Cosin
v1.0.2Use this skill when an agent needs to operate the `cosin` CLI from the terminal. `cosin` accepts only relative paths, lists available skills through the `ski...
⭐ 0· 119·0 current·0 all-time
byC9@0xcipher0
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The SKILL.md describes using a CLI to call a COS API and COS-backed skills; the inputs it asks for (bearer token, method, path, JSON, headers) match that purpose. There are no unrelated binaries, config paths, or credentials requested.
Instruction Scope
Instructions are limited to running the cosin CLI and validating inputs. Two minor issues: the doc references SKILLS_BASE_URL as how /cos/... calls are built (but does not declare or require that env var), and it recommends passing the bearer token on the command line (which is insecure because command-line args can be visible to other local users/processes). Otherwise the instructions stay within the stated scope and do not ask the agent to read unrelated files or secrets.
Install Mechanism
No install spec or code is provided; this is instruction-only so nothing is downloaded or written to disk by the skill itself.
Credentials
The skill does not request any environment variables or other credentials from the agent registry. It does require a COS bearer token at runtime (expected for a CLI that authenticates to an API). The SKILL.md mentions SKILLS_BASE_URL (internal build step) without declaring it as required, which is an informational mismatch but not a direct credential request.
Persistence & Privilege
The skill is not always-on and does not request elevated or persistent system privileges. It does not modify other skills or agent-wide configs.
Assessment
This is an instruction-only skill for running the cosin CLI; it does not install code or request extra credentials beyond the COS bearer token you must supply at runtime. Before installing or enabling: 1) Ensure you have a trusted cosin binary installed from a known source — the skill assumes that CLI is present. 2) Be careful with the bearer token: the SKILL.md suggests passing it as --key on the command line, but command-line arguments can be seen by other local processes/users (use a more secure mechanism if available, such as a protected environment variable or a secrets manager). 3) Note the doc references SKILLS_BASE_URL for resolving /cos/... calls; verify where that value comes from in your environment and that the target endpoints (including skills.bankofuniverse.org and the COS API host) are expected. 4) Do not hardcode tokens in repo files as the doc warns. If you need higher assurance, ask the skill author for the expected cosin release URL or checksum and for clarification about SKILLS_BASE_URL.Like a lobster shell, security has layers — review code before you run it.
latestvk979bgxmxq5h4mr4fsmv8mp4mh83dw5z
License
MIT-0
Free to use, modify, and redistribute. No attribution required.