Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
one-click dev and deploy
v1.0.0 Quickly create and deploy web apps to Cloudflare Pages; includes safety confirmation mechanisms for file overwrites, Git pushes, and system modifications.
⭐ 1 · 91 · 0 current · 0 all-time
by PlayWithAI (@samueli)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, required binaries (node, git, gh, wrangler), and required env (CLOUDFLARE_API_TOKEN) align with a Cloudflare Pages + GitHub deployment tool. The included deploy.js and SKILL.md implement deployment workflows expected for this purpose.
Instruction Scope
SKILL.md contains explicit safety rules (ask before destructive actions), which is good, but it also instructs the agent to read many configuration environment variables and files (PROJECTS_DIR, DEV_DEPLOY_CONFIG, ~/.config/dev-deploy/config.json, ~/.dev-deploy.json, etc.). The instructions permit running system-level installers (brew, npm -g) if authorized. Agent-level enforcement of the confirmation steps is not guaranteed by the skill itself — the script uses shell execution and forceful file copy that can overwrite user files if run without the promised confirmations.
Install Mechanism
This is an instruction-only skill with no install spec; that is lowest risk for installation mechanics. No remote downloads or package installs are automatic. The code file executes local commands (execSync/execFileSync), which is expected for deployment tooling.
Credentials
The declared required env var is only CLOUDFLARE_API_TOKEN which is appropriate. However, SKILL.md and deploy.js reference multiple other environment variables and config file paths (PROJECTS_DIR, DEV_DEPLOY_CONFIG, TEST_DELAY, MAX_RETRIES, etc.) that are not listed in requires.env — these appear to be non-secret configuration values, but their use should be noted. The skill does not request unrelated secrets (no AWS keys, etc.).
Persistence & Privilege
always:false and default autonomous invocation are standard. The skill writes project files under a projects directory and may create/modify repositories and push to remotes — these are within expected scope for a deploy tool but are high-impact operations that depend on user authorization steps described in SKILL.md.
What to consider before installing
This skill appears to do what it says (create and deploy projects to Cloudflare Pages) and requires node/git/gh/wrangler and a Cloudflare token — that is expected. However, before installing or running it:
- Review deploy.js yourself (or have someone you trust review it). The script uses execSync/execFileSync and fs.cpSync with force: true; if run without confirmations it can overwrite files and run git pushes.
- Ensure the agent or person invoking the skill will actually prompt for and obtain explicit user consent before any 'in-place' operations, installs (brew/npm -g), repo creation, or git push. The SKILL.md mandates this, but the platform/agent must enforce it.
- Provide a Cloudflare API token with least privilege and scoped to the intended account/zone; treat the token as sensitive.
- Back up any directories that could be targeted (projectsDir or source) before use.
- Prefer running the script manually (interactive terminal) the first time in a sandbox or throwaway environment to observe behavior.
If you want a higher assurance verdict, provide the full (untruncated) deploy.js for a line-by-line review and confirm how your agent enforces the SKILL.md confirmation steps.
Patterns worth reviewing
- deploy.js:137 — Shell command execution detected (child_process).
- deploy.js:74 — Environment variable access combined with network send.
- deploy.js:64 — File read combined with network send (possible exfiltration).
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
latest: vk976rp3p8kkkpwyb9avjw6dt6d83b008
Runtime requirements
🚀 Clawdis
OS: macOS · Linux · Windows
Bins: node, git, gh, wrangler
Env: CLOUDFLARE_API_TOKEN
