ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GitHub Pages Auto Deploy

v1.0.0

Auto-deploy websites to GitHub Pages with custom domain support

0· 747·9 current·9 all-time
by@sendwealth
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (auto-deploy to GitHub Pages with custom domains) match the SKILL.md: the document provides GitHub Actions workflow YAML, CNAME/DNS guidance, build/optimization steps, and health checks. No unrelated credentials, system paths, or binaries are requested.
Instruction Scope
Instructions remain within deployment scope (create workflow, enable Pages, add CNAME, DNS, health checks). Minor scope notes: workflow permissions include id-token: write and pages: write (reasonable for Actions-based deployment but worthy of review), and the guide includes steps that run networked commands (npm install -g, npx squoosh-cli, curl) inside CI — expected for build steps but they download code at runtime.
Install Mechanism
No install spec and no code files—lowest risk. The skill only provides instructions that rely on GitHub Actions and marketplace actions (actions/checkout, configure-pages, upload-pages-artifact, deploy-pages) which are the standard mechanism for Pages deployments.
Credentials
The skill declares no required environment variables or credentials. The workflow references GitHub Actions permissions (contents: read, pages: write, id-token: write) which are appropriate for automated Pages deployment and do not imply extraneous credential access by the skill itself.
Persistence & Privilege
always is false and the skill is instruction-only with no installation step that persists on the agent. It does not request persistent system modifications or access to other skills' configs.
Assessment
This is a coherent how-to for GitHub Pages deployment. Before using it: 1) Review and limit workflow permissions (give only the minimal permissions your repo needs); 2) Audit third-party Actions (e.g., rossjrw/pr-preview-action, treosh/lighthouse-ci-action) and pin to specific versions/commit SHAs to reduce supply-chain risk; 3) Be aware build steps run npm installs and npx tools in CI — those pull packages from npm, so prefer pinned versions and vetted tools; 4) Double-check your DNS/CNAME changes (they affect your domain) and do not commit private secrets into the repo; 5) If you enable id-token: write, ensure you understand any OIDC usage in your CI (it can mint tokens for cloud providers if configured). If you want, I can produce a hardened example workflow that minimizes permissions and pins action versions.

Like a lobster shell, security has layers — review code before you run it.

latestvk97afkt6jbs091rf4qahhmxz0n821pwq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments