Cobalt Io
v1.0.0Cobalt integration. Manage data, records, and automate workflows. Use when the user wants to interact with Cobalt data.
⭐ 0· 94·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The SKILL.md describes interacting with Cobalt via the Membrane CLI, and all required actions (install CLI, login, create connection, run actions or proxy requests) match the stated purpose of managing Cobalt data and workflows. No unrelated binaries or credentials are requested.
Instruction Scope
Instructions are limited to installing and using the Membrane CLI and interacting with connections/requests. They do allow proxying arbitrary API paths to Cobalt through a user's Membrane connection, which is expected but means the agent (once authorized) can read/modify any Cobalt data permitted by the connection. Also note an odd reference to 'https://cobalt.foo/development/' (likely a placeholder) — verify official doc links before trusting them.
Install Mechanism
Install is via 'npm install -g @membranehq/cli' (public npm). This is a reasonable, common mechanism but requires global npm permissions and will place a binary on the host. Consider installing locally or reviewing the package before global install.
Credentials
The skill requires no environment variables or local secrets. Authentication is handled via Membrane's browser-based login flow and server-side credential management, which aligns with the skill's claims. Trusting this model requires confidence in the Membrane service's handling of credentials and scopes.
Persistence & Privilege
always:false (no forced persistent inclusion) which is appropriate. Default autonomous invocation is allowed (platform default) — if you permit the agent to use this skill autonomously, it could perform any API calls the Membrane-connected Cobalt account permits. That increases blast radius and should be considered when granting agent privileges.
Assessment
This skill is internally consistent: it uses the Membrane CLI and browser OAuth to access Cobalt, which matches its description. Before installing and using it: 1) Confirm you trust the Membrane service (homepage/repo) and review the @membranehq/cli package on npm or its GitHub repo; 2) Check the OAuth/connection scopes presented during 'membrane login' so you know what the agent can access; 3) Prefer non-global installs or review the package code if you must grant global npm install rights; 4) Be cautious about allowing autonomous agent invocation — once a connection exists the skill can proxy arbitrary requests to the Cobalt API under that account; and 5) Verify the odd 'cobalt.foo' documentation link and prefer official Cobalt docs or vendor-provided endpoints if unsure.Like a lobster shell, security has layers — review code before you run it.
latestvk97bfc8fa7je744pbetvv6q83984h7h8
License
MIT-0
Free to use, modify, and redistribute. No attribution required.