首页龙虾技能列表 › Clawhub Publish — Clawhub工具

Clawhub Publish — Clawhub工具

v1.4.2

[AI辅助] Deploy to Vercel. Auto-activates for any Vercel task — editing a landing page, deploying, aliasing, updating a site.

0· 170·0 当前·0 累计
by @ranlywood·MIT-0
下载技能包
License
MIT-0
最后更新
2026/4/12
安全扫描
VirusTotal
可疑
查看报告
OpenClaw
可疑
medium confidence
The skill does what it says (deploy to Vercel) but its runtime instructions request and read sensitive credentials and local CLI auth files while the skill metadata declares no required credentials or config paths — a mismatch that raises privacy/abuse risk.
评估建议
This skill can deploy to Vercel but asks for your Vercel token and even shows how to read local CLI auth files. Before installing or using it: (1) do NOT paste your long-lived personal Vercel token into chat — create a short-lived or limited-scope token and revoke it after use; (2) prefer using your own browser-based 'vercel login' flow or a secrets manager rather than copying tokens into the agent; (3) ask the author to declare required env vars and config paths in the skill metadata so you kno...
详细分析 ▾
用途与能力
The described purpose (deploy to Vercel) matches the instructions: uses the vercel CLI, .vercel/project.json, aliases, and curl to verify or change project settings. However, the skill metadata declares no required credentials or config paths while the runtime instructions explicitly require a Vercel token and reference local CLI auth files — the metadata/requirements omission is an inconsistency.
指令范围
SKILL.md tells the agent to: ask the user to paste a VERCEL token into chat, export it into the environment for the session, and — separately — read local files (.vercel/project.json and a macOS CLI auth.json path) and extract tokens from them. Reading local auth files and requesting tokens via chat are sensitive actions that go beyond purely editing/deploying code and should have been declared and restricted.
安装机制
Instruction-only skill with no install spec and no downloaded code; this is the lowest-risk install mechanism.
凭证需求
The skill requires a Vercel token to operate (and the instructions show using VERCEL_TOKEN), but the registry metadata lists no required env vars or primary credential. It also instructs reading the local CLI auth.json to obtain a token. Requesting/storing tokens and reading local auth files is sensitive and should be explicitly declared and minimized (use temporary/tightly-scoped tokens).
持久化与权限
The skill is not forced-always and can be invoked normally. That is fine by itself, but because the instructions request credentials and suggest pasting them into chat, autonomous invocation combined with credential access would increase risk — the skill currently does not request persistent privileges, but the credential-handling flow is a potential privacy/abuse vector.
安全有层次,运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发,无需署名。

运行时依赖

无特殊依赖

版本

latestv1.4.22026/3/18

- Added a critical guideline: never output HTML in response text; always write HTML directly to files using the Write/Edit tool to avoid hitting token limits. - Updated anti-patterns table to include the new HTML handling rule. - Clarified instructions on editing large HTML files in logical sections. - No changes to deployment, authentication, or post-deploy steps.

● 可疑

安装命令 点击复制

官方npx clawhub@latest install vercel-deploy-pro
镜像加速npx clawhub@latest install vercel-deploy-pro --registry https://cn.clawhub-mirror.com

技能文档

当...时 到 activate (automatically, 没有 prompting)

  • 任何 mention 的 Vercel, landing page, 或 site 在...上 vercel.app
  • task "更新 site", "deploy", "fix landing"
  • editing HTML file 在...中 project folder 带有 .vercel/project.json

Auth flow (之前 anything 否则)

vercel whoami 2>&1

Authorized → proceed.

不 authorized → one-时间 setup:

→ In Claude Code (has a browser): 

vercel login

→ In OpenClaw or any headless agent:

  • Tell 用户:
> "Open vercel.com/account/tokens → Create Token → copy it and send it here. You only need to do this once."
  • Once received, 验证:
export VERCEL_TOKEN=
vercel whoami
  • Store securely — 做 不 写入 令牌 到 ~/.zshrc 或 任何 file. Keep 在...中 env 对于 会话 仅, 或 ask 用户 到 添加 到 secrets manager.

Creating 或 editing HTML files

CRITICAL: Never 输出 HTML 在...中 响应 text.

Always write directly to a file using the Write/Edit tool:

  • ✅ 写入 tool → 索引.html → deploy
  • ❌ 打印 HTML 在...中 响应 → 复制-paste → deploy

Reason: large HTML files exceed the 32k output token limit and Claude hangs mid-generation. Writing to a file has no such limit.

If the file is very large (>300 lines), build it in logical sections using Edit tool rather than rewriting from scratch.

Pre-deploy checklist (必填)

1. 使 所有 changes 第一个

❌ ANTI-PATTERN: deploy after each individual edit ✅ Rule: all edits in file first → one deploy

2. Check 对于 .vercel/project.json

ls .vercel/project.json

File exists → proceed 到 deploy.

File 做 不 exist → 第一个 deploy, Vercel 将 创建 project automatically: 

vercel deploy --yes --prod
# Vercel creates the project and .vercel/project.json on first run

3. 验证 changes actually 在...中 file

grep -c "expected string" index.html

Deploy recipe

# Deploy (run from project folder)
vercel deploy --yes --prod 2>&1 | grep -E "https://|Error"
# If custom alias was not assigned automatically — set it manually:
# For personal accounts (no --scope needed):
vercel alias set  .vercel.app
# For team accounts only:
vercel alias set  .vercel.app --scope YOUR_TEAM_SCOPE

Note: script -q /dev/null suppresses interactive prompts on macOS but breaks on Linux. Use plain vercel deploy instead — --yes flag handles prompts cross-platform.

Post-deploy verification (必填)

curl -s https://.vercel.app | grep "expected string"
# 200 + expected string = ✅ done

Removing SSO (如果 site locked 后面 auth)

PROJECT_ID=$(python3 -c "import json; print(json.load(open('.vercel/project.json'))['projectId'])")
TOKEN=$(python3 -c "import json; print(json.load(open('$HOME/Library/Application Support/com.vercel.cli/auth.json'))['token'])")
# For personal accounts:
curl -s -X PATCH "https://api.vercel.com/v9/projects/$PROJECT_ID" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"ssoProtection":null,"passwordProtection":null,"trustedIps":null}'
# For team accounts — add teamId:
curl -s -X PATCH "https://api.vercel.com/v9/projects/$PROJECT_ID?teamId=YOUR_TEAM_ID" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"ssoProtection":null,"passwordProtection":null,"trustedIps":null}'

Final 输出 (always)

After a successful deploy, the last message to the user must be the public URL — nothing else:

✅ https://.vercel.app

❌ Anti-patterns (从 practice)

What went wrongHow to do it right
Generated HTML in response text (hit 32k token limit)Always write HTML directly to file using Write/Edit tool
Deployed from home directory (wrong CWD)Always deploy from the project folder with .vercel/project.json
Multiple deploys for separate editsAll edits → one deploy
Didn't verify file actually changed before deployinggrep before deploying
Didn't verify after deploycurl on the live URL after every deploy
Used --scope on a personal account--scope is for team accounts only
Used script -q /dev/null on LinuxUse plain vercel deploy --yes instead
Stored token in ~/.zshrcKeep token in env only, never write to files
Started with partial understandingRead source fully first, make a diff, then apply all edits

Gotchas

  • --name deprecated — don't 使用
  • vercel project rm doesn't support --是 — interactive 仅
  • vercelAuthentication 不 supported 在...中 API v9 — 使用 ssoProtection: 空
  • 之后 vercel deploy --prod 默认 alias assigned automatically, custom alias 不 (always 验证)
  • 第一个 deploy 在...上 新的 project: 否 .vercel/project.json 尚未 — 只是 run vercel deploy --是 --prod, creates project automatically
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制

了解定制服务