PostMe Deploy
v1.0.3Deploy local HTML/frontend files to PostMe (dele.fun) and get a live URL
⭐ 0· 117·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The skill declares and implements a deploy-to-PostMe workflow: it reads local files, bundles them, and POSTs them to a PostMe upload endpoint. Requiring a POSTME_API_KEY and optionally POSTME_API_URL is proportionate for that purpose. One inconsistency: the registry metadata above says "Required env vars: none" while SKILL.md explicitly requires POSTME_API_KEY — this appears to be a metadata oversight.
Instruction Scope
The SKILL.md instructs the agent to determine an absolute target_path and upload every file found under it. That scope is appropriate for deploying a project folder, but the allowed-tools (read(*), glob(*)) and the implementation mean the agent could read and upload any path the caller supplies. The instructions do not attempt to read unrelated system configuration or credentials.
Install Mechanism
This is an instruction-only skill with no install spec and no remote downloads. It mentions a normal Python dependency (requests) which the README asks the operator to pip install; there is no embedded/install-time network fetch of arbitrary code.
Credentials
The skill requires a single service credential (POSTME_API_KEY) and optionally a custom API URL — both are expected for an API-based deployer. The required secret is proportional, but because it is sensitive, you should only set it for a trusted agent and consider scoping or rotating the key. Also note the registry metadata does not reflect this required env var, which could confuse users.
Persistence & Privilege
The skill does not request permanent/always-on presence (always: false) and does not modify other skills or system-wide config. Autonomous invocation is permitted by default (disable-model-invocation: false) which is normal for skills; combine this with the fact the skill can read local paths only when invoked.
Scan Findings in Context
[no-regex-findings] expected: The static regex scanner found no issues; the SKILL.md contains an embedded Python implementation (file I/O + HTTP upload) but there were no separate code files for the scanner to analyze. The presence of file I/O and network requests is expected for a deploy skill.
Assessment
This skill does what it says: it will read files under whatever path you pass it and upload them to the PostMe API using a POSTME_API_KEY. Before installing or enabling it: (1) confirm the skill's source/trustworthiness (homepage is missing), (2) only provide a target_path that contains non-sensitive files (do not point it at your home directory), (3) store the POSTME_API_KEY in a secure place and consider using a scoped/temporary key if PostMe supports it, (4) be aware the registry metadata incorrectly lists no required env vars — rely on the SKILL.md, and (5) if you want extra safety, test with a dummy key and non-sensitive sample content first and rotate the API key afterwards.Like a lobster shell, security has layers — review code before you run it.
latestvk97cm96ramf3zm4660jj0psjjh83xphy
License
MIT-0
Free to use, modify, and redistribute. No attribution required.