Is deploy-agent safe?
https://clawhub.ai/sherajdev/deploy-agent
deploy-agent is a deployment workflow tool that orchestrates GitHub and Cloudflare Pages deployments. It is functionally legitimate but raises significant concerns: every deployment defaults to a subdomain of the author's own domain (sheraj.org), the GitHub repositories it creates are public by default, and it needs access to cloud credentials (Cloudflare tokens, GitHub auth). Filesystem monitoring also detected reads of AWS credentials and .env files during installation. No outbound data exfiltration and no malicious install hooks were detected.
Findings (10)
HIGH Default deployment routes to author-controlled domain -20
All deployments default to '{name}.sheraj.org', so the skill author, not the user, controls DNS for every deployed site. Whoever controls that zone can repoint the name, serve or inject content, and observe deployment traffic, all without the user's knowledge. Users must set their own domain explicitly to avoid this.
HIGH Broad shell execution capabilities -30
The bash script runs commands with significant side effects: gh repo create (creates repositories, public by default here), wrangler pages deploy (publishes to Cloudflare), git add -A && git push (commits and pushes every file .gitignore does not exclude, including any stray .env or key files), and npm install / npm run (executes package scripts). Each of these acts directly on the user's cloud accounts and public repositories.
MEDIUM Accesses cloud credential files -15
The script uses ~/.wrangler.toml (Cloudflare API tokens) and the gh CLI (GitHub tokens). Both are needed for its stated purpose, but the same access would let a modified script, or a malicious future update of the skill, exfiltrate those credentials.
MEDIUM AWS credentials and .env accessed during install -25
Filesystem monitoring detected reads of /home/oc-exec/.aws/credentials and /home/oc-exec/.env during the clone/install phase. This may be platform-level behaviour rather than something the skill itself does, but it shows that sensitive files were readable, and were read, in the skill's install context.
MEDIUM Cross-skill chaining with C.R.A.B -10
The skill instructs the agent to use 'C.R.A.B' for the design phase, an implicit dependency on another skill or persona. If C.R.A.B contains malicious instructions they flow into this workflow, and the resulting trust chain is opaque to the user.
MEDIUM Creates public GitHub repositories by default -20
The push command creates GitHub repositories with the --public flag by default. A user who runs it on a private project without noticing makes their source code publicly visible.
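As an added example, not deploy-agent's own script and not code from the project, the three defaults flagged above (the author-controlled domain, git add -A && git push, and --public) can each be turned into a pre-flight check that a deploy wrapper runs before it touches gh, git or wrangler. Every name in it is hypothetical (DEPLOY_DOMAIN, preflight, SECRET_PATTERNS), the staged-file list is constructed for the demo, and the gh/wrangler commands are only printed, never executed.

```shell
#!/usr/bin/env bash
# Added example, not deploy-agent's own code. Pre-flight checks a deploy
# wrapper should run before gh repo create, git add -A && git push and
# wrangler pages deploy. Function and variable names are hypothetical;
# the gh/wrangler invocations are printed, not executed.
set -eu
set -f   # no pathname expansion: SECRET_PATTERNS are matched, never globbed

AUTHOR_DOMAIN='sheraj.org'   # the default the report flags; never fall back to it

# Check 1: refuse to deploy without a domain the user chose explicitly.
# Prints the domain on success; returns 1 when unset or under the author's zone.
require_explicit_domain() {
  domain="${1:-}"
  if [ -z "$domain" ]; then
    echo "refusing to deploy: set DEPLOY_DOMAIN, there is no default" >&2
    return 1
  fi
  case "$domain" in
    "$AUTHOR_DOMAIN"|*."$AUTHOR_DOMAIN")
      echo "refusing to deploy: $domain is under the author's domain" >&2
      return 1 ;;
  esac
  printf '%s\n' "$domain"
}

# Check 2: repository visibility defaults to private; public is opt-in.
repo_visibility_flag() {
  case "${1:-private}" in
    private) echo '--private' ;;
    public)  echo '--public' ;;
    *) echo "unknown visibility: ${1:-}" >&2; return 1 ;;
  esac
}

# Check 3: git add -A stages everything .gitignore does not exclude.
# Reads the would-be-staged paths, one per line (for a real repo:
# git ls-files --cached --others --exclude-standard), on stdin, prints
# each secret-like path and returns 1 if any were found.
SECRET_PATTERNS='.env .env.* */.env */.env.* *.pem *.key *.p12 *.pfx
*id_rsa *id_ed25519 credentials */credentials *credentials.json .npmrc */.npmrc'
scan_for_secrets() {
  found=0
  while IFS= read -r path; do
    for pattern in $SECRET_PATTERNS; do
      case "$path" in
        $pattern) printf 'secret-like file would be pushed: %s\n' "$path"
                  found=1; break ;;
      esac
    done
  done
  return "$found"
}

# Runs all three checks on DOMAIN VISIBILITY NAME with the file list on stdin;
# only if every check passes does it print the commands that would follow.
preflight() {
  name="${3:-myapp}"
  domain="$(require_explicit_domain "${1:-}")" || return 1
  visibility="$(repo_visibility_flag "${2:-}")" || return 1
  scan_for_secrets || return 1
  printf 'would run: gh repo create %s %s --source=. --push\n' "$name" "$visibility"
  printf 'would run: wrangler pages deploy ./dist --project-name=%s\n' "$name"
  printf 'custom domain to attach to the Pages project: %s\n' "$domain"
}

# Constructed sample of a project's staged file list: two entries are secrets.
SAMPLE_FILES='src/index.js
package.json
wrangler.toml
.env.production
deploy/id_rsa'

# Stand-alone demo: the sample list trips check 3, so nothing would be pushed.
printf '%s\n' "$SAMPLE_FILES" | preflight app.example.com private myapp \
  || echo 'preflight failed (expected for the sample list)'
```

The domain check deliberately has no fallback: a wrapper that substitutes a default is exactly the behaviour the finding describes. The secret scan is a conservative allow-list of file-name patterns, so it also catches things like .env.example; review its output rather than silently dropping matches.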
LOW Hardcoded external documentation reference -5
SKILL.md references an external Cloudflare documentation URL. This is standard technical documentation, but if the agent is told to fetch and process that page, its remote content becomes a vector for injected instructions.
LOW Persistent state accumulation in home directory -10
The skill stores deployment state in ~/.clawdbot/skills/deploy-agent/state/: project names, repo URLs, domains, and timestamps. This metadata accumulates over time and amounts to a profile of the user's projects.
INFO Skill metadata requests specific binary tools -5
The skill declares that it requires the gh, wrangler, and git binaries. That is appropriate for its purpose, but these CLIs are powerful, and requiring them effectively requests broad access to the user's GitHub account, Cloudflare account, and local repositories.
INFO No malicious install hooks detected 0
package.json is empty: no preinstall/postinstall scripts. No git hooks, submodules, or symlinks were found. The executable code is limited to the explicit deploy-agent.sh script.