ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sigmaflow Deploy

Deploy the SigmaFlow SvelteKit trading frontend to the Git repository. Use when building and deploying changes to the SigmaFlow application, including after...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 22 · 0 current installs · 0 all-time installs
byVitali Sakalouski@sirenday
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The name, description, SKILL.md, and scripts/deploy.sh are consistent: they clone, build, commit, and push a SvelteKit frontend to a GitLab instance. However, the script contains an embedded repository URL and a long token; the skill metadata declares no required environment variables or credentials — storing credentials in the script instead of declaring them is a mismatch and unnecessary for the stated purpose.
Instruction Scope
The runtime instructions and included script stay within deployment scope: cloning/updating the repo, npm install, npm run build, git add/commit/push. The script does not attempt to read unrelated system files or contact unexpected external endpoints beyond the stated GitLab host. Note: npm install and build will execute code from the repo's dependencies (normal for builds but a supply-chain risk).
Install Mechanism
There is no install spec and the skill is instruction-only with a single shell script. No arbitrary downloads from untrusted URLs are performed by the skill itself. The only network operations are git clone/push to the declared git.homelab host and npm fetches as part of a normal build.
!
Credentials
The deploy.sh script hardcodes a Git URL and a long secret token (TOKEN) inside the script rather than declaring a required credential or using environment variables. The skill metadata lists no required env vars or primary credential, so the presence of a plaintext credential in code is disproportionate and inconsistent with the metadata. Hardcoded tokens are high-risk (easy to leak or accidentally commit elsewhere).
Persistence & Privilege
The skill does not request persistent/always-on privileges (always: false) and does not modify other skills or system-wide agent settings. The agent can invoke it autonomously (default) which is normal, but if allowed to run autonomously it would have network access to the Git host and the embedded token—combine with the credential concern above when deciding permissions.
What to consider before installing
This skill appears to perform a legitimate deployment, but it embeds a plaintext Git token (and Git URL) directly in scripts rather than using declared environment variables or secret management. Before installing or running: (1) do not use the embedded token—replace it with a properly scoped token stored in an env var or secret store and update the script/metadata to declare that env var; (2) verify the token's scope and rotate it if you suspect it was leaked; (3) review the repository being cloned and its package.json for untrusted dependencies (npm install runs arbitrary build-time code); (4) avoid running this script on sensitive hosts or under high-privilege accounts; (5) consider running it in an isolated CI runner or container and audit network access to git.homelab. The mismatch between declared requirements (none) and a hardcoded credential is the primary reason to treat this skill with caution.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk971mjkzvb2gfpdyjaqh8z8qh9831yxs

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

SigmaFlow Deploy

Overview

Automates deployment of the SigmaFlow trading frontend to the GitLab repository at http://git.homelab:3000/vitali/SigmaFlow-Svelte. This skill handles the full deployment workflow: repository management, dependency installation, SvelteKit production build, and pushing to the remote repository.

Quick Start

Basic Deployment

# Deploy to main branch (default)
scripts/deploy.sh

# Deploy to specific branch
scripts/deploy.sh ./SigmaFlow-Svelte main

# Use custom repo directory
scripts/deploy.sh /path/to/repo dev

When to Run

  • After completing a feature implementation (charts, orders, portfolio)
  • After bug fixes or code changes
  • Before testing in production environment
  • As part of CI/CD pipeline integration

Deployment Workflow

The deployment script performs these steps:

  1. Clone/Update Repository: Clones from GitLab if needed, or updates existing clone
  2. Install Dependencies: Runs npm install if node_modules doesn't exist
  3. Build Application: Runs npm run build to create production bundle
  4. Commit Changes: Stages all changes with timestamped commit message
  5. Push to Remote: Pushes to specified branch (default: main)

Repository Credentials

The script uses embedded credentials:

  • URL: http://git.homelab:3000/vitali/SigmaFlow-Svelte.git
  • Token: c865b793f09a3b79b65ebdfbd75c5b17395188d2

Security Note: These credentials are stored in the script. For production environments, consider environment variables or secret management.

Parameters

The deploy script accepts optional parameters:

  • $1 (optional): Repository directory path (default: ./SigmaFlow-Svelte)
  • $2 (optional): Branch name to push (default: main)

Output

On success, the script displays:

  • [INFO] messages for each step
  • Final success message with deployment confirmation
  • Application URL (configure based on hosting setup)

On no changes:

  • [WARN] indicating no changes to commit
  • Graceful exit (no git push)

Troubleshooting

Build fails: Check SvelteKit configuration and fix errors, then re-run deploy Authentication error: Verify token is valid and has write access to repository Push rejected: Pull latest changes, resolve conflicts, then deploy again

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…