W-Spaces Deploy
by Tran Dac Truong · v1.0.0 · MIT-0
247 Downloads · 0 Stars · 0 Active Installs · 1 Version
Install in OpenClaw
/install wspaces-deploy
Description
Deploy static websites to W-Spaces. Use when deploying HTML/CSS/JS sites, landing pages, or single-page apps to wspaces.app. Supports project creation, code...
Usage Guidance
Before installing or running this skill:
1. Inspect the included scripts (wspaces_*.sh) yourself (they are small and readable); confirm curl/jq/python3 usage.
2. Know that the scripts require and will send WSPACES_API_KEY to the API_BASE (default https://api.wspaces.app); do not set WSPACES_API_URL to an untrusted host because the scripts will send your key there.
3. The registry metadata incorrectly lists no required env vars/binaries; treat that as a quality/attention-to-detail issue and verify requirements manually.
4. Prefer creating a limited-scoped API key for CI or short-lived use and avoid putting long-lived secrets directly into persistent dotfiles unless you understand the exposure.
5. Because the package source/homepage is unknown, only proceed if you trust the publisher or after running the scripts in an isolated environment; if you need higher assurance, ask the publisher for a canonical homepage/repository and a signed release.
Capability Analysis
Type: OpenClaw Skill
Name: wspaces-deploy
Version: 1.0.0
The skill provides a set of tools for deploying static websites to wspaces.app, but it contains several security vulnerabilities. Specifically, `wspaces_auth.sh` and `wspaces_project.sh` manually construct JSON payloads using unescaped shell variables, which is a classic JSON injection vulnerability. Furthermore, `wspaces_auth.sh` encourages passing sensitive passwords as command-line arguments, which can expose them in system process lists. While the core logic appears to serve its stated purpose and `wspaces_push.sh` correctly uses Python for JSON escaping, the lack of consistent input sanitization across the bundle poses a risk in an AI agent environment.
Capability Assessment
Purpose & Capability
The scripts and documentation clearly implement W-Spaces project creation, code push, and deployment via an API key, which matches the stated purpose. However the registry metadata claims 'no required env vars' and 'no required binaries' while the scripts require WSPACES_API_KEY and recommend curl, jq, and python3. That mismatch (declared requirements vs. actual requirements) is incoherent and should be corrected before trusting the package metadata.
Instruction Scope
SKILL.md instructs only actions related to W-Spaces (register/login, set API key, create projects, push HTML, deploy). The scripts call only the documented API endpoints and read only the provided HTML file content; they do not attempt to read arbitrary system files or contact unexpected endpoints by default.
Install Mechanism
This is instruction-only from an installer perspective (no install spec), but the package contains executable shell scripts. There is no network download/install step in the skill itself, which lowers risk, but the presence of executable scripts means users will run code from an unknown publisher — review the scripts before executing.
Credentials
The scripts require a sensitive env var (WSPACES_API_KEY) but the metadata does not declare it. Additionally the scripts honor WSPACES_API_URL to override API_BASE; if that env var is set to an attacker-controlled host, the API key will be sent there. Requesting/storing an API key for the service being used is reasonable, but the missing declaration and endpoint-override behavior increase the risk of accidental credential leakage.
Persistence & Privilege
The skill is not always-enabled and does not request special platform privileges. The only persistent action suggested is the user copying their API key into shell startup files (e.g., ~/.bashrc) if they choose — a user action, not an automatic modification by the skill. The skill does not attempt to modify other skills or system-wide settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install wspaces-deploy
- After installation, invoke the skill by name or use /wspaces-deploy
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of wspaces-deploy.
- Deploy static websites, landing pages, and SPAs to W-Spaces (wspaces.app)
- Supports project creation, HTML/CSS/JS code push, and deployment to a live URL
- Authenticate securely using API keys (with management commands included)
- Includes scripts to list, view, and update projects and deployments
- Full documentation and common workflow examples provided in SKILL.md
Frequently Asked Questions
What is W-Spaces Deploy?
Deploy static websites to W-Spaces. Use when deploying HTML/CSS/JS sites, landing pages, or single-page apps to wspaces.app. Supports project creation, code... It is an AI Agent Skill for Claude Code / OpenClaw, with 247 downloads so far.
How do I install W-Spaces Deploy?
Run "/install wspaces-deploy" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is W-Spaces Deploy free?
Yes, W-Spaces Deploy is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does W-Spaces Deploy support?
W-Spaces Deploy is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created W-Spaces Deploy?
It is built and maintained by Tran Dac Truong (@trandactruong); the current version is v1.0.0.