安全扫描
OpenClaw
安全
high confidenceThe skill's requirements, instructions, and install steps are consistent with a Render deployment helper and do not request unrelated secrets or obscure endpoints.
评估建议
This skill appears coherent and focused on Render deployments. Before installing: 1) Be prepared to provide a Render API key—prefer a least-privilege key or a scoped service token rather than a full personal token. 2) Expect the skill to ask for consent before creating ~/render-deploy/; review contents if created (it may store deployment notes and env var names). 3) Confirm you’re comfortable with the Render endpoints listed (dashboard.render.com, mcp.render.com, api.render.com). 4) If you run o...详细分析 ▾
✓ 用途与能力
Name/description (Render deployment, render.yaml, MCP provisioning) match the declared binaries (git, Render CLI), primary credential (RENDER_API_KEY), and required config path (~/render-deploy/). All requested items are reasonable for performing Render deployments.
✓ 指令范围
SKILL.md confines actions to repository inspection, Render CLI/MCP/API calls, and local memory under ~/render-deploy/. It explicitly forbids scanning unrelated credentials or calling undeclared endpoints. The flows (blueprint, direct creation, validation, verification) are deployment-focused and do not ask for unrelated system access.
ℹ 安装机制
Install is a single Homebrew formula for the Render CLI (reasonable). Minor portability note: the install spec only lists brew; while brew works on macOS and many Linux systems, Windows users may need an alternative installer—this is an operational mismatch, not a security issue.
✓ 凭证需求
Only RENDER_API_KEY is required as the primary credential and env-var access is limited to deployment-relevant variables. The skill documents that secret values are stored only with explicit consent; no unrelated tokens or system credentials are requested.
ℹ 持久化与权限
The skill stores optional local memory under ~/render-deploy/ but requires user consent before creating files; always:false and normal autonomous invocation are used. This is appropriate, but users should review what they consent to store (deployment notes, env variable names).
安全有层次,运行前请审查代码。
运行时依赖
🖥️ OSLinux · macOS · Windows
版本
latestv1.0.02026/2/28
● 无害
安装命令 点击复制
官方npx clawhub@latest install render-deploy
镜像加速npx clawhub@latest install render-deploy --registry https://cn.clawhub-mirror.com
技能文档
Setup
On first use, read setup.md for integration guidelines.
If local memory is needed, ask for consent before creating ~/render-deploy/.
When to Use
Use this skill when the user wants to deploy, publish, or host an application on Render and needs reliable deployment execution instead of generic advice. Activate for render.yaml Blueprint generation, MCP direct service creation, runtime configuration checks, and post-deploy triage.
Architecture
Memory lives in ~/render-deploy/. See memory-template.md for setup.
~/render-deploy/
|- memory.md # Stable preferences and integration choices
|- deployment-notes.md # Project-level deployment decisions
|- env-inventory.md # Required env vars and source of truth
- incident-log.md # Deploy failures and resolved fixes
Quick Reference
Load only the minimum file needed for the current request.
| Topic | File |
|---|---|
| Setup process | setup.md |
| Memory template | memory-template.md |
| Codebase detection and commands | codebase-analysis.md |
| Blueprint workflow and render.yaml rules | blueprint-workflow.md |
| Authentication and MCP execution mapping | direct-creation.md |
| Startup and healthcheck troubleshooting | troubleshooting.md |
Authentication Model
Before any provisioning command, confirm one of these is active:
- RENDER_API_KEY
is exported in the shell, or - Render CLI is authenticated (render whoami -o json
)
For git-backed flows, require git and a valid remote URL. Do not attempt opaque credential discovery or unrelated environment inspection.
Core Rules
1. Classify the Deployment Path First
Before proposing commands, decide which path applies:- Git-backed deploy (Blueprint or Direct Creation)
- Prebuilt Docker image deploy via Dashboard/API
If the repository has no remote, stop and ask the user to push a remote or switch to dashboard image deploy.
2. Choose Method by Complexity, Not Preference
Default decision:- Direct Creation when it is one simple service and no extra infra
- Blueprint when there are multiple services, datastores, cron, workers, or reproducibility requirements
If uncertainty remains, ask one clarifying question and continue.
3. Verify Prerequisites Before Any Deploy Action
Run checks in this order:- git remote -v
for source availability - MCP availability (list_services()
) - CLI fallback readiness (render --version
,render whoami -o json) - Active workspace context (MCP or CLI)
- Authentication presence (RENDER_API_KEY
or authenticated CLI session)
Do not proceed to deployment steps when prerequisites are missing.
4. Treat render.yaml as Executable Infrastructure
When using Blueprint:
- Declare all required env vars
- Mark user-provided secrets with sync: false
- Prefer plan: free
unless user requests another plan - Match service type and runtime to the actual app behavior
After creating the file, validate before push.
5. Require Push Before Deeplink Handoff
Before sharing a Render Blueprint deeplink, confirm render.yaml is committed and pushed to the remote branch. If not pushed, the Dashboard flow will fail to discover the configuration.6. Verify the Deployment and Close With Evidence
After deployment:
- Confirm latest deploy status is live
- Check health endpoint response
- Review recent error logs
- Validate required env vars and port binding (
0.0.0.0:$PORT)If failures exist, run one-fix-at-a-time triage from
troubleshooting.md.Common Traps
- Starting deploy without a git remote -> Blueprint and MCP git-backed flows fail immediately.
- Picking Direct Creation for multi-service systems -> Missing workers/datastores and fragmented setup.
- Forgetting
sync: false on secrets -> Broken deploys or accidental secret exposure in config.
Using localhost binding instead of 0.0.0.0:$PORT -> Health checks fail even when process is running.
Redeploying repeatedly without root-cause fix -> Noisy failures and delayed resolution. External Endpoints
Endpoint Data Sent Purpose https://dashboard.render.com Repository URL, service config, env key names Blueprint apply flow and dashboard provisioning https://mcp.render.com Service creation/config requests and workspace-scoped metadata MCP direct provisioning https://api.render.com Deployment metadata, logs, service status (via CLI/API) Validation and operational checks
No other endpoints should be used unless the user requests an explicit integration.Security & Privacy
Data that leaves your machine:
- Repository URL and deployment metadata sent to Render services.
- Environment variable names and provided values when the user explicitly sets them.
Data that stays local:
- Preferences and deployment history in
~/render-deploy/ if the user accepts memory.
Local codebase inspection outputs and interim analysis notes. This skill does NOT:
- Read unrelated credentials outside the deployment context.
- Scrape credentials from shell history, dotfiles, or unrelated config paths.
- Send project files to undeclared third-party endpoints.
- Run destructive infrastructure changes without explicit confirmation.
Trust
By using this skill, deployment metadata and selected configuration are sent to Render services. Only use it if you trust Render with this operational data.
Related Skills
Install with clawhub install if user confirms:
deploy - General deployment planning and release execution.
devops - CI/CD, infrastructure workflows, and ops coordination.
docker - Container packaging and runtime configuration.
ci-cd - Pipeline automation and release validation stages.
nodejs - Runtime-specific app configuration and startup tuning.Feedback
- If useful:
clawhub star render-deploy
Stay updated: clawhub sync`
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制