Skill v1.0.0

ClawScan security

VPS Deploy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 8, 2026, 5:40 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The instructions are generally coherent for a VPS deployment tool, but they request highly sensitive inputs (SSH credentials, local .env files), include risky practices (curl | sh installer, creating a NOPASSWD sudo user, copying root keys), and do not declare or constrain those inputs — proceed with caution and review before use.
Guidance
This skill appears to implement a full manual deployment workflow and will ask you to share sensitive data: server SSH credentials (root or keys) and local .env files containing secrets. Before using it: (1) prefer using an SSH key specifically created for the deployment and remove/rotate it afterwards; (2) do not hand over your main root password if avoidable — use a temporary sudo-capable key; (3) review any remote scripts before running (curl https://get.docker.com | sh is convenient but risky); (4) avoid copying .env files with production secrets unless you understand where they will be stored and who can read them; (5) reconsider granting NOPASSWD sudo and docker-group membership — it's convenient but increases risk; (6) test steps in a non-production server first and ensure you have console/IP access in case SSH is misconfigured. If you are not comfortable reviewing these actions yourself, consider using a vetted deployment tool or managed service instead.

Review Dimensions

Purpose & Capability
ok: The name/description match the runtime instructions: the SKILL.md describes step-by-step server setup, Docker, Nginx, SSL, and app deployment. Nothing in the instructions is unrelated to deploying an app to a VPS.
Instruction Scope
concern: The instructions explicitly ask the agent to collect SSH credentials (root password or private key path), to read local project files and environment files (.env.local, .env.example), and to run remote commands as root. These are necessary for deployment but involve collecting and handling highly sensitive data; the SKILL.md gives broad discretion to copy keys and secrets to the server (e.g., copying root's authorized_keys and transferring .env files). There is no limit or safe-handling guidance for secrets beyond brief notes.
Install Mechanism
note: This is an instruction-only skill (no install spec). However, the runtime instructions call for out-of-band installs, such as piping https://get.docker.com into sh and installing packages via apt. The Docker install URL is the official get.docker.com host (expected), but piping remote scripts into sh is inherently risky and should be vetted by the user.
Credentials
concern: Although the registry metadata lists no required env vars, the skill expects the user to provide SSH root/sudo credentials and to expose local environment files and potentially database passwords. Those are highly sensitive and no mechanisms (e.g., ephemeral keys, encrypted transfer, or explicit minimization) are enforced or suggested by the SKILL.md.
Persistence & Privilege
concern: The skill does not request platform-level persistent privileges (always:false), which is good. However, the instructions create a 'deploy' user with NOPASSWD sudo and add it to the docker group, and copy root authorized_keys — those changes give long-lived elevated privileges on the target server and increase blast radius if the deploy account or server is compromised. The SKILL.md does not recommend least-privilege alternatives.