Skylv Deployment Automation
Advisory
Audited by Static analysis on May 3, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If followed too freely, the agent could promote or change a production deployment before the user has reviewed the exact target and impact.
This is a high-impact production promotion command that includes an approval flag, but the skill does not state that the agent must get explicit user confirmation or validate the target before running it.
node deploy.js promote --from staging --to production --approve
Only use this skill with explicit per-deployment approval, known targets, dry-run or diff review, and least-privilege deployment credentials.
The agent may try to run an unknown local deployment script, which could perform actions outside what this skill document describes.
The skill depends on a local deploy.js runner, but the provided artifacts include no code file or install spec for that runner, making the executor's provenance and behavior unreviewed.
node deploy.js deploy --strategy canary --service api --canary-percent 10
Before use, verify the exact deploy.js file, its source, permissions, and expected behavior; do not run it from an untrusted workspace.
Using this skill in a privileged deployment environment could let the agent affect production systems.
Production deployment and promotion normally require privileged access, although the skill does not declare any credential handling.
Multi-env — Dev → staging → production promotion
Use narrowly scoped deployment credentials and require human approval for production changes.
