
      Safety Report

      Deploy HTML content to EdgeOne Pages

      @mcp

      Deploy HTML content to EdgeOne Pages, return the public URL.

      140 Downloads
      0 Installs
      1 Stars
      1 Versions
      DevOps & Infrastructure 2,137

      Security Analysis

      medium confidence
      Suspicious · 0.04 risk

      The skill's purpose (publish HTML to a remote Pages service) is plausible, but the runtime instructions rely on dynamically executing an npm package (npx -y mcporter) and the examples show reading local files to send to an external endpoint, behaviors that increase risk and are not explicitly constrained in the instructions.

      Mar 24, 2026 · 1 files · 3 concerns

      Purpose & Capability: note

      The stated purpose (deploy HTML and return a public URL) matches the instructions to call a remote deploy endpoint. Requiring a CLI (mcporter) is reasonable for this functionality. The claim 'No login required, no API key required' is consistent with anonymous deployment but should be verified against the service's policy.

      Instruction Scope: concern

      The examples instruct running 'npx -y mcporter call ... value="$(cat index.html)"' which reads a local file and sends its contents to an external service. The SKILL.md does not limit which local files may be read nor require explicit user confirmation before reading/sending files. That creates a risk of unintended local data exfiltration if the agent reads files beyond what the user expects.

      Install Mechanism: concern

      The install metadata and examples rely on an npm package (mcporter). The instructions use 'npx -y' which automatically downloads and executes code from the npm registry at runtime, a higher-risk install mechanism because it runs remote code without manual review. The skill does not reference a known, verifiable upstream repository/release for that package in the instructions.

      Credentials: ok

      No environment variables, credentials, or config paths are requested. This is proportionate to the described anonymous deployment use case.

      Persistence & Privilege: ok

      The skill is not 'always' enabled and does not request elevated persistence. It can be invoked normally by the agent; autonomous invocation is allowed by default (not flagged on its own).

      Guidance

      This skill does what it claims (upload HTML and return a URL) but has two practical risks you should consider before installing: (1) It runs mcporter from npm (the examples use 'npx -y'), which downloads and executes remote code automatically; verify the mcporter package and its maintainer before use. (2) The instructions show reading local files (cat index.html) and sending them to an external host (mcp-on-edge.edgeone.app). Ensure the agent only uploads content you intend to publish and avoid allowing it to read sensitive files. If you need to use this, prefer reviewing the mcporter package source (or install a vetted binary), require explicit confirmation before any local-file reads, and avoid uploading private data. If you want stronger assurance, test in an isolated/sandboxed environment first.

      Latest Release

      v1.0.0

      Deploy HTML content to EdgeOne Pages, return the public URL. No login required, no API key required.

      Published by @mcp on ClawHub
