ClawHub
Skill flagged โ€” suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

๐ŸŒ Deploy HTML content to EdgeOne Pages

v1.0.0

Deploy HTML content to EdgeOne Pages, return the public URL.

โญ 1ยท 71ยท0 currentยท0 all-time
by@mcp
MIT-0
Download zip
LicenseMIT-0 ยท Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report โ†’
OpenClawOpenClaw
Suspicious
medium confidence
โ„น
Purpose & Capability
The stated purpose (deploy HTML and return a public URL) matches the instructions to call a remote deploy endpoint. Requiring a CLI (mcporter) is reasonable for this functionality. The claim 'No login required, no API key required' is consistent with anonymous deployment but should be verified against the service's policy.
!
Instruction Scope
The examples instruct running 'npx -y mcporter call ... value="$(cat index.html)"' which reads a local file and sends its contents to an external service. The SKILL.md does not limit which local files may be read nor require explicit user confirmation before reading/sending files. That creates a risk of unintended local data exfiltration if the agent reads files beyond what the user expects.
!
Install Mechanism
The install metadata and examples rely on an npm package (mcporter). The instructions use 'npx -y' which automatically downloads and executes code from the npm registry at runtime โ€” a higher-risk install mechanism because it runs remote code without manual review. The skill does not reference a known, verifiable upstream repository/release for that package in the instructions.
โœ“
Credentials
No environment variables, credentials, or config paths are requested. This is proportionate to the described anonymous deployment use case.
โœ“
Persistence & Privilege
The skill is not 'always' enabled and does not request elevated persistence. It can be invoked normally by the agent; autonomous invocation is allowed by default (not flagged on its own).
What to consider before installing
This skill does what it claims (upload HTML and return a URL) but has two practical risks you should consider before installing: (1) It runs mcporter from npm (the examples use 'npx -y'), which downloads and executes remote code automatically โ€” verify the mcporter package and its maintainer before use. (2) The instructions show reading local files (cat index.html) and sending them to an external host (mcp-on-edge.edgeone.app). Ensure the agent only uploads content you intend to publish and avoid allowing it to read sensitive files. If you need to use this, prefer reviewing the mcporter package source (or install a vetted binary), require explicit confirmation before any local-file reads, and avoid uploading private data. If you want stronger assurance, test in an isolated/sandboxed environment first.

Like a lobster shell, security has layers โ€” review code before you run it.

latestvk97azt0v1hq15hx070szwtya8n83hy7k

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

๐ŸŒ Clawdis

Install

Install mcporter (node)
Bins: mcporter
npm i -g mcporter

Comments