Simplifies deploying web apps to Vercel, Railway and Supabase by detecting the project, checking the CLIs, recommending the platform and running the dep...
Security Analysis
high confidence
The skill's code and instructions are consistent with a CLI-based deployment helper for Vercel, Railway and Supabase; nothing in the package requests unrelated credentials or hidden network endpoints.
Name/behavior align: the SKILL.md and scripts/deploy.py focus on detecting project type, checking CLI availability, recommending a platform, and running platform CLIs to deploy. No unrelated credentials, binaries, or system paths are requested.
SKILL.md instructs the agent to detect projects, verify CLIs, and always ask for confirmation before deploying. The script runs subprocesses to invoke platform CLIs (vercel, railway, supabase) which is expected for a deploy helper — but those CLIs (and the project's build steps they trigger) can execute arbitrary code from the repository during build/runtime, so the agent/user should be aware and confirm deployments before running in sensitive environments.
There is no install spec in the skill (instruction-only plus a helper script), which is low risk. The bundled reference docs include example install commands (npm global installs and a curl | sh line for Railway); the skill does not execute these, but they are potentially risky if a user runs them blindly.
The skill does not request environment variables or credentials. References mention CLI authentication (interactive login or tokens) which is appropriate for deployment CLIs; nothing indicates unnecessary access to unrelated secrets or system config.
always is false and the skill does not request persistent elevated privileges or attempt to modify other skills or system-wide settings. Model invocation is allowed (default) which is normal for a user-invocable skill.
Guidance
This skill appears to do what it says: detect projects and run Vercel/Railway/Supabase CLIs to deploy. Before using it, verify you trust the project being deployed (build steps can run arbitrary code), confirm the skill asks you before executing deploy commands (it does), and avoid pasting secret tokens into chat. If you follow reference install commands, prefer package manager installs (brew/npm) from official sources and be cautious about running curl | sh. Run deployments first in a staging environment and inspect the repository and any referenced scripts before deploying to production.
Latest Release
v1.0.0
One-command deploys to Vercel, Railway, Supabase. Auto-detects frameworks.
Published by @HugoSbl on ClawHub