
Prod Deploy

Author: liupeidawn · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 86
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install prod-deploy
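Description
Production release and deployment automation skill. Used for the one-click release workflow of the SM dating website (zmq-club.com), including: database backup, schema comparison, frontend build, code deployment, migration execution, service restart, and production verification. Use when 沛哥 asks for a production release, a code deployment, the launch of a new feature, or execution of the release SOP.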
Security usage recommendations
Do not run or install this skill in a production environment as-is. Specific actions to take before considering use:
- Treat the exposed IP/username/password in SKILL.md and scripts as compromised: rotate the SSH password/keys on the server immediately if these files were shared or uploaded.
- Do not supply production credentials directly in skill files; replace hardcoded credentials with secrets managed by a vault or environment variables and document required env vars in the skill manifest.
- Verify and fix the deploy.py file: it appears truncated/malformed (the __main__ block is incomplete) and paramiko is used but not declared as a dependency.
- Review the code line-by-line to ensure it does only the intended deployment actions (no hidden network calls or exfiltration). Run in a staging environment first.
- Prefer SSH key auth, least-privilege accounts (not root), and an audited CI/CD pipeline instead of running one-click scripts from an agent with embedded credentials.
- If you cannot verify the origin of this skill (source/homepage unknown), avoid granting it access to production credentials or allowing autonomous invocation until a trusted audit is completed.
Functional analysis
Type: OpenClaw Skill Name: prod-deploy Version: 1.0.1 The skill bundle contains hardcoded root SSH credentials (root:7758258Liu) for a production server (157.245.56.178) within SKILL.md and scripts/deploy.py. Although the scripts perform standard deployment tasks like database backups and service restarts for the site zmq-club.com, the inclusion of plaintext administrative credentials for a specific external IP address is a critical security vulnerability and highly irregular for a portable skill.
Capability assessment
Purpose & Capability
The declared purpose (one-click production deploy) matches the actions (SSH, backup, copy files, run migrations). However the skill embeds production root credentials (IP, username, plaintext password) directly in SKILL.md and in scripts/deploy.py instead of using declared/managed secrets. It also imports paramiko but the package/dependency is not declared. Embedding a production root password in files is disproportionate and poor practice even if deployment legitimately needs access.
Instruction Scope
Runtime instructions and scripts instruct the agent to connect as root to a specific IP, run pg_dump, upload site files, run migrations, and restart services — all expected for deployment. But the docs/scripts include explicit credentials and reference many local paths under /home/administrator/.openclaw/workspace-main (reading/writing backups and memory files). The SKILL.md and scripts contain the credentials in plaintext and direct writes to workspace memory; this broad access and exposure of secrets is a scope risk. Also the deploy.py shown is truncated at the end and likely syntactically broken, so the claimed 'one-click' capability may be non-functional.
Install Mechanism
There is no install spec. The included script imports paramiko (and expects npm/pm2/tools) but the skill declares no required binaries or dependencies. That mismatch (code needing libraries that are not declared or installed) is incoherent and will cause runtime failures or require the agent to install additional packages without explicit instructions.
Credentials
The skill declares no required environment variables or primary credential, yet both SKILL.md and scripts embed a production SSH password and other sensitive server details. This is disproportionate: either the skill should declare and require a secret (and not store it in repo files), or it shouldn't contain production credentials at all. The presence of a plaintext root password in multiple files is a serious secret-exposure issue.
Persistence & Privilege
always:false (OK). The skill writes release notes to workspace/memory and performs operations on the host it has credentials for; that behavior is expected for a deployer. However, because the skill contains embedded production credentials and the platform allows autonomous invocation by default, the blast radius is higher — an agent or skill bug could use those credentials unexpectedly. The script does not attempt to modify other skills or global agent config.
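How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install prod-deploy
  3. Once installation completes, invoke the Skill by name or trigger it with /prod-deploy
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history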
v1.0.1
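- Updated the one-click release command to run the main script via the skills/prod-deploy/scripts/deploy.py path
- Minor adjustments to references/QUICK-REFERENCE.md and RELEASE-SOP.md to match the script path change
- deploy.py script path kept consistent with the documentation; directory layout normalized
- All other workflow and content unchanged; no change to the user experience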
v1.0.0
Initial release of the prod-deploy skill for automated production deployment.
- One-click automated deployment for zmq-club.com, covering database backup, schema diff, frontend build, code deployment, migrations, service restart, and production verification.
- Guides detailed pre-deployment checks and includes full & stepwise procedure for deployments and rollbacks.
- Contains exact server, path, and script usage instructions.
- Highlights important notices and common troubleshooting Q&A.
- References supporting documentation and emphasizes backup and release recording best practices.
Metadata
Slug prod-deploy
Version 1.0.1
License MIT-0
Total installs 0
Current installs 0
Historical versions 2
FAQ

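What is Prod Deploy?

Production release and deployment automation skill. Used for the one-click release workflow of the SM dating website (zmq-club.com), including: database backup, schema comparison, frontend build, code deployment, migration execution, service restart, and production verification. Use when 沛哥 asks for a production release, a code deployment, the launch of a new feature, or execution of the release SOP. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 86 total downloads so far.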

How do I install Prod Deploy?

Run the command "/install prod-deploy" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.

Is Prod Deploy free?

Yes, Prod Deploy is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does Prod Deploy support?

Prod Deploy runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Prod Deploy?

It is developed and maintained by liupeidawn (@liupeidawn); the current version is v1.0.1.
