render
ReviewAudited by ClawScan on May 10, 2026.
Overview
This Render deployment skill is mostly coherent, but it can directly create or change cloud services with a Render API key without a dashboard confirmation step.
Install only if you want the agent to help deploy to Render. Before giving it RENDER_API_KEY or enabling mcporter, make sure it will ask before creating, redeploying, or changing services, and review the target workspace, plan, repo, branch, environment variables, and any possible costs.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could create or redeploy Render resources in the user's account, potentially exposing an app publicly or incurring cloud costs if the user has not reviewed the exact action.
This selects direct API/MCP deployment when a token is present and explicitly removes the dashboard click, while the artifacts do not require a final user approval before account-changing cloud actions.
If `RENDER_API_KEY` is set → Prefer REST API or MCP (fastest; no user click).
Require explicit user confirmation before any POST/create/redeploy operation, including the target workspace, repository, branch, plan, region, environment variables, and estimated cost.
A valid Render API key may let the agent inspect workspaces and create or manage services depending on the token's permissions.
The skill uses a Render bearer token to list account/workspace owners and perform service operations. This is expected for Render deployment, but it is privileged account access.
curl -s "https://api.render.com/v1/owners" \ -H "Authorization: Bearer $RENDER_API_KEY"
Use a least-privilege Render key where possible, set it only for sessions that need deployment, and review any proposed account changes before allowing execution.
Deployment details and account-authorized actions may pass through the Render MCP integration rather than only local files or the dashboard.
The skill can route deployment actions and credentials through an external MCP server via mcporter. The endpoint is disclosed and purpose-aligned, but it expands the data/control path.
Render provides an official MCP server at **`https://mcp.render.com/mcp`**... `mcporter call render.create_web_service` ... Auth: set `RENDER_API_KEY` in the environment
Use MCP only when the user has configured and trusts that integration, and confirm which MCP tool will be called before creating or changing services.