Basecamp CLI

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If installed and authenticated, the CLI can operate with the permissions granted to the Basecamp OAuth app or token.

Why it was flagged

The skill uses Basecamp OAuth credentials or access tokens to act on a user's Basecamp account. This is purpose-aligned, but the registry metadata lists no primary credential or required environment variables.

Skill content

export BASECAMP_CLIENT_SECRET="your-client-secret" ... `BASECAMP_ACCESS_TOKEN` | Access token (alternative to OAuth flow)

Recommendation

Use a dedicated Basecamp integration with the least permissions available, keep secrets out of shell history where possible, and log out or revoke tokens when no longer needed.

What this means

An agent or user running the wrong command could post messages or change project/task state in Basecamp.

Why it was flagged

The documented CLI includes Basecamp write actions, including creating projects/messages, archiving projects, and sending chat messages. These actions fit the stated purpose but can affect shared business data.

Skill content

basecamp projects create ... basecamp projects archive <id> ... basecamp messages create ... basecamp campfires send

Recommendation

Require explicit user approval for write, send, complete, update, or archive operations when using this in automated workflows.

What this means

Installing the package places npm package code on the user's system and makes the `basecamp` command available globally.

Why it was flagged

The installation path relies on a global npm package. That is expected for a TypeScript CLI, but it means users trust the published package and dependency resolution outside the skill instructions.

Skill content

npm i -g @emredoganer/basecamp-cli

Recommendation

Install only from the expected npm package, review the package source/version if possible, and avoid installing it in highly sensitive environments without verification.