Box
v1.0.0
Box CLI skill for working with files, folders, metadata, search, and Box AI in headless environments.
by Andrew @hbkwong
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Box CLI for files, metadata, Box AI) match the SKILL.md instructions. The skill requires the 'box' binary and describes using Client Credentials Grant (CCG) or JWT — these are expected for headless Box CLI automation.
Instruction Scope
Instructions focus on configuring the Box CLI, creating credential JSON (or using env vars), registering environments with 'box configure', and running Box commands (upload, download, search, Box AI). It instructs creating credential files under /data/.secrets and setting file perms (chmod 600), which is reasonable for the stated purpose. No instructions request unrelated system data or external endpoints. Note: examples include shell heredocs with env var substitution — ensure env vars and files are kept secure and not accidentally logged or committed.
Install Mechanism
The skill is instruction-only (no install spec in registry), but SKILL.md metadata suggests installing the official @box/cli via npm (producing the 'box' binary). This is a low-risk, standard installation path; no arbitrary download URLs or extraction steps are present.
Credentials
The only secrets discussed are Box credentials (BOX_CLIENT_ID, BOX_CLIENT_SECRET, BOX_ENTERPRISE_ID) or JSON config files for CCG/JWT — these are directly required for Box CLI headless auth. No unrelated credentials or broad environment access are requested.
Persistence & Privilege
The skill does not request always:true, does not alter other skills' configs, and is user-invocable. It requires no persistent platform privileges beyond normal use of the Box CLI and provided credentials.
Assessment
This skill appears to be what it says: a wrapper for the official Box CLI in headless environments. Before installing, ensure you: (1) have the official 'box' CLI installed (the SKILL.md suggests the npm package @box/cli); (2) provide Box credentials yourself (CCG JSON or JWT JSON or env vars) and store them outside the workspace with restrictive permissions (e.g., /data/.secrets, chmod 600); (3) grant the least-privilege scopes to the service account (avoid enterprise-wide rights unless necessary); (4) do not commit credential files to source control; and (5) remember that any agent actions will act with the privileges of the provided credentials — review and limit those credentials accordingly.
Like a lobster shell, security has layers — review code before you run it.
latest vk976qm8fx0x2x87m4qxh4531w181e1e1
Runtime requirements
📦 Clawdis
Bins: box
