W-Spaces Deploy
Author: Tran Dac Truong · v1.0.0 · MIT-0
Total downloads: 247 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw
/install wspaces-deploy
Description
Deploy static websites to W-Spaces. Use when deploying HTML/CSS/JS sites, landing pages, or single-page apps to wspaces.app. Supports project creation, code...
Security usage recommendations
Before installing or running this skill:
1) Inspect the included scripts (wspaces_*.sh) yourself; they are small and readable. Confirm curl/jq/python3 usage.
2) Know that the scripts require and will send WSPACES_API_KEY to the API_BASE (default https://api.wspaces.app); do not set WSPACES_API_URL to an untrusted host because the scripts will send your key there.
3) The registry metadata incorrectly lists no required env vars/binaries; treat that as a quality/attention-to-detail issue and verify requirements manually.
4) Prefer creating a limited-scoped API key for CI or short-lived use and avoid putting long-lived secrets directly into persistent dotfiles unless you understand the exposure.
5) Because the package source/homepage is unknown, only proceed if you trust the publisher or after running the scripts in an isolated environment; if you need higher assurance, ask the publisher for a canonical homepage/repository and a signed release.
Functional analysis
Type: OpenClaw Skill
Name: wspaces-deploy
Version: 1.0.0
The skill provides a set of tools for deploying static websites to wspaces.app, but it contains several security vulnerabilities. Specifically, `wspaces_auth.sh` and `wspaces_project.sh` manually construct JSON payloads using unescaped shell variables, which is a classic JSON injection vulnerability. Furthermore, `wspaces_auth.sh` encourages passing sensitive passwords as command-line arguments, which can expose them in system process lists. While the core logic appears to serve its stated purpose and `wspaces_push.sh` correctly uses Python for JSON escaping, the lack of consistent input sanitization across the bundle poses a risk in an AI agent environment.
Capability assessment
Purpose & Capability
The scripts and documentation clearly implement W-Spaces project creation, code push, and deployment via an API key, which matches the stated purpose. However the registry metadata claims 'no required env vars' and 'no required binaries' while the scripts require WSPACES_API_KEY and recommend curl, jq, and python3. That mismatch (declared requirements vs. actual requirements) is incoherent and should be corrected before trusting the package metadata.
Instruction Scope
SKILL.md instructs only actions related to W-Spaces (register/login, set API key, create projects, push HTML, deploy). The scripts call only the documented API endpoints and read only the provided HTML file content; they do not attempt to read arbitrary system files or contact unexpected endpoints by default.
Install Mechanism
This is instruction-only from an installer perspective (no install spec), but the package contains executable shell scripts. There is no network download/install step in the skill itself, which lowers risk, but the presence of executable scripts means users will run code from an unknown publisher — review the scripts before executing.
Credentials
The scripts require a sensitive env var (WSPACES_API_KEY) but the metadata does not declare it. Additionally the scripts honor WSPACES_API_URL to override API_BASE; if that env var is set to an attacker-controlled host, the API key will be sent there. Requesting/storing an API key for the service being used is reasonable, but the missing declaration and endpoint-override behavior increase the risk of accidental credential leakage.
Persistence & Privilege
The skill is not always-enabled and does not request special platform privileges. The only persistent action suggested is the user copying their API key into shell startup files (e.g., ~/.bashrc) if they choose — a user action, not an automatic modification by the skill. The skill does not attempt to modify other skills or system-wide settings.
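How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install wspaces-deploy
- After installation, call the Skill by name or use /wspaces-deploy to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output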
Version history
v1.0.0
Initial release of wspaces-deploy.
- Deploy static websites, landing pages, and SPAs to W-Spaces (wspaces.app)
- Supports project creation, HTML/CSS/JS code push, and deployment to a live URL
- Authenticate securely using API keys (with management commands included)
- Includes scripts to list, view, and update projects and deployments
- Full documentation and common workflow examples provided in SKILL.md
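FAQ
What is W-Spaces Deploy?
Deploy static websites to W-Spaces. Use when deploying HTML/CSS/JS sites, landing pages, or single-page apps to wspaces.app. Supports project creation, code... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 247 downloads to date.
How do I install W-Spaces Deploy?
Run the command "/install wspaces-deploy" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is W-Spaces Deploy free?
Yes. W-Spaces Deploy is completely free and is released under the MIT-0 license; it can be freely downloaded, installed, and used.
Which platforms does W-Spaces Deploy support?
W-Spaces Deploy is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed W-Spaces Deploy?
It is developed and maintained by Tran Dac Truong (@trandactruong); the current version is v1.0.0.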