Squid
v1.0.1
Create, modify, and debug agentic pipelines with Squid. Define multi-agent YAML workflows with spawn (OpenClaw, Claude Code, OpenCode), gates, parallel execu...
by Dominik Szopa (@dominno)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (Squid pipeline authoring, multi-agent workflows) matches the included files: extensive YAML examples, references, and test schemas. The skill does not require unrelated environment variables or credentials. Examples legitimately reference CLIs (docker, kubectl, gh, openclaw, claude) because pipelines are intended to orchestrate external tools.
Instruction Scope
SKILL.md instructs the agent/user to read bundled reference docs before generating pipelines — this is appropriate and explicit. It also includes human-facing install/run commands (git clone https://github.com/dominno/squid.git, npm install, npx squid run ...). Those are installation/run instructions for the Squid tool and examples and are coherent with the skill goal, but they do instruct running network and shell actions (cloning a GitHub repo, npm install, running CLI tools) which will execute arbitrary code if the user follows them. The examples contain run steps that perform file/git operations and create PRs (gh pr create) — expected for a pipeline tool but they can modify repos and require external credentials if actually executed.
Install Mechanism
The registry has no formal install spec; installation instructions live in SKILL.md and point to a GitHub repository (github.com/dominno/squid) and npm build steps. Using GitHub as the source is common and reasonable, but because there is no automated, vetted install spec in the registry, following SKILL.md will clone and build third‑party code locally. That operation writes code to disk and runs npm scripts — a normal install step but higher-risk compared to an instruction-only skill that never asks you to fetch/execute external code.
Credentials
The skill declares no required env vars, binaries, or secrets. The example pipelines may require external credentials to interact with services (git, gh, cloud CLIs, Slack/PagerDuty hooks) but those are not requested or embedded by the skill itself. This is proportionate for a pipeline-orchestration skill.
Persistence & Privilege
The skill is not marked always:true and does not request to modify other skills or system-wide config. It is instruction-only and does not ask for persistent privileges. Pipelines produced by the skill may create persistent side effects when executed, but that is normal for this domain and not a registry-level privilege escalation.
Assessment
This skill is internally coherent for authoring and testing Squid YAML pipelines, but exercise caution before executing anything:
1) Inspect the bundled example pipelines and tests (they can run shell commands, git commits, create PRs, call CLIs like docker/kubectl/gh) and confirm you understand what they will do.
2) If you follow the SKILL.md install steps, review the GitHub repo code (https://github.com/dominno/squid) before cloning/building; running npm install/build executes third-party code on your machine.
3) Use the 'sandbox' test mode and the provided .test.yaml files to validate behavior without running real commands; only run integration modes after auditing and optionally mocking dangerous steps.
4) Be mindful that executing pipelines may require external credentials (git, GitHub CLI, cloud CLIs, Slack/PagerDuty tokens); provide least-privilege credentials and avoid exposing secrets.
5) If you want extra assurance, run installs inside an isolated environment (container or VM) and review any network activity during install/run.
Like a lobster shell, security has layers — review code before you run it.
latest vk97a8gwjnn7cxptjcrce411xhd84c6cs
