ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Auto Deploy

v1.0.0

Automates Git project deployment by pulling code, building, and deploying via SSH to Linux servers with backup and health checks.

0· 53·2 current·2 all-time
by@zjm1226
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's purpose (deploying code to Linux servers via SSH) aligns with the included scripts (deploy.sh, rollback.sh, install-server-env.sh, etc.). However metadata claims no required credentials or env vars while the shipped files embed sensitive information (Git HTTP username/password, server IP, root user, and a plaintext password). Embedding those credentials in the package is inconsistent with the declared 'no required env vars' and the SKILL.md security guidance, and is unnecessary for the stated purpose (SSH keys or external secret store would be expected).
!
Instruction Scope
SKILL.md and the scripts instruct the agent to perform broad actions: pull, modify, commit, push code; build (npm/mvn); run remote commands as root; backup/restore server directories; and create/modify SSH authorized_keys. Several scripts actively read/write local private/public key files and print or embed passwords (show-ssh-config.js prints the server password). The agent guidance also includes enabling elevated command execution in OpenClaw config — all of which expands the agent's reach beyond a minimal deploy helper and could allow arbitrary code changes and remote root operations.
Install Mechanism
There is no formal install spec (instruction-only), which reduces install-supply risk, but the repository includes many executable scripts that will be written to disk when the skill is installed and executed. install-server-env.sh uses network downloads (nodesource curl) to install Node.js — expected for server setup but worth noting because it fetches and runs remote installation scripts at runtime.
!
Credentials
The skill declares no required env vars or primary credential, yet the files contain explicit credentials: deploy-config.json and other files include git username/password (zhangjiamin) and server root credentials and IP (192.168.1.168). Scripts use hardcoded server password strings, expect/sshpass automation, and reference ~/.ssh/server_deploy. This mismatch (no declared secrets but hardcoded secrets present) is disproportionate and risky. The README also instructs enabling broad 'elevated' tool permissions for the agent, which increases the attack surface.
Persistence & Privilege
always is false and the skill is user-invocable (normal). However the README explicitly instructs granting the agent 'elevated' permissions (git, ssh, scp, npm, mvn, tar) in OpenClaw config. Granting those capabilities combined with the scripts' behavior (remote root operations and arbitrary builds) should be treated as high privilege and audited before enabling.
Scan Findings in Context
[HARDCODED_CREDENTIALS] unexpected: Multiple files contain plaintext credentials and secrets (deploy-config.json contains git username/password; SSH_SETUP.md, show-ssh-config.js, and several scripts contain the server IP, user 'root', and password 'zhangjiamin'). For a deploy helper it is unusual and unsafe to ship hardcoded passwords in the skill.
[PASSWORD_BASED_SSH_AUTOMATION] unexpected: Scripts use expect/sshpass-like automation and heredocs with passwords to add authorized_keys and configure SSH (scripts/configure-ssh.sh, configure-ssh-manual.sh, show-ssh-config.js). Secure deployments typically use preinstalled SSH keys or external secret stores rather than automated password injection.
[REMOTE_ROOT_OPERATIONS] expected: The skill performs operations on remote servers (backup, overwrite deployment path, start/stop services) as root or using root-equivalent commands. That is expected for deployment, but combined with the other findings increases risk.
What to consider before installing
This skill appears to implement real deployment behavior but contains several red flags. Before installing or running it: - Do not enable broad 'elevated' agent permissions until you audit the code. The README asks you to allow the agent to run git/ssh/scp/npm/mvn/tar which grants high capability. - Inspect and remove any hardcoded credentials. The package includes plaintext usernames/passwords and a server IP (e.g., 'zhangjiamin' and 192.168.1.168). Treat those as leaked if they are real: rotate/change those passwords and keys on the remote systems immediately. - Prefer SSH-key based authentication stored securely (not committed in files). Replace password-based expect/sshpass flows with key-based or vault-backed secrets. - Avoid using root for deployment; use a dedicated, minimally privileged deploy user and restrict allowed commands on that account. - Audit scripts that modify authorized_keys and those that print private data (show-ssh-config.js prints password). Remove any code that reveals secrets to logs or stdout. - Run the skill only in a controlled/sandbox environment first (or on an isolated test server) to observe behavior. If you must use it in production, perform a full code review and sanitize deploy-config.json and other files, then apply principle of least privilege on the remote server. If you need help hardening this package, consider asking the author for a version that uses: no embedded credentials, explicit support for secret stores or environment variables, key-based SSH only, and a non-root deploy user. Also request provenance (source/homepage) — currently the skill's source is unknown.
!
deploy-config.json:3
Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f538m0n8pzgfc9t2f33v5tx83y2mt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments