Hoist
v0.1.5
Deploy and manage apps, servers, databases, domains, and environment variables on VPS providers using the Hoist CLI.
by @g4f4r0
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, required binary ('hoist'), and the install spec (npm package 'hoist-cli' that creates the 'hoist' binary) are coherent with a CLI for deploying apps/servers/databases/domains. Declared provider env vars (HOIST_*_API_KEY) match the described providers.
Instruction Scope
SKILL.md limits actions to running the Hoist CLI, reading hoist.json for project context, and running provider-specific commands. It instructs the agent to request confirmation before any create/modify/destroy and to verify actions with 'hoist status' or 'hoist doctor'. It does not instruct the agent to read unrelated system files or exfiltrate data.
Install Mechanism
Install uses npm (npm install -g hoist-cli) to provide the 'hoist' binary. This is a typical distribution channel for CLI tools but carries standard supply-chain risk (npm package install scripts, postinstall hooks). No direct downloads from arbitrary URLs or extract steps are present.
Credentials
The only environment variables mentioned are provider API keys (HOIST_HETZNER_API_KEY, HOIST_VULTR_API_KEY, HOIST_DIGITALOCEAN_API_KEY, HOIST_HOSTINGER_API_KEY, HOIST_LINODE_API_KEY, HOIST_SCALEWAY_API_KEY), which are necessary and proportional for managing providers. The skill does not request unrelated secrets or broad platform credentials.
Persistence & Privilege
The skill is not force-included (always:false) and does not request elevated platform privileges. It can perform destructive infrastructure actions via the CLI, but SKILL.md instructs a human-in-the-loop confirmation policy for sensitive operations. Autonomous invocation is allowed by default on the platform but is not a problem unique to this skill.
Assessment
This skill is a wrapper around the Hoist CLI and appears coherent with its stated purpose, but before installing: (1) Verify the npm package 'hoist-cli' and the GitHub repo are the official project and review recent package versions and changelogs; (2) treat provider API keys as sensitive — create least-privilege tokens where possible and avoid placing them in global/long-lived shells; (3) be aware the CLI can create/destroy servers and rotate keys — require explicit confirmation for destructive commands; (4) consider installing/testing the CLI in an isolated environment or container first to inspect behavior and network activity; and (5) keep the npm package updated and monitor supply-chain advisories for 'hoist-cli'.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: hoist
Install
Install Hoist CLI (npm)
Bins: hoist
npm i -g hoist-cli