ClawHub

Basecamp CLI

v1.0.0

Manage Basecamp (via bc3 API / 37signals Launchpad) projects, to-dos, messages, and campfires via a TypeScript CLI. Use when you want to list/create/update Basecamp projects and todos from the terminal, or when integrating Basecamp automation into Clawdbot workflows.

3· 2.1k·2 current·2 all-time
by@emredoganer
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the included TypeScript CLI code (commands for projects, todos, messages, campfires). The code uses Basecamp API calls and standard CLI libraries, which is coherent with the stated purpose. However the registry metadata lists no required environment variables or primary credential even though the README and SKILL.md instruct the user to provide BASECAMP_CLIENT_ID / BASECAMP_CLIENT_SECRET or an access token.
Instruction Scope
SKILL.md and README give concrete install/auth steps (npm install -g, create Launchpad integration, run basecamp auth configure/login). The runtime instructions do not ask the agent to read unrelated system files or exfiltrate data; they simply direct the OAuth flow and setting an env var for the client secret. No instructions give the agent open-ended rights to gather arbitrary context.
Install Mechanism
There is no custom install spec in the skill bundle (instruction-only). The README/SKILL.md recommend installing from npm (@emredoganer/basecamp-cli) and package.json lists standard npm dependencies (got, commander, conf, etc.). No downloads from arbitrary URLs or archive extraction were found in the provided manifest.
!
Credentials
The CLI legitimately requires OAuth credentials (client id/secret or an access token). The problem: the registry metadata claims 'Required env vars: none' and 'Primary credential: none', which contradicts the SKILL.md and README that explicitly require BASECAMP_CLIENT_SECRET (and optionally BASECAMP_CLIENT_ID / BASECAMP_ACCESS_TOKEN). This discrepancy could be an oversight, but it matters because automated permission prompts or audits will not show the skill needs secrets.
Persistence & Privilege
always:false and no OS restrictions are appropriate. The code references a 'conf' library to store client config and current account id; SKILL.md explicitly states the client secret is not stored on disk. Expect the CLI to persist non-secret config (client id, selected account, access tokens) in the user's CLI config directory—this is normal but you should verify where tokens are stored and whether they are protected.
What to consider before installing
What to check before installing: - Verify the package publisher and source: package.json points to a GitHub repo (emredoganer/basecamp-cli). Visit that repo and confirm it matches the code here and is maintained by a trusted author. The skill metadata (registry) failing to declare required env vars is suspicious—don't trust the registry entry alone. - Confirm credential handling: the README/SKILL.md ask you to set BASECAMP_CLIENT_SECRET in your shell. Inspect src/lib/config.ts and src/lib/auth.ts in the repo to confirm the secret is not written to disk and to see how access tokens are persisted (the code likely uses the 'conf' package). Prefer using a short-lived OAuth flow or an access token with limited scope if possible. - If you will install globally (npm -g), be aware the CLI will run on your machine and can access anything your user account can. Only install if you trust the package and author. - If you are especially cautious: run the CLI in a disposable environment (container or dedicated VM), or audit the compiled/dist files before granting credentials. - If you maintain automated tooling that checks skill metadata, update the registry entry or ask the publisher to declare required env vars (BASECAMP_CLIENT_ID, BASECAMP_CLIENT_SECRET, optional BASECAMP_ACCESS_TOKEN) so permission prompts are accurate. Confidence note: I reviewed the SKILL.md, README, package.json and many command files; some lib files were truncated in the provided bundle so I could not fully verify exact token storage logic—inspect src/lib/config.ts and src/lib/auth.ts to raise confidence to high.

Like a lobster shell, security has layers — review code before you run it.

latestvk975z678sxm4gy3e9gm4n4281h7zt6kp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments