Clawhub Skill Deploy Pilot

The skill is classified as suspicious due to a critical Remote Code Execution (RCE) vulnerability. The `deploy-pilot.py` script uses `subprocess.run(..., shell=True)` to execute user-defined pre/post deployment hooks and custom health check scripts. These script commands are loaded from the `stacks.json` configuration file, which can be modified by the agent via `deploy-pilot hook` and `deploy-pilot config` commands. An attacker who can influence the agent's input or directly modify `stacks.json` could inject arbitrary shell commands, leading to RCE on the host system. While the skill's stated purpose involves running custom scripts, the use of `shell=True` without proper input sanitization constitutes a severe vulnerability, not intentional malice by the developer.