Is web-deploy-github safe?

https://clawhub.ai/ThomekSolutions/web-deploy-github

Overall score: 72 (CAUTION)

web-deploy-github is a legitimate static site deployment skill with no malicious intent, but it carries meaningful risk due to its design: shell scripts create public GitHub repositories and push code without confirmation, the project scaffold lacks a .gitignore, and the 'autonomous' workflow philosophy encourages deployment without human review. The generated GitHub Actions workflow requests id-token:write permissions beyond what's strictly necessary for static site hosting.

Category Scores

Category              Score    Weight
Prompt Injection      82/100   30%
Data Exfiltration     70/100   25%
Code Execution        50/100   20%
Clone Behavior        95/100   10%
Canary Integrity     100/100   10%
Behavioral Reasoning  55/100    5%

Findings (9)

[HIGH] Shell scripts with significant side effects (-25)

deploy_github_pages.sh creates public GitHub repositories, pushes code, and configures GitHub Pages deployment — all irreversible actions that affect the user's public GitHub profile. The script has no confirmation prompts or dry-run mode.

[HIGH] Generated GitHub Actions workflow with elevated permissions (-15)

init_project.sh generates a deploy.yml GitHub Actions workflow that requests 'id-token: write' permission. This OIDC token write permission is more powerful than needed for simple static site deployment and could be exploited if the workflow were modified.

[MEDIUM] Public repository creation risks data exposure (-20)

The deployment script creates public repositories by default. If the agent is working in a directory containing sensitive files (config files, API keys, personal data), these could be committed and pushed to a public repository without the user realizing.

[MEDIUM] No .gitignore generation in project scaffold (-10)

init_project.sh creates a project structure but does not generate a .gitignore file. This increases the risk that sensitive files accidentally placed in the project directory will be committed and pushed to the public repository.

[MEDIUM] Autonomous execution encouragement (-10)

SKILL.md repeatedly emphasizes 'autonomous' workflow and 'complete, production-ready code without placeholders', encouraging the agent to generate and deploy without pausing for user review. This behavioral nudge could bypass the user's expectation of oversight.

[MEDIUM] Hardcoded paths in reference docs suggest non-portable design (-8)

workflow.md contains hardcoded paths like /root/clawd/ and /root/creations/ which indicate the skill was designed for a specific environment. These paths could cause confusion or errors if the agent attempts to use them literally.

[LOW] Auto-deploy pipeline lacks human review checkpoint (-15)

The complete workflow (generate code → git init → create repo → push → auto-deploy via GitHub Actions) has no built-in checkpoint for human review. Agent-generated code goes directly to a public website.

[LOW] GitHub Actions workflow uses latest major version tags (-10)

The generated deploy.yml uses @v4 tags for GitHub Actions (checkout, configure-pages, upload-pages-artifact, deploy-pages). While standard practice, these mutable tags could theoretically be compromised via tag reassignment.

[INFO] Platform reads sensitive files during initialization (-5)

Filesystem monitoring shows reads of .env, .aws/credentials, .profile, .bashrc during clone. These appear to be openclaw platform initialization rather than skill-triggered behavior, but are noted for completeness.