Shadows Deploy Guardian
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This deploy-check skill is purpose-aligned, but it will run your project’s test/build/lint commands and may display secret-like matches, so use it only in trusted repositories and secure terminals.
Before installing, confirm you trust the repository where this will run. It is suitable as a deployment checklist, but test/build/lint commands can execute project code, and secret-scan matches should be handled privately.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
This is an artifact-based, informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the skill is used on an untrusted repository or pull request, the project's own test and build scripts could run unwanted code on the user's machine.
The deployment gates intentionally run project tests and build scripts, which can execute code from the repository.
npm test 2>&1 ... python -m pytest -v 2>&1 ... cargo test 2>&1 ... npm run build 2>&1
Run this skill only in trusted repositories or a sandbox, and review project scripts before allowing test or build commands.
A project with compromised or unexpected Node tooling could run code during type checking or linting.
The skill uses npx-based tooling; depending on local npm behavior and installed dependencies, this can execute package-provided binaries and may rely on package provenance.
[ -f tsconfig.json ] && npx tsc --noEmit 2>&1 ... npx eslint . 2>&1
Prefer pinned, locally installed project dependencies and consider using no-install/local-only npm execution settings for deployment checks.
Secret-like values could become visible in terminal logs, screen shares, or shared command transcripts.
The secrets scan is purpose-aligned, but the artifact itself warns that credential-like values may be printed to terminal output.
Command output may display matched secret-like patterns in the terminal. Run this gate in a secure terminal session where output is not logged to shared systems.
Run the secrets gate in a private terminal and avoid logging or sharing raw output if matches are found.