Openpond Cli
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is a coherent OpenPond CLI guide, but it involves installing an external npm CLI and using OpenPond credentials for commands that can push code, run tools, and create agents.
Before installing, verify the npm package source, use a least-privilege OpenPond API key, review files and diffs before any repo push, and require explicit approval before running tools or creating OpenPond agents.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or running the npm package will execute code from outside this skill review.
The skill asks the user to install or run an external npm package that is not included in the reviewed artifacts and is not pinned to a version.
Install: `npm i -g openpond-code` (or `npx --package openpond-code openpond <cmd>`)
Verify that `openpond-code` is the expected OpenPond CLI package, prefer trusted sources, and pin or review the package version when possible.
Anyone or anything with access to the configured credential may be able to act on the OpenPond account within that credential's scope.
The workflow uses OpenPond account credentials and a local cache, which is expected for CLI account operations but sensitive.
Auth: run `openpond login` or set `OPENPOND_API_KEY` ... Cache file: `~/.openpond/cache.json`
Use least-privilege API keys, avoid pasting real keys into shared chats or logs, and review local credential/cache handling.
An agent running these commands could push unintended files or trigger tool actions if the target path, repo, or tool is wrong.
The documented CLI workflows can upload repository contents and run OpenPond tools; these are purpose-aligned but can have account or data side effects.
`git add . && git commit -m "init"` ... `openpond repo push --path . --branch main` ... `openpond tool run handle/repo myTool --body ...`
Require explicit user approval for pushes and tool runs, inspect the git diff before pushing, and avoid broad `git add .` when secrets or unrelated files may be present.
A created agent could continue to exist or act according to its OpenPond configuration after the current task.
The skill documents creating an OpenPond agent, which may persist beyond the immediate CLI session.
`openpond apps agent create --prompt "Build a daily digest agent"`
Only create agents on explicit request, confirm the prompt and intended lifecycle, and know how to disable or delete created agents.
