Total downloads: 388
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install tonic-system-deploy
Description
Software deployment workflow for systems with separate UAT and PROD environments. Use when: planning a bug fix deployment, choosing between Flow 1 (UAT-first...
Security usage recommendations
This appears to be a deployment playbook rather than executable automation, but it mentions sending Telegram notifications and performing deploy/merge operations without listing any required credentials, endpoints, or tools. Before installing or enabling this skill for autonomous use: 1) Confirm whether it is intended as a human-facing checklist only — if so, treat it as documentation and keep autonomous invocation disabled. 2) If you plan to let the agent perform deploys or send Telegram messages, require explicit, minimal credentials (scoped CI/CD service token, Telegram bot token + chat id, deploy keys) and restrict them to least privilege. 3) Ask the publisher for concrete integration details (what CI/CD, how deploys are executed, where 'records' are stored, rollback commands). 4) Avoid pasting high-privilege secrets into the agent without reviewing and limiting their scope; prefer manual gates for PROD actions. If you cannot obtain those clarifications, do not grant this skill network or credential access and use it only as a manual runbook.
Functional analysis
Type: OpenClaw Skill
Name: tonic-system-deploy
Version: 1.0.0
The skill bundle describes a complex software deployment workflow, which inherently requires powerful system interactions. Specifically, the `SKILL.md` file includes explicit shell commands for rollback procedures (`docker compose down && git checkout <prev_tag> && docker compose up`). While these commands are plausible for the stated purpose, they represent a significant shell injection vulnerability if the `<prev_tag>` input is not properly sanitized, potentially leading to Remote Code Execution (RCE). Additionally, the skill instructs the AI agent to perform 'AI analysis' and 'AI assist' in fixing bugs, implying powerful code generation/modification capabilities which, without strict sandboxing, could be risky. There is no evidence of intentional malicious behavior like data exfiltration or backdoor installation, but the presence of high-risk, potentially vulnerable commands makes it suspicious.
Capability assessment
Purpose & Capability
The name and description claim a deployment workflow for UAT/PROD with automation and Telegram notifications. However, the skill declares no required binaries, no environment variables, and no install steps. For a workflow that claims to perform automated deploys and send Telegram messages, we'd expect declared integration credentials (e.g., CI/CD API tokens, SSH keys, Telegram bot token/chat id) and/or required tooling. The absence of those required artifacts is an incoherence: either the skill is only a human-facing playbook (OK) or it intends to execute actions but fails to declare necessary capabilities/credentials.
Instruction Scope
SKILL.md instructs an agent to 'AI analyses root cause + records fix plan', 'Deploys fix to UAT/PROD', and 'Telegram: "Fix deployed to UAT"' — i.e., networked actions and side effects. The instructions are vague about how/where to run deploys, where plans are recorded, and which Telegram endpoints to use. They grant broad discretion to an agent (e.g., 'AI analyses root cause') without bounded constraints, and they reference sending data externally but provide no destination or authorization details.
Install Mechanism
There is no install spec and no code files; the skill is instruction-only. This is the lowest install risk because nothing is written to disk by the skill itself.
Credentials
The instructions imply need for secrets (CI/CD credentials, deploy keys, Telegram bot token, possibly cloud provider credentials) but the skill declares none. That mismatch is disproportionate: the documented behavior would normally require multiple secrets and scoped access, yet none are requested or documented.
Persistence & Privilege
The skill does not request 'always: true' and has no install-time persistence. Model invocation is allowed (platform default) but there is no evidence the skill modifies other skills or system-wide settings. This dimension is not a concern by itself.
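How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install tonic-system-deploy
- After installation, invoke the Skill by name or trigger it with /tonic-system-deploy
- Provide the required input according to the Skill's parameter description to get structured output
Version history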
v1.0.0
Initial release
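Metadata
FAQ
What is Tonic System Deploy?
Software deployment workflow for systems with separate UAT and PROD environments. Use when: planning a bug fix deployment, choosing between Flow 1 (UAT-first... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 388 cumulative downloads to date.
How do I install Tonic System Deploy?
Run the command "/install tonic-system-deploy" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is Tonic System Deploy free?
Yes, Tonic System Deploy is completely free (open source and free) and can be freely downloaded, installed, and used.
Which platforms does Tonic System Deploy support?
Tonic System Deploy is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Tonic System Deploy?
Developed and maintained by tonylnng (@tonylnng); the current version is v1.0.0.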