W-Spaces Deploy
ReviewAudited by ClawScan on May 10, 2026.
Overview
This appears to be a straightforward W-Spaces deployment helper, but it uses an API key to publish and manage W-Spaces resources, so users should review deploy and key-management actions before running them.
Use this skill only if you trust the W-Spaces service and are comfortable giving the agent a W-Spaces API key. Confirm each create, push, deploy, create-key, and revoke-key action before execution, verify WSPACES_API_URL is unset or trusted, and avoid storing real keys in shared logs or conversations.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill can create or update a W-Spaces site and make it live on the internet.
These commands create projects, upload site code, and deploy it to a live URL. That is central to the skill, but it can publish or change public-facing content.
scripts/wspaces_project.sh --create --name "My Landing Page" ... scripts/wspaces_push.sh --project <project-id> --file ./index.html ... scripts/wspaces_deploy.sh --project <project-id>
Confirm the intended project, file contents, and deploy action before letting the agent run these scripts.
Anyone with the API key may be able to manage W-Spaces projects and keys within the account permissions.
The skill requires a W-Spaces API key and includes API key creation, listing, and revocation workflows. This is expected for a deployment integration, but it grants account-level authority.
export WSPACES_API_KEY="wsk_live_xxxx..." ... scripts/wspaces_auth.sh --create-key --name "CI/CD Key" ... scripts/wspaces_auth.sh --revoke-key --id <key-id>
Use the least-privileged or dedicated key available, avoid sharing it in chats or logs, and revoke it when no longer needed.
The skill may fail or prompt for setup at runtime even though the registry metadata says no prerequisites are required.
The registry metadata does not declare runtime requirements that the docs and scripts rely on, including WSPACES_API_KEY, curl, jq, and python3.
Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none
Before use, install/verify curl, jq, and python3, and set WSPACES_API_KEY intentionally.
If WSPACES_API_URL is set incorrectly or maliciously, credentials or site content could be sent to a non-W-Spaces endpoint.
The default API destination is the expected W-Spaces API, but an undeclared WSPACES_API_URL environment override can change where login and API-key requests are sent.
API_BASE="${WSPACES_API_URL:-https://api.wspaces.app}" ... curl -s -X POST "$API_BASE/api/v1/auth/login"Unset or verify WSPACES_API_URL before using the skill, and use the default HTTPS W-Spaces API unless intentionally testing.