Render Deploy
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: render-deploy Version: 1.0.0 The skill bundle is benign. All files, including the SKILL.md instructions for the AI agent, consistently describe a legitimate Render deployment workflow. Strong explicit guardrails are present, such as 'Do not attempt opaque credential discovery or unrelated environment inspection' and 'Never call undeclared endpoints or infer hidden credentials'. The skill explicitly states it does NOT read unrelated credentials, scrape dotfiles, or send project files to undeclared third-party endpoints. Data sent to declared Render endpoints (dashboard.render.com, mcp.render.com, api.render.com) is limited to repository URLs, service configuration, and environment variable names, which is necessary for its stated purpose. Local memory usage in `~/render-deploy/` requires user consent and stores only deployment-related history and preferences, not sensitive values unless explicitly provided by the user.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the agent could create or modify cloud services or deployment configuration in your Render workspace.
The skill can direct an agent to create Render services and update environment variables, which are account-mutating deployment actions.
`list_services`, `create_web_service`, `update_environment_variables`, and `list_deploys` map to Render MCP operations
Review the planned service name, repo, branch, plan, region, and environment variables before approving provisioning or updates.
A valid Render credential gives the agent delegated access to perform deployment and workspace operations.
The skill requires a Render API key or authenticated Render CLI session to act in the user's Render account.
Required env vars: RENDER_API_KEY ... Primary credential: RENDER_API_KEY
Use a properly scoped Render API key where possible and avoid sharing unrelated credentials; rotate the key if you no longer need the integration.
Installing the CLI adds a third-party local binary that the agent may use for deployment operations.
The install path depends on the external Render CLI package installed through Homebrew.
brew | formula: render | creates binaries: render
Install the Render CLI from the expected trusted package source and keep it updated.
Local memory may retain project names, workspace choices, repository/deployment context, and environment-variable names that influence later deployments.
The skill can persist deployment context locally for reuse across future sessions.
Store durable context only: ... Workspace and method preference ... Stable env var inventory (names and ownership, not secret values unless user asks)
Allow memory only if you want persistent deployment context, and do not store secret values there unless you explicitly intend to.
Deployment configuration and workspace-scoped metadata may be sent to Render's MCP service during direct provisioning.
The skill discloses an MCP-based provisioning path that sends service configuration and workspace metadata to Render.
https://mcp.render.com | Service creation/config requests and workspace-scoped metadata | MCP direct provisioning
Confirm the selected Render workspace and service configuration before using MCP direct creation.