Deploydevnlu

Before installing, consider these precautions: - Treat this as potentially dangerous until you audit it: the skill will attempt to add and use a local SSH private key (~/.ssh/supplywhy-dev-key.pem). Only proceed if you trust the skill source and you have a dedicated deploy key (not your personal account key). - The SKILL.md and code disagree about how the image/tag is supplied. Test in a safe environment to confirm which input (an explicit tag argument vs. a parsed environment string) will be used. - The code injects the parsed environment directly into shell commands (sed/ssh). Malformed or unexpected NLP output could allow command injection. Prefer sanitizing inputs or restricting allowed values to {production,staging,dev} before running commands. - Verify the hardcoded ECR account (590183820143) and the target host name (supplywhy-dev-master) are appropriate for your org; otherwise the skill could target the wrong resources. - Use a limited-scope deploy key with restricted access and rotate it if the key is ever exposed. Run the deployment steps manually once from a machine with only the deploy key to confirm behavior before allowing the skill to run automatically. - If you cannot audit the code or don't trust the author, do not install the skill on a machine that holds other SSH keys or sensitive credentials. If you want to proceed but reduce risk: modify the code to validate/sanitize parsed environment values, require explicit configuration of the SSH key path in metadata, and use a dedicated, least-privilege deploy key.