C.R.A.B Deploy Agent
v1.1.0
Multi-step deployment agent for full-stack apps. Build → Test → GitHub → Cloudflare Pages with human approval at each step.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description promise a multi-step deploy to GitHub and Cloudflare which the script implements (gh, wrangler, git usage). However, the skill metadata omits utilities the script actually uses: the SKILL.md and script reference 'jq' and 'npm' (and the script calls npm list, grep, etc.), but the registry metadata lists required binaries only as gh, wrangler, git. SKILL.md also references a Cloudflare token in ~/.wrangler.toml and a default domain of {name}.sheraj.org; neither the config path nor the external default domain is declared in registry metadata. These discrepancies mean the declared requirements don't fully match what the skill actually needs.
Instruction Scope
The runtime instructions and the included script perform local state reads/writes under ~/.clawdbot/skills/deploy-agent and call external CLIs that will access the user's GitHub and Cloudflare credentials (gh, wrangler). That's expected for a deploy tool, but SKILL.md gives a surprising default domain (sheraj.org) which implies publishing under a third-party domain unless user overrides — this is unexpected and should be verified. The instructions also assume user tools/config are already authenticated (no guidance for securing tokens).
Install Mechanism
No install spec (instruction-only plus bundled script) — low risk from arbitrary network installs. Files are provided with the skill (script + SKILL.md) so nothing is fetched on install. This is the lower-risk install pattern.
Credentials
Registry metadata declares no required env vars or config paths, yet SKILL.md and the script expect Cloudflare configuration (wrangler whoami and ~/.wrangler.toml) and rely on the user's authenticated 'gh' and 'wrangler' CLI state to push repos and deploy. The script also uses jq and npm but those are not declared in required binaries. The skill asks for access to services (GitHub, Cloudflare) implicitly via CLIs, but the metadata does not document those dependencies or the config locations — this is an omission that reduces transparency.
Persistence & Privilege
The skill stores state under the user's home (~/.clawdbot/skills/deploy-agent/state) and does not request elevated or system-wide privileges. 'always' is false and it doesn't claim to modify other skills or system configs beyond using existing CLI tools/configs. Persisting state in the user's home directory is expected for this kind of tool.
What to consider before installing
This skill appears to implement a deploy workflow, but there are mismatches and surprising defaults you should review before installing:
- The script and SKILL.md use jq and npm, and expect a wrangler Cloudflare configuration (~/.wrangler.toml) and authenticated gh/wrangler CLIs, but the registry metadata does not declare jq/npm or the config path. Ensure you have (and trust) the required CLIs and configs before running.
- The SKILL.md sets a default custom domain of {name}.sheraj.org. Do not allow automatic use of a third-party domain; explicitly provide your own domain or confirm how the domain is assigned.
- Inspect the full scripts/deploy-agent.sh (especially the push/deploy sections) to see exactly what gh, git, and wrangler commands will run and whether any network endpoints beyond GitHub/Cloudflare are contacted.
- Run the tool in a safe environment (local sandbox or disposable account) first, and verify it uses your authenticated gh/wrangler credentials rather than trying to read unrelated secrets.
- If you need more assurance, ask the publisher for: a complete list of required binaries and config paths, explanation of the default domain choice, and confirmation that no hidden remote endpoints are contacted.
Given these inconsistencies, proceed only after verifying the script's actions and the domain behavior — the issues may be benign omissions or laziness, but they should be clarified before trusting the skill with your credentials or deploying publicly.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🚀 Clawdis
Bins: gh, wrangler, git
