Install
openclaw skills install @kyriswu/vibecoding-deployment-auditorUse when auditing a local AI / vibecoding website before publication. Generate a redacted, verifiable Deployment Dossier; never directly deploy the server.
openclaw skills install @kyriswu/vibecoding-deployment-auditor内部 Skill 标识:
vibecoding-deployment-auditor
Use the local AI IDE agent as a deployment analyst. It may deeply inspect the local repository using the user’s own model allowance, then creates a compact, evidence-cited Deployment Dossier v1 for a remote deployment service.
This skill does not deploy, run package installation, edit project code, expose secrets, or choose server-specific values. The remote service remains the constrained executor: it validates evidence, allocates ports and names, renders PM2/nginx/DNS configuration, and verifies the public result.
When this Skill is published to a registry, keep its canonical frontmatter identifier (vibecoding-deployment-auditor) stable for cross-skill references and installed workflows. Set a user-facing display name and registry slug at publish time instead—for example, AI 网站上线助手 and ai-website-launch-assistant. Do not rename the internal identifier merely to make a marketing-facing label.
Do not use this to directly SSH, configure PM2/nginx, push DNS, run migrations, install dependencies, or send .env values. Those actions belong to an authenticated server-side executor after it accepts the dossier.
Select exactly one source route after the audit:
git — Git project deploymentUse when an immutable Git remote + commit exists and the remote executor can fetch it. Submit the Git URL, commit SHA, subdirectory (if any), Dossier, and verification contract. The executor independently clones that exact commit, verifies cited evidence, then performs its controlled build/release workflow.
This route is required for a project with an API, SSR, Worker, Cron, database migration, persistent runtime data, server secret, or any other executable server component.
local-static-artifact — simple local static site packagingUse when a project is only browser-delivered static content: a single index.html, a selected HTML/CSS/JS/assets directory, or a locally built static output directory such as dist/. The local agent packages only publishable files plus the Dossier/manifest; the executor safely extracts and hosts it. It never installs dependencies or executes uploaded code in this route.
A Git repository is optional for this route. It is the default for an uncommitted single-page site or a local static project that the user does not want to publish to GitHub.
local-bundle-required — explicitly unsupported by this skillUse this status—not an archive upload—when a non-Git project needs a backend/runtime. It requires a separately designed sandboxed source-build executor and must be blocked until that capability is available.
.env values, cookies, SSH keys, private keys, or raw credential-bearing config.Collect, without modifying the repository:
If the worktree is dirty or the project has no reachable immutable commit, mark it source.type: local-bundle-required. Do not pretend a Git SHA represents uncommitted local code.
A static-only project may use source.type: local-static-artifact instead of Git. It is eligible only when the audit finds no in-repository API/server-rendered service, worker, cron, migration, database, secret-dependent runtime, or unresolved same-origin /api/WebSocket/SSE contract. External browser APIs are allowed only when declared in the dossier. The upload must contain deployable static output—not a runnable source repository.
Use local file search / CLI inspection before asking the LLM to reason. Inventory only metadata and path:line hits:
package.json, workspace files, lockfiles;server/, api/, backend/, services/, apps/, packages/, workers/ and scripts/ at shallow depth;build, start, dev, preview, preinstall, install, postinstall, and prepare scripts;fetch, Axios, WebSocket, EventSource, listen, route registration, cron/queue and migration signatures;.env.example / config variable names only;Exclude node_modules, dist, build output, source maps, full lockfiles, binaries, and actual .env files.
Use the IDE’s local model to inspect decisive source files and produce the following analyses. Every nontrivial conclusion needs path, line range, and a short reason.
Classify every discovered runnable component as exactly one of:
frontend-staticapiserver-rendered-webworkercrondatabase-migrationdevelopment-onlytest-onlyunknownFor each, identify root, production build method, production start method, output directory, port environment variable, and dependencies on other components. A dev command is not production evidence.
Trace every relevant client network call from UI/store/service to its endpoint, method, protocol and base path. Match it to a backend route when the route is local. Explicitly distinguish:
/api/... calls that need same-origin reverse proxying;A project cannot be called static-spa if it contains an in-repository API dependency or unresolved relative /api call.
Identify Node/runtime constraints, required environment-variable names, database/cache/message-queue dependencies, migrations, upload/persistent paths, background jobs, CORS/callback URLs, and health endpoints. Separate required production dependencies from optional developer tooling.
Before finalizing, challenge the proposed topology:
server/, api/, workspace package, worker, or cron missed?Unresolved items must be blockers, not guesses.
For an eligible local-static-artifact project, package only the publishable site:
dist/), not the source tree.artifact-manifest.json
deployment-dossier.json
site/
index.html
assets/...
site/index.html is required.node_modules, .git, .env*, source maps, archives, socket files, symlinks, device files, executable installers, or files outside the selected output root.static-files or spa-fallback; do not include nginx config.The remote service must treat the Coze upload as untrusted temporary staging, then independently enforce archive size/file-count/expansion limits, reject traversal and non-regular files, verify manifest hashes, and unpack into a new isolated release. It must not run npm install, a build, or any artifact-contained executable for this mode.
Use the configured Coze endpoint as a single binary request, never a JSON body or chunk protocol:
curl -X POST 'https://coze-js-api.devtool.uk/file-transfer/upload?filename=<archive>.zip&storage=temp' \\
-H 'Content-Type: application/octet-stream' \\
--data-binary @<archive>.zip
On code: 0, capture data.relativePath, data.size, and the local SHA-256 of the exact uploaded archive in templates/deployment-submission.v1.json. The upload service may rename the file; the returned relativePath is authoritative. Do not trust, persist, or use an arbitrary returned data.url as an executor URL: the server reconstructs a download URL only from its allowlisted https://coze-js-api.devtool.uk/downloads/ base and a validated relative path. Upload success means only that a temporary object exists—it is not evidence that the artifact is safe or deployable.
Do not upload an empty archive. Treat any nonzero code, missing relativePath, mismatch between local archive size and data.size, or post-download SHA-256 mismatch as a blocker.
local-bundle-required for API/server projects is not equivalent to static-artifact mode. It requires a separate sandboxed source-build design and is blocked by this skill unless that executor capability explicitly exists.
Write a concise, schema-shaped JSON document following templates/deployment-dossier.v1.json. For local-static-artifact, begin with templates/static-artifact-dossier.v1.json, place the identical completed Dossier inside the ZIP, and then write a separate templates/deployment-submission.v1.json after Coze returns its generated relativePath. Do not rewrite the embedded Dossier to insert the final ZIP hash; record that hash only in the external submission.
The dossier must include:
Keep source excerpts short. Prefer file path + line range + hash over full files. The normal dossier should remain under 30 KB.
Alongside the JSON, report:
Do not claim deployment success. The correct final state is audit completed or blocked, not deployed.
high confidence only if every discovered production component is classified and every client-facing local API contract is mapped or intentionally excluded with evidence.medium if the topology is likely correct but an external dependency or startup detail needs server-side confirmation.low if source identity, production startup, API destination, or critical runtime dependency is unknown.safeToSubmit may be true only for high or well-explained medium confidence without security blockers.npm run dev with production: use an explicit production build/start command only..env data: record variable names and missing-secret blockers only.POST, not merely GET /..env values