v1.0.0

Web Deploy GitHub Pages

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 4:56 AM.

Analysis

The skill matches its GitHub Pages purpose, but it can use your GitHub login to create a public repository and push all project files, so review it carefully before use.

GuidanceOnly use this skill if you are comfortable letting it create a public GitHub repository and publish the project contents. Before running deployment, inspect the folder, remove secrets or private files, add a .gitignore, confirm the GitHub account and repository name, and consider making the repo private or adding an explicit approval step.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

scripts/deploy_github_pages.sh

git add . ... gh repo create "$PROJECT_NAME" --public --source=. --remote=origin --push

The deployment script stages every file in the project directory and creates/pushes a public GitHub repository by default.

User impactAnything accidentally present in the project directory could be committed and published publicly on GitHub and GitHub Pages.

RecommendationReview the project directory before deployment, add a .gitignore and secret check, and require explicit approval or use private repositories by default.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

scripts/init_project.sh

uses: actions/checkout@v4 ... uses: actions/configure-pages@v4 ... uses: actions/upload-pages-artifact@v3 ... uses: actions/deploy-pages@v4

The generated GitHub Actions workflow runs external GitHub Actions pinned to version tags rather than immutable commit SHAs.

User impactThe generated repository will execute those public actions during deployment.

RecommendationFor stricter supply-chain control, pin actions to full commit SHAs and review workflow permissions.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusNote

scripts/deploy_github_pages.sh

if ! gh auth status &> /dev/null; then ... gh api -X POST "/repos/$GITHUB_USERNAME/$PROJECT_NAME/pages"

The script relies on the locally authenticated GitHub CLI to create and configure resources in the user's account, while the registry metadata declares no primary credential.

User impactThe skill needs GitHub account authority to create repositories, push code, and enable Pages.

RecommendationUse a GitHub account or token with only the permissions needed, and verify the target username and repository before deployment.