ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Git Deployer

Push static site content to GitHub Pages repositories. Clone, copy files, commit with timestamp, force-push. Use when updating GitHub Pages sites, deploying...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 36 · 0 current installs · 0 all-time installs
by@kryzl19
duplicate of @kryzl19/git-deployer
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included script and SKILL.md: the script clones a repo, copies site files, commits, and force-pushes. Required capabilities (git auth) are consistent with deploying to GitHub Pages or other git hosts.
Instruction Scope
Instructions and script stay within deployment scope, but the script uses rsync (not declared in SKILL.md requirements) and clones into /tmp without automatic cleanup. That can cause local-data retention and possible /tmp collisions across repos with the same basename.
Install Mechanism
No install spec (instruction-only plus a small shell script) — nothing is downloaded or installed by the skill itself.
Credentials
The skill requests no environment variables or credentials in metadata. It reasonably assumes git credentials or SSH keys are already configured locally. It does not attempt to read or exfiltrate other environment data.
Persistence & Privilege
Skill is not always-enabled and does not modify other skills or system configuration. It runs only when invoked and does not request elevated or persistent privileges.
Assessment
This skill appears to do what it claims, but review and consider the following before installing or running it: - Confirm you have git and rsync installed (the script uses rsync but SKILL.md only mentions git). - Be cautious: the script uses git --force to push, which will overwrite remote history on the target branch; prefer --force-with-lease or ensure you intend to replace remote state. - The script clones to /tmp/<repo_name> and does not delete that directory. On multi-user systems or shared machines this can leak site content or leave artifacts; consider modifying the script to use mktemp -d and perform cleanup after a successful deploy. - Because the /tmp directory is named from the repository basename, different repositories with the same name can collide; using a unique temp directory prevents accidental cross-repo contamination. - Review the contents of your site_path before running: any secrets present in the build output will be pushed to the remote. - If you want stricter safety: add validation of remote_url, require a pre-push confirmation step, and switch to safer push options. No malware indicators or unexpected external endpoints were found in the files provided. If you need higher assurance, request a version that: declares rsync in requirements, uses mktemp for the clone path, cleans up on exit, and uses safer push semantics.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk975e0xpc05q239x9a61xhktss83kaat

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

git-deployer

Deploy static site content to GitHub Pages or any git-backed host.

When to Use

  • GitHub Pages updates — You have a local build/output directory and want to push it to a username.github.io repo or a Pages branch (gh-pages, main)
  • Static site deployment — Hugo, Jekyll, Gatsby, Docusaurus, or any static site with a git-hosted output
  • Automated CI replacement — Instead of setting up GitHub Actions, you want a one-command deploy from your machine
  • Syncing local → remote — You edit content locally and need to push changes to a hosted git repository

Workflow

Local Site Directory → /tmp/clone → File Copy → Commit → Force Push → Done
  1. Clone or init — If the remote repo exists, clone it to /tmp/{reponame}. Otherwise initialize a fresh clone
  2. Copy files — Sync your local site directory contents into the clone (clean copy, not append)
  3. Commit — Stage all files, commit with auto-generated timestamp message
  4. Force push — Push to remote with force flag to overwrite remote state
  5. Report — Output success/failure with commit hash and push result

Usage

Via skill invocation (from agent)

Provide the following arguments:

  • site_path — Absolute path to the local site directory (the content to deploy)
  • remote_url — Full git URL (e.g., https://github.com/user/repo.git or git@github.com:user/repo.git)
  • branch — Branch to deploy to (default: main)

Via script directly

./scripts/deploy.sh /path/to/site git@github.com:user/repo.git [branch]

Output

  • Success — Shows commit hash, remote URL, branch, and push status
  • Failure — Shows error message with exit code and which step failed

Requirements

  • git must be installed and configured with credentials for the remote
  • SSH key or HTTPS token auth must be set up for the remote repository
  • Site path must exist and contain files

Notes

  • Uses --force push — this will overwrite remote state. Use with caution on shared branches
  • Clone happens in /tmp and is not cleaned up automatically (intentional: allows inspection)
  • Commit message format: Deploy: YYYY-MM-DD HH:MM:SS UTC

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…