Hormuzmonitorskills
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill’s monitoring purpose is coherent, but it asks the agent to automatically run an unreviewed deployment script that pushes updates to GitHub/Vercel without clear approval or credential boundaries.
Before installing, inspect ~/hormuz-website/scripts/update_and_deploy.sh, confirm the exact GitHub repository and Vercel project it can modify, and require manual approval before any push or deployment.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could change local files and trigger a public website update whenever the skill runs.
The skill instructs the agent to execute a shell command automatically after each cycle, without requiring user approval or constraining what the script may do.
After writing MONITOR_LOG.md, run this command to update the website: exec command: bash ~/hormuz-website/scripts/update_and_deploy.sh
Require explicit user approval before running the deployment script, document exactly what the script changes, and consider a dry-run or staging workflow.
A user cannot verify from these artifacts what code will run or what repository, credentials, or files it will affect.
The referenced helper script is outside the supplied skill artifacts, and there is no install spec or reviewed code showing its contents or provenance.
exec command: bash ~/hormuz-website/scripts/update_and_deploy.sh
Include the deployment script in the reviewed artifact set or require users to inspect and approve the local script path before enabling this step.
The agent may use the user’s existing GitHub/Vercel publishing privileges to modify a public site.
Pushing to GitHub uses delegated account or repository authority, but the skill does not declare or bound which credentials, repo, branch, or permissions are used.
This parses MONITOR_LOG.md into data.json and pushes to GitHub. Vercel auto-deploys on push.
Declare the exact repository and credential requirements, use least-privilege credentials, and require confirmation before any push.
Bad source data or a formatting mistake could be published to the website and persist until the next successful update.
A monitoring/logging output is automatically propagated through GitHub into a live Vercel deployment, so incorrect or manipulated data could become public without a review gate.
This parses MONITOR_LOG.md into data.json and pushes to GitHub. Vercel auto-deploys on push.
Add a manual review or staging step before production deployment, and document rollback procedures.
