Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Deno Deploy

v0.1.0

Deploy simple web pages and HTML apps live to the internet using the Deno Deploy REST API. Use this skill whenever the user wants to make something "live", "...

by Hosain (@hosainnet)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill's claimed purpose (deploy to Deno Deploy) matches the code and instructions: the script calls https://api.deno.com/v1 to create a project and a deployment. However, the package metadata declares no required config paths or credentials while both SKILL.md and scripts/deploy.py require credentials saved under ~/.config/deno-deploy (access_token and org_id). That metadata omission is an inconsistency.
Instruction Scope
SKILL.md and the script stick to the stated scope: they instruct creating an org, storing a token and org ID in a local config directory, writing TypeScript code to a file, and calling the Deno REST API. The instructions do not request other system files, unrelated environment variables, or unexpected external endpoints beyond deno.com and the final deno.dev project URL.
Install Mechanism
No install step is provided (instruction-only with a bundled Python script). No downloads from arbitrary URLs or archive extraction occur. This is a low-risk install profile.
Credentials
The only sensitive artifacts the skill needs are an access token and org ID for Deno Subhosting, which is proportionate to the task. But the manifest did not declare required config paths or credentials; instead the script expects credentials in ~/.config/deno-deploy. The SKILL.md advises storing the token in a plaintext file, which is expected but is a sensitive practice the user should consider (use minimal-scope tokens and protect the file).
Persistence & Privilege
The skill does not request always-on presence, does not modify other skills or system-wide config, and only reads credential files from a user config directory. It does make network calls to the Deno API as required for deployment.
Assessment
This skill appears to implement exactly what it claims: it uploads your code to Deno Deploy using an org access token read from ~/.config/deno-deploy/access_token and the org ID file. Before installing or running it:

1) Verify provenance: the source/homepage is unknown and the registry entry lacks a homepage; prefer code from an official Deno source or your own trusted repo.
2) Inspect the script (you already can) and only run it if you trust it.
3) Use a minimal-scope access token and a dedicated subhosting org (so compromise impact is limited).
4) Be aware of the SKILL.md/manifest mismatch: the skill does require local credential files even though the metadata lists none.
5) Store the token securely (restrict filesystem permissions) and consider deleting tokens when not needed or using ephemeral/limited tokens.

If you are unsure about the origin, run the script in a sandboxed environment or recreate its HTTP calls with your own trusted tooling instead.


latest vk979kvm42t4a486neyj48ppn2h81yeea
