ClawHub

Web Deploy GitHub Pages

PassAudited by ClawScan on May 10, 2026.

Overview

This skill coherently builds and deploys static sites to GitHub Pages, but users should know it can create a public GitHub repository and push project files using their authenticated GitHub CLI session.

Before installing or using this skill, make sure you are comfortable with it creating a public GitHub repository, pushing the selected project folder, and adding a GitHub Actions workflow that deploys future pushes automatically. Check your gh CLI account and review the generated files so you do not accidentally publish private content.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note
ASI02: Tool Misuse and Exploitation
What this means

If run, the skill can publish the project contents publicly under the user's GitHub account.

Why it was flagged

The deployment script creates a public GitHub repository and pushes the local project. This is purpose-aligned for GitHub Pages, but it is a high-impact publishing action.

Skill content
gh repo create "$PROJECT_NAME" --public --source=. --remote=origin --push
Recommendation

Review the generated site and project folder before deployment, and confirm that public repository creation is intended.

Note
ASI03: Identity and Privilege Abuse
What this means

The skill acts with whatever GitHub permissions are available through the local gh CLI login.

Why it was flagged

The script relies on the user's authenticated GitHub CLI session to create repositories, push code, and configure Pages, while registry metadata declares no primary credential.

Skill content
if ! gh auth status &> /dev/null; then
    echo "❌ Not authenticated with GitHub CLI"
    echo "Run: gh auth login"
Recommendation

Use an appropriately scoped GitHub account/session and verify which account gh is authenticated as before running deployment.

Note
ASI08: Cascading Failures
What this means

Future changes pushed to the repository may automatically update the public website.

Why it was flagged

The skill creates a persistent GitHub Actions workflow that deploys on every push to main. This is normal for GitHub Pages automation but means later pushes can automatically publish changes.

Skill content
cat > .github/workflows/deploy.yml <<'EOF'
name: Deploy to GitHub Pages

on:
  push:
    branches: [ main ]
Recommendation

Keep the generated workflow only if automatic publication on push is desired, and review changes before pushing to main.