one-click dev and dploy
Security checks across malware telemetry and agentic risk
Overview
This skill appears purpose-aligned for creating and deploying web apps, but it can overwrite project files and use GitHub/Cloudflare credentials, so users should approve each action carefully.
Install only if you are comfortable letting the agent create or modify a project, run Git/GitHub/Cloudflare commands, and deploy to your accounts. Use a limited Cloudflare token, confirm every generated command before execution, and be especially careful with --source, --in-place, GitHub push, and Cloudflare deployment options.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill can execute local Git/GitHub/Cloudflare tooling and change your local project or remote deployment state.
The script executes local shell commands for prerequisite checks and deployment workflow steps. This is expected for a development/deployment skill, but it gives the skill real local execution capability.
execSync(command, { stdio: 'pipe' });
Review the exact command the agent plans to run, and only approve it when the project name, source directory, GitHub action, and Cloudflare deployment target are correct.
A token with broad permissions could allow changes to more Cloudflare resources than intended.
The script uses a Cloudflare API token from the environment or a config file so it can deploy to Cloudflare Pages. This is sensitive account authority, but it is aligned with the stated deployment purpose.
process.env.CLOUDFLARE_API_TOKEN || fileConfig.cloudflareApiToken || fileConfig.cloudflareToken || null
Use a least-privilege Cloudflare token scoped to the intended account/project, and avoid storing long-lived tokens in broadly readable config files.
If the wrong source or target path is approved, existing project files could be overwritten.
The script can copy project files with overwrite behavior. SKILL.md discloses that file overwrite and in-place/source operations require explicit user authorization.
fs.cpSync(sourcePath, targetPath, { recursive: true, force: true, filter: src => { const base = path.basename(src); if (base === '.git') return false; return true; } });
Before approving, verify the source directory, destination directory, and whether --in-place or --source is being used; back up important files first.
Installing global tools changes your local development environment and trusts external package sources.
The skill documents global dependency installation commands. They are not hidden or automatic and SKILL.md says system-level installs require user consent.
brew install gh
npm install -g wrangler
Install dependencies from official sources, confirm package names, and approve global installs only when you want the tool added to your system.
