ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

IGA Pages

v1.0.5

Deploy frontend and full-stack projects to IGA Pages. Use when the user mentions IGA Pages or requests deployment ("deploy my app", "publish this site", "pus...

0· 235·0 current·0 all-time
by@seasonrui

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for seasonrui/iga-pages.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "IGA Pages" (seasonrui/iga-pages) from ClawHub.
Skill page: https://clawhub.ai/seasonrui/iga-pages
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install iga-pages

ClawHub CLI

Package manager switcher

npx clawhub@latest install iga-pages
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description (deploy to IGA Pages) match the instructions, which center on using the @iga-pages/cli to build, link, and deploy projects. However, the SKILL metadata declares no required credentials or environment variables even though the runtime instructions require access keys (AK/SK) for headless login and reference detecting headless environments via $SSH_CONNECTION. That mismatch (no declared required creds but clear runtime credential needs) is a minor inconsistency.
!
Instruction Scope
The instructions are explicit about commands to run (npm i -g @iga-pages/cli, iga login, iga pages deploy), which is expected. Concerns: (1) they direct use of AK/SK for headless auth (sensitive credentials) and tell agents/users to include those on the CLI; (2) they instruct sharing full preview URLs that include query tokens (?iga_token=...&iga_time=...), which are essentially bearer tokens and should not be treated as public links; (3) they reference using $SSH_CONNECTION to auto-detect headless environments but the skill metadata did not declare this env var usage. These behaviors expand the scope to handling sensitive secrets and decisions based on environment state.
Install Mechanism
There is no install spec in the registry (instruction-only), but the runtime guidance tells users to install @iga-pages/cli via npm (npm i -g @iga-pages/cli@latest). Installing a third-party CLI from the npm registry is a common pattern but is a moderate-risk operation because it will run arbitrary code from that package; the SKILL.md does not point to a source repo or homepage for verification.
!
Credentials
The skill requires credentials in practice (AK/SK) for headless deployments and references Volcengine's IAM console as the source of keys, but the skill metadata lists no required environment variables or primary credential. The instructions also reference $SSH_CONNECTION for environment detection. Requesting cloud access keys is proportionate to a deploy tool, but the omission in metadata and no guidance on scope/permissions for the keys (least privilege, temporary keys) is a red flag: users may be prompted to supply high-privilege long-lived keys without guidance.
Persistence & Privilege
The skill is not forced-always and does not request persistent presence or modify other skills; model invocation is allowed (default) which is normal. There is no install-time modification of other agent configs in the provided instructions.
What to consider before installing
This skill appears to be a straightforward guide for using the IGA Pages CLI, but it asks you to install an npm package and to provide cloud access keys for headless deployments while the registry metadata does not declare those credentials. Before installing or running it: (1) verify the @iga-pages/cli package on npm and find its source repository and author — do not install a CLI you can't audit; (2) prefer browser-based login when possible; if you must use AK/SK, create least-privilege, short-lived keys in a throwaway/test project first; (3) never share preview URLs publicly because the query parameters include access tokens; treat them like secrets; (4) ask the publisher for a homepage or source repo (none is listed) and confirmation of exactly what permissions the AK/SK require; (5) if you plan to run this in CI, review the CLI's code or run it in an isolated environment first. These steps will reduce the risk that an untrusted CLI or mis-scoped keys could be abused.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f3mg08yhw8tvcmv7jv7fjgh85b2j6
235downloads
0stars
6versions
Updated 6d ago
v1.0.5
MIT-0
@seasonrui
latest
Download

IGA Pages Skill

Two areas: CLI (iga tool for auth, link, dev, build, deploy) and Project development (functions, API routes).

Run iga <command> -h for full flag details.

Critical: CLI Version

The @iga-pages/cli version must be >= 1.0.3. Check with iga --version; if it's older (or not installed), upgrade before running any other command:

npm i -g @iga-pages/cli@latest

Critical: Framework Compatibility

Supported frameworks: Next.js, Vite, Vue CLI, Create React App, Angular, Hexo, Docusaurus, VitePress, VuePress, Hugo. Frameworks not in this list (e.g. Nuxt, Remix, Astro) are unsupported — proactively inform the user before proceeding.

Pure static assets (plain HTML/JS/CSS) can also be deployed — the project root is used as the output directory by default.

Critical: Login Authentication

Before any deploy or link command, authenticate with iga login. The login method depends on the environment:

  • Local IDE (VS Code, TRAE desktop, etc.) → browser login:

    iga login

Wait for the user to complete browser auth. The CLI prints a success message when done.

  • Remote / headless environment (SSH, Cowork, CI/CD, cloud dev container, etc.) → AK/SK login: 
    iga login --accessKey <YOUR_AK> --secretKey <YOUR_SK>
    Browser-based login is unavailable in headless environments; AK/SK is the only option. Obtain AK/SK from the Volcengine IAM console.

To determine the environment: if the session has no display or browser access (e.g., $SSH_CONNECTION is set, running inside a container, or the user mentions they are on a remote machine), default to AK/SK login. Otherwise, prefer browser for its simplicity.

Critical: Working Directory

All iga commands must run inside the project root. Scaffolding tools (create-next-app, npm create vite, hugo new site, etc.) create a subdirectory — you must cd into it before any iga command:

npx create-next-app@latest my-app --yes
cd my-app && iga pages deploy --name my-app

Quick Reference

npm i -g @iga-pages/cli

iga login                         # local IDE: opens browser
iga login --accessKey <AK> --secretKey <SK>  # remote/headless: AK/SK login

## new project
iga pages deploy --name <my-app>   # deploy (auto-creates project on first run)
## project already linked
iga pages deploy

iga pages link                     # link to existing project without deploying
iga pages dev                      # local dev server
iga pages build                    # build for production
  • deploy auto-detects GitHub remote → Git deploy; otherwise → upload deploy. Only GitHub is supported for Git integration.
  • If deploy output includes a preview URL with ?iga_token=...&iga_time=..., share that full URL (query included); omitting it can break access.

Anti-Patterns

CLI

  • Running iga commands outside the project directory → always cd into the scaffolded subdirectory first
  • Deploy without login → always iga login first
  • Committing .iga/ → it's auto-gitignored, don't remove the entry
  • provider: "upload_v2" with GitHub remote → delete .iga/project.json and redeploy to switch to Git deploy

Comments

Loading comments...