s1cli
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent S1 forum CLI skill, but it uses a forum login/session and can publish posts or replies, so account actions should be explicitly user-directed.
This skill appears benign for its stated purpose. Before installing, verify the external s1cli package or GitHub repository, avoid passing passwords directly on the command line when possible, protect ~/.config/s1cli/session.toml, and require explicit confirmation before any post, reply, or check-in is submitted.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, the agent could publish content to the user's S1 account or perform a forum check-in when the user did not intend it.
The skill documents commands that can publish new forum posts and replies. This is central to the stated forum-tool purpose, but it can create public account-visible content.
python3 -m s1cli post -f <forum_name> -t "标题" -c "内容"
python3 -m s1cli reply <thread_id> -c "回复内容"
Only allow posting, replying, or check-in after the user has clearly requested the action and reviewed the exact content or operation.
The skill can act as the logged-in forum user while the local session remains valid.
The skill uses S1 account credentials and persists an authenticated session file. This is expected for an authenticated forum CLI, but it grants account-level authority.
python3 -m s1cli login -u <username> -p <password>
- The session is saved to `~/.config/s1cli/session.toml` and is valid for 7 days
Prefer interactive login over putting passwords in command arguments, protect the session file, and run logout when the session is no longer needed.
Installing the external package gives that package code execution in the local Python environment.
The instruction-only skill depends on an external Python package or GitHub source installed with unpinned commands. This is normal for a CLI wrapper, but users should trust the package source before installation.
pip3 install s1cli
# or from source
git clone https://github.com/Geoion/s1cli.git && cd s1cli && pip3 install -e .
Install from a trusted source, verify the package/repository identity, and consider pinning a known version before using it with account credentials.
