ClawHub

Reply.io CLI

v1.0.1

Manage sequences, contacts, email accounts, and schedules in Reply.io directly from the terminal. Use this skill when users want to view Reply.io stats, mana...

0· 76·0 current·0 all-time
by@grizzlyzp1
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name, description, declared binaries (node) and required env var (REPLY_API_KEY) match the behavior: the skill invokes the reply-cli via npx. The inclusion of curl in the declared binaries is slightly unnecessary given the provided files and instructions, but not a strong mismatch.
Instruction Scope
SKILL.md instructs the agent to run npx reply-cli commands and to avoid logging the API key. The provided reply.sh only reads the API key (from env or /run/secrets/reply_key) and forwards args to npx. There are no instructions to read unrelated files, exfiltrate data, or call unexpected endpoints.
Install Mechanism
There is no install spec (instruction-only) and the included script uses npx to fetch/run the reply-cli package from the npm registry at runtime. This is expected for a CLI wrapper, but npx will download and execute code from npm on first run — a moderate operational risk that is proportional to the skill's purpose.
Credentials
The only required secret is REPLY_API_KEY (declared as primaryEnv). The script's fallback to /run/secrets/reply_key is consistent with the documented alternatives. No other unrelated credentials or config paths are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent system-wide privileges. It does not modify other skills or agent configuration beyond reading the declared API key fallback. Autonomous invocation is allowed (platform default) and appropriate for this kind of skill.
Assessment
This skill is a thin wrapper around the official reply-cli and looks coherent, but consider the following before installing: (1) npx will download and run the reply-cli package from the public npm registry at runtime — if you need stricter supply-chain control, install a pinned reply-cli version locally or audit the npm package/version you expect to run; (2) keep REPLY_API_KEY secret (use .env, Docker secrets, or a secrets manager) — the script will read /run/secrets/reply_key if present; (3) curl is declared but not used by the included files (harmless but slightly inconsistent); (4) verify you trust the reply-cli package owner before allowing the agent to execute it via npx.

Like a lobster shell, security has layers — review code before you run it.

emailvk9766b188mk4779d46bg0wzdf583td9vlatestvk9766b188mk4779d46bg0wzdf583td9voutreachvk9766b188mk4779d46bg0wzdf583td9vreply.iovk9766b188mk4779d46bg0wzdf583td9vsalesvk9766b188mk4779d46bg0wzdf583td9v

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode, curl
EnvREPLY_API_KEY
Primary envREPLY_API_KEY

Comments