Basecamp CLI
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: basecamp-cli
Version: 1.0.0
The OpenClaw AgentSkills skill bundle for the Basecamp CLI is benign. It provides a command-line interface to manage Basecamp resources, using standard and secure practices for OAuth 2.0 authentication, including PKCE and a local redirect server. Sensitive tokens are encrypted on disk using a machine-specific key, and the `BASECAMP_CLIENT_SECRET` is explicitly required to be set as an environment variable, never stored in configuration files. The `SKILL.md` and `README.md` contain clear, functional instructions without any evidence of prompt injection attempts or hidden directives. All network communication is directed to legitimate Basecamp API endpoints (`launchpad.37signals.com`, `3.basecampapi.com`).
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed and authenticated, the CLI can operate with the permissions granted to the Basecamp OAuth app or token.
The skill uses Basecamp OAuth credentials or access tokens to act on a user's Basecamp account. This is purpose-aligned, but the registry metadata lists no primary credential or required environment variables.
export BASECAMP_CLIENT_SECRET="your-client-secret" ... `BASECAMP_ACCESS_TOKEN` | Access token (alternative to OAuth flow)
Use a dedicated Basecamp integration with the least permissions available, keep secrets out of shell history where possible, and log out or revoke tokens when no longer needed.
An agent or user running the wrong command could post messages or change project/task state in Basecamp.
The documented CLI includes Basecamp write actions, including creating projects/messages, archiving projects, and sending chat messages. These actions fit the stated purpose but can affect shared business data.
basecamp projects create ... basecamp projects archive <id> ... basecamp messages create ... basecamp campfires send
Require explicit user approval for write, send, complete, update, or archive operations when using this in automated workflows.
Installing the package gives npm package code a place on the user's system and makes the `basecamp` command available globally.
The installation path relies on a global npm package. That is expected for a TypeScript CLI, but it means users trust the published package and dependency resolution outside the skill instructions.
npm i -g @emredoganer/basecamp-cli
Install only from the expected npm package, review the package source/version if possible, and avoid installing it in highly sensitive environments without verification.
