SayDeploy
Security checks across static analysis, malware telemetry, and agentic risk
Overview
SayDeploy is purpose-aligned, but it gives an auto-downloaded MCP tool broad authority over cloud, payment, database, and developer accounts with unclear limits.
Install only if you trust SayDeploy and are comfortable giving it access to the listed services. Prefer test or least-privilege accounts, check the scopes requested during pairing, require explicit approval for writes/deployments, and be cautious because the MCP server runs an unpinned `saydeploy@latest` package.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal engine telemetry is currently stale for this artifact.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent uses this tool incorrectly, it could change production infrastructure, payment settings, databases, code repositories, email/SMS services, or media assets.
A single MCP tool is described as able to execute any operation using connected credentials. The artifacts do not describe confirmation gates, scope limits, safe defaults, or rollback for high-impact operations.
`saydeploy__saydeploy_execute` — Execute any operation with auto-injected auth
Use least-privilege service connections, require explicit user approval before any write or deploy action, and prefer documented operation allowlists, dry-runs, and audit logs.
A connected account with broad permissions could let the agent perform sensitive reads or writes across business-critical services.
The skill asks users to connect multiple high-impact accounts, including payment, database, deployment, DNS/CDN, and source-code services, but the artifacts do not specify credential scopes, permission boundaries, or revocation behavior.
Connect your services (Stripe, Supabase, Cloudflare, GitHub, etc.)
Connect only test or least-privilege accounts where possible, verify OAuth/API scopes during pairing, and confirm there is a clear way to revoke SayDeploy access.
A future package update or supply-chain compromise could run different MCP code while holding access to connected service accounts.
The MCP server is sourced from an unpinned `@latest` npm package at runtime. The reviewed artifacts do not include the package implementation or a lockfile, so the executed code can differ from what was reviewed.
"command": "npx", "args": ["-y", "saydeploy@latest"]
Pin the MCP package to a reviewed version, publish integrity/lock information, and avoid granting broad production credentials to unpinned runtime code.
Prompts, operation parameters, and service responses may involve sensitive business data depending on how the MCP server and SayDeploy backend operate.
The skill uses an external pairing flow plus MCP tools to broker operations across connected providers. This is expected for the product, but the artifacts do not detail data boundaries, retention, or what service data may pass through SayDeploy.
Open the URL it prints in your browser ... Connect your services ... SayDeploy exposes three MCP tools to OpenClaw
Review SayDeploy's documentation and privacy/security model before connecting sensitive production services.