's Netlify login/session to authenticate CLI actions; this is expected for deployment, but it grants actions under the active Netlify account.
If not authenticated, run `npx netlify login` ... Auth/session data is exchanged with Netlify during `npx netlify login`.
Before deploying, confirm the active Netlify account/team and log out or relink if the CLI is authenticated to the wrong workspace.
CLI behavior and versioning come from the external Netlify CLI environment rather than this instruction-only skill.
The skill depends on invoking the Netlify CLI through npx rather than bundled or pinned code; this is central to the stated purpose but relies on trust in the external CLI package.
npx netlify status
Use the official Netlify CLI, consider pinning or preinstalling a known version for reproducible deployments, and avoid running npx commands from untrusted project directories.
Incorrect saved defaults could steer future deploys toward the wrong project, path, or deploy mode.
The skill persists deployment defaults and project context for future use; this is purpose-aligned, but persistent defaults can become stale or be over-trusted.
Store integration preferences in main memory. ... In `~/netlify-deploy/memory.md`, keep: Preferred default deploy mode ... Frequent project paths and common publish directories
Store only non-secret operational preferences, review the memory file when projects change, and keep production deploy confirmation explicit.
