Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Quick Deploy
v1.0.0
Deploy projects to Vercel, Netlify, or Fly.io with one command. Auto-detects framework (Next.js, React, Python, Node.js, static HTML). Shows deploy URL when...
⭐ 0 · 41 · 0 current · 0 all-time
by Ha Le @vanthienha199
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (quick deploy to Vercel/Netlify/Fly.io) matches the instructions: auto-detect files in the project root and run the relevant CLI commands. Nothing requested or referenced (no extra env vars, no unrelated binaries) is out of scope for a deploy helper.
Instruction Scope
Instructions tell the agent to inspect project-root files (package.json, next.config.*, Dockerfile, etc.) and run deploy/status/rollback/log commands via vendor CLIs. That is expected for deployment, but the skill's runtime commands will upload project contents to remote hosting—so the agent will transmit project code to third-party services as part of normal operation. The SKILL.md does include a useful rule to ask before production deploys.
Install Mechanism
There is no package/install spec in the skill bundle itself, but the instructions tell the agent to install CLIs if missing (npm -g vercel/netlify-cli, and curl | sh https://fly.io/install.sh). Installing global npm packages and piping a remote install script are common for CLI installs but carry moderate risk. The URLs used (npm registries and fly.io) are expected official sources.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. That matches the instructions which rely on the vendor CLIs for authentication rather than asking for tokens. This is proportionate for a deploy helper.
Persistence & Privilege
Skill is instruction-only, has no install script or always:true, and does not request persistent presence or modify other skills. It may cause system changes by installing CLIs globally if run, which is expected behavior for the described functionality.
Assessment
This skill appears coherent for deploying projects, but here are practical precautions before you use it:
- Understand what will happen: the agent will read files in your project root and run deploy commands that upload your code to an external hosting provider. Only run it on repositories you intend to publish.
- CLI installs: the instructions will install vercel/netlify CLIs via npm -g (global install) and run a fly.io install script via curl | sh. Those are official providers but installing global packages or piping remote scripts modifies your system—run this in a disposable/container environment or inspect the install commands first.
- Authentication: the skill relies on the CLIs' auth flows; it does not ask for tokens, which is good. Make sure you are logged into the correct accounts and that the agent prompts you before deploying to production (the SKILL.md says to ask).
- Production safety: confirm the skill's prompt is shown and answered before any production deploy; consider restricting the agent to preview/staging runs until you validate its behavior.
- Origin caution: the skill has unknown source and no homepage. That doesn't make it malicious, but you should be more cautious: review the SKILL.md and (if used) monitor exactly which commands are run.
If you want extra safety, run the commands the skill would use manually or inside a controlled CI container the first few times instead of letting the agent execute them autonomously.
latestvk974j6s7z0hyxfa0w4619yz0w583qg8t
