← 返回 Skills 市场
63
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install ossify-deploy
功能描述
一键部署静态网站到阿里云 OSS。当用户说「部署」「发布」「上线」「deploy」「重新配置」「更新凭证」「更换 AccessKey」时触发。
安全使用建议
This skill appears to implement a legitimate OSS deploy workflow, but take precautions before installing/using it:
- Be aware the skill will ask you to paste your Alibaba AccessKey ID and Secret directly into the conversation. Conversation logs may persist — avoid pasting production/root keys into chat. Prefer creating a temporary RAM user with limited, least-privilege policies and use that key.
- The skill will write credentials to ~/.ossify/auth.json in plaintext. If you use it, review that file, consider encrypting or deleting it after use, and verify file permissions.
- The SKILL.md assumes node/npm, Bash, and a browser-devtools MCP tool are available, but the manifest does not declare these requirements — ensure these tools exist and understand the commands the skill will run (it may install global npm packages). If you prefer more control, use the manual mode and perform account/key creation yourself rather than enabling the automatic browser automation.
- Review the requested RAM policies (AliyunOSSFullAccess, AliyunDNSFullAccess, AliyunCDNFullAccess). Grant only the permissions you actually need; for simple uploads OSS-only may be enough.
- If you need higher assurance: run the skill in a disposable environment, use temporary keys, or manually follow the guide/index.html steps and avoid pasting credentials into chat.
Given the secret-handling and undeclared runtime-tool assumptions, this skill is coherent with its purpose but presents practical privacy/operational risks — proceed cautiously.
功能分析
Type: OpenClaw Skill
Name: ossify-deploy
Version: 1.0.4
The skill automates static site deployment to Alibaba Cloud OSS but employs high-risk credential handling and automation patterns. In SKILL.md, it instructs the agent to use Chrome DevTools MCP to automate the creation of RAM users and grant broad administrative permissions (AliyunOSSFullAccess, AliyunDNSFullAccess, AliyunCDNFullAccess). It also explicitly directs the user to paste sensitive AccessKey Secrets into the chat interface and uses 'node -e' shell execution to write these credentials to a local file (~/.ossify/auth.json). While these actions are aligned with the stated purpose of a 'one-click' deployment tool, the automation of IAM policies and the handling of secrets in plain text within the agent's prompt history represent significant security risks.
能力标签
能力评估
Purpose & Capability
The skill's stated purpose (deploy static site to Alibaba OSS) matches the actions described (create RAM user, collect AccessKey, validate with ali-oss, run auto-static-web). However the metadata declares no required binaries or credentials while SKILL.md repeatedly assumes presence of node, npm, chmod/icacls, and a Bash execution tool and also uses MCP chrome-devtools tools. The omission of these runtime requirements in the manifest is an inconsistency (missing declared dependencies/tools).
Instruction Scope
The instructions ask the agent to: run arbitrary Bash/Node commands, open/control a browser via MCP (list_pages, new_page, fill, click, take_screenshot), and ask the user to paste AccessKey ID and Secret directly into the chat (explicitly '不要用 AskUserQuestion' — so the secret appears in conversation). It also instructs writing credentials to ~/.ossify/auth.json. Collecting and storing raw credentials in chat and a local file is outside of a minimal, privacy-preserving scope and increases exposure/risk.
Install Mechanism
This is an instruction-only skill with no install spec or code to download, which is lowest-risk from installation perspective. The SKILL.md does instruct installing global npm packages (ali-oss, auto-static-web) at runtime, but that's part of the runtime flow rather than an install manifest — the lack of an install spec is consistent with an instruction-only skill.
Credentials
The only secrets this skill needs (AccessKey ID and Secret) are appropriate for deploying to Alibaba Cloud. However, the SKILL.md instructs the user to paste secrets into the chat (where transcripts may be logged) and to store them unencrypted in a local file (~/.ossify/auth.json). The skill does not declare required env vars but still sets ephemeral env vars for validation; the biggest proportionality concern is the handling/transit/storage of secrets rather than the types of credentials requested.
Persistence & Privilege
The skill writes a persistent credentials file under the user's home directory and sets restrictive file permissions (chmod 600 / icacls). always is false and the skill doesn't request system-wide or other-skills' config changes. Persisting credentials locally is a reasonable design choice for convenience, but it is a privilege with lasting impact and the skill's manifest did not call this out explicitly.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install ossify-deploy - 安装完成后,直接呼叫该 Skill 的名称或使用
/ossify-deploy触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.4
- 完善了阿里云 OSS 静态站点自动化部署 Skill 引导流程,详细分为自动引导和手动引导两种模式,支持凭证一键配置验证。
- 明确所有凭证读取、文件操作、浏览器自动化全部通过 Bash 工具链完成,不含可执行代码。
- 新增自动化流程:在检测到 Chrome DevTools 可用时,可自动填表、截图、辅助创建 RAM 用户并收集 AccessKey。
- 明确凭证格式、保存路径与权限管理,并提供跨平台 Bash 示例供用户手动引导时操作。
- 优化部署流程,每一项参数(Bucket、域名、备案、HTTPS)均需用户逐步确认,不会跳步。
- 部署成功后自动更新凭证文件的 lastDeploy 字段,便于下次快捷部署。
- 增加隐私与安全说明,明确所有敏感信息仅本地保存。
元数据
常见问题
Skill 是什么?
一键部署静态网站到阿里云 OSS。当用户说「部署」「发布」「上线」「deploy」「重新配置」「更新凭证」「更换 AccessKey」时触发。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 63 次。
如何安装 Skill?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install ossify-deploy」即可一键安装,无需额外配置。
Skill 是免费的吗?
是的,Skill 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Skill 支持哪些平台?
Skill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Skill?
由 liangjf(@liangjfblue)开发并维护,当前版本 v1.0.4。
推荐 Skills