← Back to Skills Marketplace
388
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install tonic-system-deploy
Description
Software deployment workflow for systems with separate UAT and PROD environments. Use when: planning a bug fix deployment, choosing between Flow 1 (UAT-first...
Usage Guidance
This appears to be a deployment playbook rather than executable automation, but it mentions sending Telegram notifications and performing deploy/merge operations without listing any required credentials, endpoints, or tools. Before installing or enabling this skill for autonomous use: 1) Confirm whether it is intended as a human-facing checklist only — if so, treat it as documentation and keep autonomous invocation disabled. 2) If you plan to let the agent perform deploys or send Telegram messages, require explicit, minimal credentials (scoped CI/CD service token, Telegram bot token + chat id, deploy keys) and restrict them to least privilege. 3) Ask the publisher for concrete integration details (what CI/CD, how deploys are executed, where 'records' are stored, rollback commands). 4) Avoid pasting high-privilege secrets into the agent without reviewing and limiting their scope; prefer manual gates for PROD actions. If you cannot obtain those clarifications, do not grant this skill network or credential access and use it only as a manual runbook.
Capability Analysis
Type: OpenClaw Skill
Name: tonic-system-deploy
Version: 1.0.0
The skill bundle describes a complex software deployment workflow, which inherently requires powerful system interactions. Specifically, the `SKILL.md` file includes explicit shell commands for rollback procedures (`docker compose down && git checkout <prev_tag> && docker compose up`). While these commands are plausible for the stated purpose, they represent a significant shell injection vulnerability if the `<prev_tag>` input is not properly sanitized, potentially leading to Remote Code Execution (RCE). Additionally, the skill instructs the AI agent to perform 'AI analysis' and 'AI assist' in fixing bugs, implying powerful code generation/modification capabilities which, without strict sandboxing, could be risky. There is no evidence of intentional malicious behavior like data exfiltration or backdoor installation, but the presence of high-risk, potentially vulnerable commands makes it suspicious.
Capability Assessment
Purpose & Capability
The name and description claim a deployment workflow for UAT/PROD with automation and Telegram notifications. However, the skill declares no required binaries, no environment variables, and no install steps. For a workflow that claims to perform automated deploys and send Telegram messages, we'd expect declared integration credentials (e.g., CI/CD API tokens, SSH keys, Telegram bot token/chat id) and/or required tooling. The absence of those required artifacts is an incoherence: either the skill is only a human-facing playbook (OK) or it intends to execute actions but fails to declare necessary capabilities/credentials.
Instruction Scope
SKILL.md instructs an agent to 'AI analyses root cause + records fix plan', 'Deploys fix to UAT/PROD', and 'Telegram: "Fix deployed to UAT"' — i.e., networked actions and side effects. The instructions are vague about how/where to run deploys, where plans are recorded, and which Telegram endpoints to use. They grant broad discretion to an agent (e.g., 'AI analyses root cause') without bounded constraints, and they reference sending data externally but provide no destination or authorization details.
Install Mechanism
There is no install spec and no code files; the skill is instruction-only. This is the lowest install risk because nothing is written to disk by the skill itself.
Credentials
The instructions imply need for secrets (CI/CD credentials, deploy keys, Telegram bot token, possibly cloud provider credentials) but the skill declares none. That mismatch is disproportionate: the documented behavior would normally require multiple secrets and scoped access, yet none are requested or documented.
Persistence & Privilege
The skill does not request 'always: true' and has no install-time persistence. Model invocation is allowed (platform default) but there is no evidence the skill modifies other skills or system-wide settings. This dimension is not a concern by itself.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install tonic-system-deploy - After installation, invoke the skill by name or use
/tonic-system-deploy - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Frequently Asked Questions
What is Tonic System Deploy?
Software deployment workflow for systems with separate UAT and PROD environments. Use when: planning a bug fix deployment, choosing between Flow 1 (UAT-first... It is an AI Agent Skill for Claude Code / OpenClaw, with 388 downloads so far.
How do I install Tonic System Deploy?
Run "/install tonic-system-deploy" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Tonic System Deploy free?
Yes, Tonic System Deploy is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Tonic System Deploy support?
Tonic System Deploy is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Tonic System Deploy?
It is built and maintained by tonylnng (@tonylnng); the current version is v1.0.0.
More Skills