ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Flyio

v1.0.0

Fly.io edge deployment platform — manage apps, machines, volumes, secrets, and certificates via the Fly.io Machines API. Deploy containers globally, scale to...

0· 336·0 current·0 all-time
by@aiwithabidi
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, commands, and required env var (FLY_API_TOKEN) align with a Fly.io CLI wrapper. However the script uses API_BASE = "https://api.machines.dev/v1" (not the expected api.fly.io host) and the declared homepage is agxntsix.ai rather than fly.io, which could indicate a third‑party proxy or misconfiguration and should be verified.
!
Instruction Scope
SKILL.md states no local data storage and declares no config paths, but the included script will attempt to read a .env file from a workspace path (WORKSPACE or ~/.openclaw/workspace/.env) to extract FLY_API_TOKEN. That file access is not documented in SKILL.md and is outside declared scope.
Install Mechanism
No install spec (instruction-only + included script). The shipped Python script uses only the standard library and nothing is downloaded or written during install, so install risk is low.
Credentials
The skill requests only FLY_API_TOKEN (primary credential), which is appropriate for a Fly.io integration. The script, however, will also consult the WORKSPACE env var and potentially read a local .env file to obtain the token — that additional file access is not declared and means the script will read user config files if present.
Persistence & Privilege
The skill is not marked always:true, does not request system-wide config changes, and does not modify other skills. It runs on invocation only.
What to consider before installing
This looks like a mostly legitimate Fly.io CLI wrapper, but take these precautions before installing: - Verify the API endpoint: the script points to https://api.machines.dev/v1 rather than an official Fly.io host. Confirm with the author why a non‑Fly.io domain is used and whether it is an approved proxy/relay. - Note undocumented file access: the script will try to read WORKSPACE or ~/.openclaw/workspace/.env to find FLY_API_TOKEN. If you keep other secrets in a .env file in that location, the script will read that file (it only extracts FLY_API_TOKEN but still accesses the file). If you prefer, set FLY_API_TOKEN explicitly in the environment instead. - Check the skill author and homepage (agxntsix.ai) and confirm trust before providing your token. Use a token with minimal permissions (or a scoped/temporary token) for testing and rotate it afterwards if you decide to trust the skill. - Review the included scripts locally (scripts/flyio.py) yourself — network calls are limited to API_BASE, and there is no obfuscation, but you should be comfortable with the domain being contacted. If the author confirms the API_BASE and you set FLY_API_TOKEN in your environment (not only in an undetermined .env), the skill's behavior would be coherent; otherwise treat it cautiously.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

✈️ Clawdis
EnvFLY_API_TOKEN
Primary envFLY_API_TOKEN
latestvk9751y33bpdytfqcg3mggk1q85828jt6
336downloads
0stars
1versions
Updated 8h ago
v1.0.0
MIT-0
@aiwithabidi
latest
Download

✈️ Fly.io

Fly.io edge deployment platform — manage apps, machines, volumes, secrets, and certificates via the Fly.io Machines API.

Features

  • App management — create, list, configure apps
  • Machine operations — start, stop, restart machines
  • Volume management — persistent storage provisioning
  • Secret management — secure environment secrets
  • Certificate management — SSL/TLS auto-provisioning
  • Scaling — scale machines up/down, auto-stop
  • Region selection — deploy to specific global regions
  • Health checks — monitor machine health
  • Network config — IP allocation, private networking
  • Deployment — rolling deploys with canary support

Requirements

VariableRequiredDescription
FLY_API_TOKENAPI key/token for Fly.io

Quick Start

# List apps
python3 {baseDir}/scripts/flyio.py apps --limit 20

# Get app details
python3 {baseDir}/scripts/flyio.py app-get my-app

# Create an app
python3 {baseDir}/scripts/flyio.py app-create '{"app_name":"my-service","org_slug":"personal"}'

# List machines
python3 {baseDir}/scripts/flyio.py machines --app my-app

Commands

apps

List apps.

python3 {baseDir}/scripts/flyio.py apps --limit 20

app-get

Get app details.

python3 {baseDir}/scripts/flyio.py app-get my-app

app-create

Create an app.

python3 {baseDir}/scripts/flyio.py app-create '{"app_name":"my-service","org_slug":"personal"}'

machines

List machines.

python3 {baseDir}/scripts/flyio.py machines --app my-app

machine-get

Get machine details.

python3 {baseDir}/scripts/flyio.py machine-get --app my-app mach_abc123

machine-start

Start a machine.

python3 {baseDir}/scripts/flyio.py machine-start --app my-app mach_abc123

machine-stop

Stop a machine.

python3 {baseDir}/scripts/flyio.py machine-stop --app my-app mach_abc123

machine-create

Create a machine.

python3 {baseDir}/scripts/flyio.py machine-create --app my-app '{"config":{"image":"nginx:latest","guest":{"cpus":1,"memory_mb":256}}}'

volumes

List volumes.

python3 {baseDir}/scripts/flyio.py volumes --app my-app

volume-create

Create a volume.

python3 {baseDir}/scripts/flyio.py volume-create --app my-app '{"name":"data","size_gb":10,"region":"ord"}'

secrets

List secrets.

python3 {baseDir}/scripts/flyio.py secrets --app my-app

secret-set

Set a secret.

python3 {baseDir}/scripts/flyio.py secret-set --app my-app "DATABASE_URL" "postgres://..."

certs

List certificates.

python3 {baseDir}/scripts/flyio.py certs --app my-app

regions

List available regions.

python3 {baseDir}/scripts/flyio.py regions

status

App status overview.

python3 {baseDir}/scripts/flyio.py status --app my-app

Output Format

All commands output JSON by default. Add --human for readable formatted output.

# JSON (default, for programmatic use)
python3 {baseDir}/scripts/flyio.py apps --limit 5

# Human-readable
python3 {baseDir}/scripts/flyio.py apps --limit 5 --human

Script Reference

ScriptDescription
{baseDir}/scripts/flyio.pyMain CLI — all Fly.io operations

Data Policy

This skill never stores data locally. All requests go directly to the Fly.io API and results are returned to stdout. Your data stays on Fly.io servers.

Credits

Built by M. Abidi | agxntsix.ai YouTube | GitHub Part of the AgxntSix Skill Suite for OpenClaw agents.

📅 Need help setting up OpenClaw for your business? Book a free consultation

Comments

Loading comments...