Deploy any project to xCloud hosting — auto-detects stack (WordPress, Laravel, PHP, Node.js, Next.js, NestJS, Python, Go, Rust), routes to native or Docker d...
Security Analysis
high confidenceThis is an instruction-only deployment helper that is internally consistent with its stated purpose: it reads a repo, adapts docker-compose, and generates GitHub Actions and .env.example for xCloud — it does not ask for unrelated credentials or install code on the agent.
The skill's name/description (xCloud Docker deployment, stack detection, Dockerfile/compose/GHA generation) matches the files present and the runtime instructions. There are no unrelated required binaries, config paths, or credentials requested. Templates and references (Dockerfiles, compose templates, GitHub Actions workflow) are directly relevant to the stated goal.
SKILL.md instructs the agent to scan the project directory, detect stack signals, and produce modified docker-compose.yml, GitHub Actions workflows, and .env.example — all within the deployment scope. The agent is expected to read repository files (DETECT.md, compose, Dockerfile, package/composer/requirements files) which is appropriate for this task. The only network-related actions are in generated CI templates (e.g., docker login, optional curl to xCloud webhook) which run in GitHub Actions or on xCloud, not by the skill itself.
No install spec or executable code is provided; this is instruction-only. There are no download/install steps that would fetch arbitrary code or write binaries to disk. That minimizes installation risk.
The skill itself declares no required environment variables or primary credential — appropriate for an instruction-only skill. Generated artifacts reference standard CI secrets (GITHUB_TOKEN, optional XCLOUD_DEPLOY_WEBHOOK) and expect repo secrets to be added by the user; this is reasonable for the workflow but users should be aware the generated workflows will use GitHub secrets and may ask them to make GHCR packages public or add the xCloud webhook secret.
The skill does not request permanent inclusion (always:false) and does not modify other skills or system-wide agent settings. It merely provides instructions and templates to be applied by the agent or user.
Guidance
This skill appears coherent and focused on adapting docker-compose and producing GitHub Actions for xCloud. Before you use it: 1) Review any generated GitHub Actions workflow before committing — it will push images to GHCR and optionally call an xCloud webhook; ensure the webhook URL and any secrets are trustworthy. 2) Do not commit real secrets (.env) to the repo; the skill correctly advises generating .env.example and storing secrets in GitHub secrets or xCloud UI. 3) If you make GHCR packages public (required by xCloud), confirm you are comfortable with public images. 4) Verify the optional curl trigger to XCLOUD_DEPLOY_WEBHOOK is only present when you add that secret. 5) Because the agent will read your repository files to detect stack and extract env var names, ensure you are comfortable granting the agent access to the repo contents and review outputs before pushing the changes. Overall the files and instructions are consistent with the described deployment workflow.
Latest Release
v1.2.1
v1.2.1: Sync — updated CHANGELOG, README badge, skill.json + skillsmp.yml all pinned to 1.2.0; all PRs merged and closed.
More by @Asif2BD
Published by @Asif2BD on ClawHub
