GitHub Pages Auto Deploy

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: github-pages-auto-deploy
Version: 1.0.0

The `SKILL.md` file contains numerous shell command examples (`npm install`, `npx squoosh-cli`, `curl`) and GitHub Actions YAML configurations. They are presented as instructions for a human user setting up GitHub Pages and optimizing a website, but an OpenClaw agent that is vulnerable to prompt injection could interpret and execute these commands directly. The commands involve risky capabilities: system modification (installing global npm packages) and outbound network calls (`curl -f https://yourdomain.com`), even though they serve legitimate purposes and show no malicious intent. The skill therefore falls under the 'suspicious' category because of the potential for unintended execution via prompt injection, rather than 'malicious', since there is no evidence of intentional harm.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If added to a repository, the workflow can publish that repository's website through GitHub Pages.

Why it was flagged

The suggested GitHub Actions workflow grants permission to publish to GitHub Pages and request an identity token. These permissions are expected for GitHub Pages deployment, but they are still account/repository authority.

Skill content

permissions:
  contents: read
  pages: write
  id-token: write

Recommendation

Use the workflow only in repositories you intend to publish, keep branch protections appropriate, and review the GitHub Pages permissions before committing it.

What this means

Website changes can go live automatically after a matching push.

Why it was flagged

The workflow is designed to run automatically on pushes to the master branch when website files or the workflow change. That is purpose-aligned for auto-deploy, but a mistaken push could be published.

Skill content

on:
  push:
    branches: [ master ]
    paths:
      - 'website/**'
      - '.github/workflows/deploy-pages.yml'

Recommendation

Confirm the branch and path filters match your release process, and consider pull requests or branch protection for sites where accidental publication would matter.

What this means

If the optional snippet is used, future builds may run whatever versions of those npm packages are current at install time.

Why it was flagged

The optional optimization example installs npm packages globally in CI without pinning exact versions. This is a common build pattern, but it introduces external package supply-chain reliance.

Skill content

npm install -g html-minifier clean-css-cli uglify-js

Recommendation

Pin package versions or use a reviewed project lockfile for production workflows.