Deploy and operate apps on Render (Blueprint + one-click Dashboard deeplink, same flow as Codex render-deploy). Use when the user wants to deploy, host, or publish an app; create or edit render.yaml; add web, static, workers, cron, Postgres, or Key Value; get the Blueprint deeplink to deploy; trigger or verify deploys via API when RENDER_API_KEY is set; connect Render MCP via mcporter for direct service creation; or configure env vars, health checks, scaling, previews, and projects.
Security Analysis
high confidenceThe skill's files and runtime instructions are consistent with its stated purpose (deploying to Render); it is instruction-only and does not request unrelated credentials or install code, but it will read repository files and will use a Render API key if present — so treat any exposed secrets and API keys with care.
Name/description (deploy to Render) match the included assets, example Blueprints, and references. The skill explains Blueprint, API, and MCP flows and only refers to Render-related resources (render.yaml, render API, mcporter/mcp). Nothing required or referenced is unrelated to deploying on Render.
The SKILL.md directs the agent to inspect the user's codebase (package.json, Dockerfile, lockfiles, runtime files) and to read environment state (checks for RENDER_API_KEY) and to call Render APIs (curl). These actions are reasonable for preparing and verifying deployments, but they imply reading arbitrary repo files and extracting env var names (which might include accidentally committed secrets). The skill does warn not to commit secrets and to mark secrets sync:false.
Instruction-only skill (no install spec, no code downloaded). This minimizes disk-write/remote-install risk.
The skill does not declare required env vars or primary credentials, but it uses RENDER_API_KEY if present to call the Render REST API or mcporter. That is proportionate to its purpose; no unrelated secrets or cloud credentials are requested.
always:false and the skill is user-invocable. It does not request persistent system changes or modify other skills. Autonomous invocation is allowed by platform default but not combined with other high-risk flags.
Guidance
This skill is coherent for deploying to Render and is instruction-only (no code to run from remote). Before using it: do not set a long-lived, high-privilege RENDER_API_KEY in shared or CI environments — create a limited API key and rotate it if possible; avoid committing any secrets to the repository (the skill explicitly recommends sync:false for secrets); be aware the agent will read repository files to infer build/start commands and env var usage (so remove or redact any accidentally committed secrets); if you enable mcporter, ensure mcporter is installed and configured securely. If you want to limit exposure further, prefer the Blueprint + deeplink flow (manual click) instead of giving an API key to let the agent trigger actions programmatically.
Latest Release
v3.0.0
- Added new references for direct Render API deployments and MCP integration: `references/rest-api-deployment.md` and `references/mcp-integration.md`. - Documented support for triggering deployments directly via REST API or Render MCP when `RENDER_API_KEY` is set. - Provided guidance on selecting between API-based, MCP, or traditional Dashboard (deeplink) deploy flows based on user credentials. - Updated references section to include new deployment integration docs.
Popular Skills
Published by @ojusave on ClawHub
