Clawdship

Review

Audited by ClawScan on May 10, 2026.

Overview

Clawdship looks purpose-built for deployment, but the helper script should be reviewed because unvalidated inputs could cause unintended local file uploads while publishing a site.

Use this only if you are comfortable uploading the selected project to clawdship.dev. Before running it, choose a normal hostname-safe slug, deploy from a clean build folder such as ./dist, exclude secrets like .env files, ensure CLAWDSHIP_API is not set to an unexpected host, and keep the returned API key private.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A bad site name could make the agent transmit unintended local files to the deployment endpoint, even if the chosen deploy folder was correct.

Why it was flagged

The first argument is inserted into curl -F form fields without slug validation or --form-string. In curl, form values beginning with file metacharacters such as @ can cause local file reads/uploads, so a malformed or prompt-influenced slug could send files outside the intended deployment directory.

Skill content

SLUG="${1:?Usage: ./deploy.sh <slug> <path> [api-key]}" ... CURL_ARGS+=(-F "name=${SLUG}" -F "type=static" -F "slug=${SLUG}" -F "archive=@${ARCHIVE}")

Recommendation

Validate slugs to a safe hostname pattern, use curl --form-string for text fields, and confirm the deployment folder contents before uploading.

What this means

An unexpected CLAWDSHIP_API value could redirect deployments away from the documented clawdship.dev API.

Why it was flagged

The upload destination can be changed by an environment variable. This can be legitimate for testing, but if set unexpectedly it changes where the site archive is sent.

Skill content

# CLAWDSHIP_API     — API base URL (default: https://api.clawdship.dev) ... API_BASE="${CLAWDSHIP_API:-https://api.clawdship.dev}"

Recommendation

Check or unset CLAWDSHIP_API before running the script unless you intentionally use a trusted alternate endpoint.

What this means

Anyone with the API key may be able to manage the deployed site, and the deployment can lead to paid hosting after the trial.

Why it was flagged

The skill handles the provider API key, creates a persistent hosted site, and exposes billing/payment information. This is disclosed and purpose-aligned, but it is sensitive account authority.

Skill content

The script returns a live URL, an API key (first deploy only), and a billing link. ... Site is on a 7-day free trial, then $5/month

Recommendation

Store the API key securely, share the billing link only with the intended human, and require explicit user approval before payments, redeploys, custom-domain changes, or deletions.