ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

W-Spaces Deploy

Deploy static websites to W-Spaces. Use when deploying HTML/CSS/JS sites, landing pages, or single-page apps to wspaces.app. Supports project creation, code...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 17 · 0 current installs · 0 all-time installs
byTran Dac Truong@trandactruong
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The scripts and documentation clearly implement W-Spaces project creation, code push, and deployment via an API key, which matches the stated purpose. However the registry metadata claims 'no required env vars' and 'no required binaries' while the scripts require WSPACES_API_KEY and recommend curl, jq, and python3. That mismatch (declared requirements vs. actual requirements) is incoherent and should be corrected before trusting the package metadata.
Instruction Scope
SKILL.md instructs only actions related to W-Spaces (register/login, set API key, create projects, push HTML, deploy). The scripts call only the documented API endpoints and read only the provided HTML file content; they do not attempt to read arbitrary system files or contact unexpected endpoints by default.
Install Mechanism
This is instruction-only from an installer perspective (no install spec), but the package contains executable shell scripts. There is no network download/install step in the skill itself, which lowers risk, but the presence of executable scripts means users will run code from an unknown publisher — review the scripts before executing.
!
Credentials
The scripts require a sensitive env var (WSPACES_API_KEY) but the metadata does not declare it. Additionally the scripts honor WSPACES_API_URL to override API_BASE; if that env var is set to an attacker-controlled host, the API key will be sent there. Requesting/storing an API key for the service being used is reasonable, but the missing declaration and endpoint-override behavior increase the risk of accidental credential leakage.
Persistence & Privilege
The skill is not always-enabled and does not request special platform privileges. The only persistent action suggested is the user copying their API key into shell startup files (e.g., ~/.bashrc) if they choose — a user action, not an automatic modification by the skill. The skill does not attempt to modify other skills or system-wide settings.
What to consider before installing
Before installing or running this skill: 1) Inspect the included scripts (wspaces_*.sh) yourself — they are small and readable; confirm curl/jq/python3 usage. 2) Know that the scripts require and will send WSPACES_API_KEY to the API_BASE (default https://api.wspaces.app); do not set WSPACES_API_URL to an untrusted host because the scripts will send your key there. 3) The registry metadata incorrectly lists no required env vars/binaries — treat that as a quality/attention-to-detail issue and verify requirements manually. 4) Prefer creating a limited-scoped API key for CI or short-lived use and avoid putting long-lived secrets directly into persistent dotfiles unless you understand the exposure. 5) Because the package source/homepage is unknown, only proceed if you trust the publisher or after running the scripts in an isolated environment; if you need higher assurance, ask the publisher for a canonical homepage/repository and a signed release.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97bj51f15kws0yg28ggmymvbd8378sg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

W-Spaces Deployment

Deploy static websites to W-Spaces (wspaces.app). Create projects, push HTML, and deploy to a live URL — all via API.

Configuration

Get your API key

  1. Register: scripts/wspaces_auth.sh --register --email you@example.com --password yourpass --name "Your Name"
  2. Verify your email (check inbox)
  3. Login: scripts/wspaces_auth.sh --login --email you@example.com --password yourpass
  4. Copy the API key from the response

Set the API key

export WSPACES_API_KEY="wsk_live_xxxx..."

Or store in .env:

WSPACES_API_KEY=wsk_live_xxxx...

Operations

Create a project

scripts/wspaces_project.sh --create --name "My Landing Page"

Response includes project ID and slug.

Push HTML code

# From a file
scripts/wspaces_push.sh --project <project-id> --file ./index.html

# From inline HTML
scripts/wspaces_push.sh --project <project-id> --html "<html><body><h1>Hello</h1></body></html>"

Deploy to live URL

scripts/wspaces_deploy.sh --project <project-id>

Result: https://<slug>.wspaces.app

List projects

scripts/wspaces_project.sh --list

Check project details

scripts/wspaces_project.sh --get --id <project-id>

View deployments

scripts/wspaces_deploy.sh --list --project <project-id>

Common Workflows

Deploy a landing page

# 1. Create project
scripts/wspaces_project.sh --create --name "Startup Landing"
# → project ID: abc-123

# 2. Push code
scripts/wspaces_push.sh --project abc-123 --file ./index.html

# 3. Deploy
scripts/wspaces_deploy.sh --project abc-123
# → https://startup-landing-xyz.wspaces.app

Update existing site

# Push new code (creates new version)
scripts/wspaces_push.sh --project abc-123 --file ./index.html

# Redeploy
scripts/wspaces_deploy.sh --project abc-123

Full flow from scratch

Tell your agent:

  • "Create a W-Spaces project called My Portfolio"
  • "Push this HTML to my W-Spaces project"
  • "Deploy my project to wspaces.app"

API Key Management

# Create additional API key
scripts/wspaces_auth.sh --create-key --name "CI/CD Key"

# List all keys
scripts/wspaces_auth.sh --list-keys

# Revoke a key
scripts/wspaces_auth.sh --revoke-key --id <key-id>

API Reference

See wspaces-api.md for complete API documentation.

Troubleshooting

"WSPACES_API_KEY not set"

export WSPACES_API_KEY="wsk_live_xxx..."

"Invalid API key"

  • Key may be revoked — generate a new one via login
  • Check for extra spaces when copying

"Please verify your email"

  • Check your inbox for verification email
  • Verify before logging in

"Project not found"

  • Verify project ID with scripts/wspaces_project.sh --list

Files

8 total
Select a file
Select a file to preview.

Comments

Loading comments…