ClawHub

Convex Deploy Env Doctor

v0.1.0

Validate and fix Convex deployment configuration for skills/apps. Use when debugging Convex URL/callback/env issues, OAuth callback mismatches, .site vs .clo...

0· 40·0 current·0 all-time
by@okikesolutions
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (Convex deployment/env doctor) match the instructions: locate Convex URLs/callbacks, check .env and docs, validate callbacks and connectivity. The skill doesn't request unrelated credentials, binaries, or install steps.
!
Instruction Scope
Instructions explicitly tell the agent to read .env/.env.example, runtime defaults in source, and provide file+line evidence and exact file-level patches. That is in-scope for configuration validation, but it increases the risk of exposing secrets. The workflow also includes 'safe HTTP reachability' checks that will cause outbound requests to discovered endpoints — appropriate for verification but not constrained (no allowlist or explicit sanitization steps). The SKILL.md includes a guardrail 'Never print secrets' but does not require masking when producing file-level evidence or transmitting results.
Install Mechanism
Instruction-only skill with no install spec or bundled code. This minimizes supply-chain and install-time risk.
Credentials
The skill declares no required env vars (proportionate), but its runtime instructions will read environment/config files (.env, runtime defaults). Reading those files is reasonable for the stated purpose but is not reflected in the manifest as required access and may surface secrets if outputs are not carefully redacted.
Persistence & Privilege
No always:true, no install or persistence steps, and no instructions to modify other skills or global agent settings. Normal user-invocable behavior and not force-included.
Assessment
This skill appears to do what it says, but it actively inspects project config files (.env, source defaults, READMEs) and can make outbound HTTP checks. Before running it: 1) Run it only in a trusted environment or on a repository copy that does not contain production secrets. 2) If you must run against real config files, ensure the agent/process will redact or mask secrets and that outputs are reviewed before sharing. 3) Expect the skill to contact discovered endpoints for reachability checks—if you need to restrict network access, run it offline or with an allowlist. 4) Ask the skill author (or require) an explicit policy for masking secrets in 'file+line evidence' and for what data is sent externally. 5) After fixes, verify changes manually (the skill suggests post-fix commands); do not auto-apply patches to production without inspection.

Like a lobster shell, security has layers — review code before you run it.

latestvk97824cgzhcw3gqewm3w1v5bj5844dpw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments