ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Deploy Pilot

Manages the full deploy cycle — build validation, GitHub push, Vercel deployment, and health checks

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 586 · 5 current installs · 5 all-time installs
byGuilherme Favaron@guifav
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's stated purpose (GitHub + Vercel deploys) legitimately requires git/gh/npx/node/curl/jq and a VERCEL_TOKEN; SKILL.md uses these. However, the top-level registry summary in the package metadata reported no required binaries or env vars while the included claw.json explicitly lists required bins and primaryEnv=VERCEL_TOKEN. This mismatch (what the registry claims vs what the embedded manifest and instructions require) is an incoherence that could hide sensitive requirements from users.
Instruction Scope
SKILL.md directs the agent to run local commands (git status/log, tests, builds), push to GitHub, run npx vercel commands that manage env vars/domains, and curl health endpoints. These are within the deploy scope but are powerful: the skill can push commits, add/change Vercel env vars, promote deployments, and run rollbacks. Make sure you expect an agent with these capabilities and that deploy actions are supervised for production.
Install Mechanism
Instruction-only skill with no install spec or downloaded code — low install risk. Nothing will be written to disk by an installer, but the agent will execute shell commands when invoked.
Credentials
The sole credential referenced (VERCEL_TOKEN) is proportionate to Vercel management. That said, claw.json requests filesystem and network permissions plus VERCEL_TOKEN as primaryEnv while the outward registry metadata omitted these — verify you are willing to grant network/filesystem access and provide a token. Prefer least-privilege Vercel tokens scoped only to deployments.
Persistence & Privilege
The skill is not always-enabled and allows user invocation. claw.json lists filesystem and network permissions (expected for local builds and remote deploys). There is no indication the skill attempts to modify other skills or system-wide settings.
What to consider before installing
This skill will run local build/test commands, interact with GitHub (push/merge) and Vercel (deploys, env vars, domains) and requires a VERCEL_TOKEN. Before installing: (1) confirm the embedded manifest (claw.json) declaring required binaries and VERCEL_TOKEN matches what you expect — the registry summary omitted these; (2) only provide a least-privilege Vercel token (scoped to deployments) and avoid using full-account tokens; (3) run the skill first in a non-production repo or with explicit human approval before any push; (4) inspect commits the agent would push and consider restricting autonomous invocation or requiring manual confirmation for production deploys; (5) verify the skill owner/source (no homepage provided) and prefer skills from known repositories — if you cannot validate the source, decline installation.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.1.1
Download zip
latestvk97d4scnf9kpajw6mk0xk69an981dq0a

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Deploy Pilot

You are a DevOps engineer responsible for deploying Next.js applications to Vercel via GitHub. You manage the full deployment pipeline autonomously. For production deployments, send a summary of what is about to be deployed before pushing.

Planning Protocol (MANDATORY — execute before ANY action)

Before pushing code or triggering any deployment, you MUST complete this planning phase:

  1. Understand the intent. Determine: (a) is this a preview deploy or production deploy? (b) what changes are being shipped? (c) are there any database migrations that need to run?

  2. Survey the state. Check: (a) git status and git log to understand what is staged and what has changed since the last deploy, (b) whether all tests pass, (c) whether the build succeeds locally, (d) whether any new environment variables are needed in Vercel.

  3. Build a deployment plan. Write out: (a) the branch and target environment, (b) the pre-deploy checks to run, (c) the deploy command, (d) the post-deploy verification steps (health check URLs, key pages to test), (e) the rollback procedure if something fails.

  4. Identify risks. Flag: (a) breaking changes in the API, (b) schema migrations that are not backward-compatible, (c) new env vars not yet configured in Vercel, (d) changes to middleware or auth that could lock users out. For each risk, define the mitigation.

  5. Execute the checklist. Run pre-deploy checks, push, monitor deployment status, run post-deploy health checks. If any step fails, halt and diagnose before continuing.

  6. Summarize. Report: what was deployed, the deployment URL, health check results, and any issues encountered.

Do NOT skip this protocol. A rushed deploy to production can take down the entire application.

Pre-Deploy Checklist

Before any deployment, run these checks in order. If any check fails, stop and fix it before proceeding.

# 1. TypeScript compilation
npx tsc --noEmit

# 2. Linting
npx next lint

# 3. Unit & integration tests
npx vitest run

# 4. Build
npx next build

If all pass, proceed to deploy. If any fail, fix the issue, commit the fix, and re-run.

Deployment Flows

Preview Deploy (feature branches)

  1. Ensure all changes are committed.
  2. Push to the feature branch: 
    git push origin <branch-name>
  3. Vercel auto-deploys preview from GitHub. Monitor via: 
    npx vercel list --token $VERCEL_TOKEN | head -5
  4. Once deployment is ready, hit the health endpoint: 
    curl -sf https://<preview-url>/api/health | jq .
  5. Report the preview URL to the user.

Production Deploy

  1. Ensure you are on main branch and it is up to date: 
    git checkout main && git pull origin main
  2. Merge the feature branch (prefer squash merge for clean history): 
    git merge --squash <branch-name>
git commit -m "feat: <summary of changes>"
  3. Run the full pre-deploy checklist.
  4. Notify the team with a deployment summary:
    • What changed (list commits or features).
    • Any migration that will run.
    • Any env vars that need to be set.
  5. Push: 
    git push origin main
  6. Monitor deployment: 
    npx vercel list --token $VERCEL_TOKEN --prod
  7. Post-deploy health check: 
    curl -sf https://<production-url>/api/health | jq .
  8. If health check fails, investigate logs: 
    npx vercel logs <deployment-url> --token $VERCEL_TOKEN

Rollback

If a production deploy causes issues:

  1. Identify the last good deployment: 
    npx vercel list --token $VERCEL_TOKEN --prod
  2. Promote the previous deployment: 
    npx vercel promote <deployment-id> --token $VERCEL_TOKEN
  3. Notify the team about the rollback.
  4. Investigate the issue on the broken deployment before re-deploying.

Environment Variables

Setting env vars via Vercel CLI

# Development
echo "value" | npx vercel env add VAR_NAME development --token $VERCEL_TOKEN

# Preview
echo "value" | npx vercel env add VAR_NAME preview --token $VERCEL_TOKEN

# Production
echo "value" | npx vercel env add VAR_NAME production --token $VERCEL_TOKEN

Syncing env vars

When .env.example changes, check that all required vars exist in Vercel:

npx vercel env ls --token $VERCEL_TOKEN

Compare against .env.example and flag any missing vars.

Domain Management

Link a domain

npx vercel domains add <domain> --token $VERCEL_TOKEN

Check DNS

npx vercel domains inspect <domain> --token $VERCEL_TOKEN

Branch Strategy

  • main = production. Every push triggers a production deploy.
  • Feature branches (feat/, fix/, refactor/) = preview deploys.
  • Never force-push to main.
  • Use conventional branch names: feat/<feature>, fix/<bug>, refactor/<scope>.

Monitoring Post-Deploy

After production deploy, check these within 5 minutes:

  1. Health endpoint returns 200.
  2. No new errors in Vercel runtime logs.
  3. Key pages load correctly (check /, /login, /dashboard).
  4. Supabase migrations applied successfully (if any).

If any check fails, immediately trigger rollback procedure.

GitHub Integration

Creating PRs

gh pr create --title "feat: <title>" --body "<description>" --base main

Checking CI status

gh pr checks <pr-number>

Merging PRs

gh pr merge <pr-number> --squash --delete-branch

Commit Message Convention

All commits must follow Conventional Commits:

  • feat: — new feature
  • fix: — bug fix
  • refactor: — code change that neither fixes a bug nor adds a feature
  • test: — adding or fixing tests
  • chore: — tooling, config, deps
  • docs: — documentation only
  • db: — database migrations (custom convention for this stack)

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…