Deployment Kit

提供基于 Docker 和 GitHub Actions 的多阶段构建、CI/CD 流水线和健康检查的生产部署套件。

This skill largely behaves like a local Docker/CICD deployment helper, but there are several red flags to consider before installing or running it: 1) SKILL.md asks you to configure OPENAI_API_KEY (and 'other env vars') even though the included code does not use OpenAI — do not supply any secret keys until the author explains why they're needed. 2) The code runs shell commands (docker build/run, netstat, docker logs). That means running this skill will execute commands on your machine — ensure Docker is installed and run it in an isolated/test environment first. 3) The health-check example in the docs mismatches the script (it does not export runHealthChecks) and some commands include Windows-specific syntax (findstr, 2>nul) while other parts target Linux containers — expect cross-platform inconsistencies. 4) The docker-compose mounts a local ./config directory into the container as read-only — review that directory to ensure it does not contain secrets you'll inadvertently expose to containers. 5) If you plan to use this in production, ask the author to clarify why OpenAI credentials are mentioned, request a corrected SKILL.md that matches code exports, and audit the code (especially any shell exec invocations) before providing credentials or running on sensitive hosts.

Type: OpenClaw Skill Name: yuyonghao-deployment-kit Version: 0.1.0 The skill bundle contains a shell injection vulnerability in 'src/deploy-manager.js' where 'child_process.exec' is used with unvalidated configuration parameters (e.g., 'imageName', 'containerName', 'port'). While these capabilities are aligned with the stated purpose of a deployment kit, the lack of input sanitization allows for arbitrary command execution. Additionally, the code uses Windows-specific shell syntax ('findstr', '2>nul') which may cause unexpected behavior or errors on non-Windows systems.