      h4gen

      Safety Report

      Web Hosting

      @h4gen

      Deploy local web projects to live URLs by automating GitHub repo creation, Vercel/Netlify deployment, and optional custom domain setup with SSL and CI/CD.

      337 Downloads
      0 Installs
      0 Stars
      1 Versions
      DevOps & Infrastructure (2,137), Networking & DNS (2,106), Git & Version Control (1,782)

      Security Analysis

      medium confidence
      Suspicious, 0.12 risk

      The skill's stated purpose (publish local sites via GitHub → Vercel/Netlify) is plausible, but it makes MATON_API_KEY (a third‑party control-plane credential) mandatory and orchestrates installs via npx, which is disproportionate and raises risk around where repository contents and credentials are sent.

      Feb 14, 2026 | 2 files | 5 concerns
      Purpose & Capability: note

      Name/description match the actions described (create repo, push, trigger Vercel/Netlify, wire domains). Required binaries (git/node/npm/npx) make sense. However, the skill mandates MATON_API_KEY for the github-api and api-gateway paths — this delegates GitHub/API operations to a Maton control plane instead of using a direct GitHub token, which is unexpected and should be justified.

      Instruction Scope: concern

      SKILL.md tells the agent to audit the project, initialize git, create a remote via github-api, push, run vercel/netlify CLIs, and optionally manage domains. Those steps are within purpose, but the github-api and api-gateway routes are mediated by Maton (MATON_API_KEY), which implies that actions, and possibly repository metadata/content, will be routed to an external control plane. The doc also references a specific local path (~/Projects/manager) for domain-dns-ops, which could cause the agent to look in user home directories. The instructions to install other skills via npx imply network installs at runtime.

      Install Mechanism: note

      The skill is instruction-only (no files to execute), which reduces on-disk risk. But it instructs using 'npx -y clawhub@latest install ...' to fetch/install other skills — that will download and run code from the npm registry at runtime. This is a common pattern but still a non-trivial dynamic install operation that fetches third-party code and should be reviewed before execution.

      Credentials: concern

      Only MATON_API_KEY is declared as required, but the skill also expects VERCEL_TOKEN/NETLIFY_AUTH_TOKEN or CLI logins. Requiring MATON_API_KEY as mandatory for GitHub operations is disproportionate: a GitHub personal access token would be the usual, minimal credential. MATON_API_KEY grants access to a separate control plane (Maton) and could allow that external service to act on behalf of the user across multiple providers; the need for it is not justified in the doc beyond 'github-api requires it.'

      Persistence & Privilege: note

      The skill does not force installation into every agent run (always: false) and is user-invocable. Model invocation is enabled (disable-model-invocation: false), so the agent could autonomously run the orchestration when invoked — combined with a broad external credential (MATON_API_KEY) and runtime installs, this increases the blast radius if the key is overprivileged. The skill does not declare modifying other skills' configs.

      Guidance

      Before installing or invoking this skill, ask the publisher to explain exactly how MATON_API_KEY is used: does your repository source or secrets get proxied through Maton's servers, or are actions performed locally? Prefer using direct provider credentials (GitHub PAT, Vercel/Netlify tokens) if possible. Inspect the clawhub/npm package (clawhub@latest) that will be fetched by npx and the referenced upstream skills (github-api, vercel, netlify, api-gateway) so you understand where code and data are sent. If you must test, use a throwaway repository and minimal-privilege/dummy tokens first. Avoid granting broad MATON_API_KEY scopes until you confirm the control plane's behavior and data retention policies. Finally, be cautious about the agent reading home paths like ~/Projects/manager — restrict its working directory to only the project you intend to publish.

      Latest Release

      v1.0.0

      Initial release as an orchestration meta-skill for one-command web hosting:
      - Enables local project deployment to live, production URLs with SSL and CI/CD via Vercel or Netlify, orchestrated through above skills.
      - Automates repository creation, code push, host linking, deployment trigger, and live URL verification.
      - Supports optional custom domain DNS setup via domain-dns-ops or api-gateway if available.
      - Provides unified workflow and output contract for framework detection, infra gating, deploy status, and next steps.
      - Enforces explicit credential/auth checks, missing-stage reporting, and robust failure handling at all critical steps.

      More by @h4gen

      Deep Researcher

      4 stars

      Prediction Market Arbitrage

      2 stars

      FinTS Banking

      2 stars

      Global Skills Search

      1 stars

      Product Research

      0 stars

      Bookkeeper

      0 stars

      Published by @h4gen on ClawHub
