ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Coala Client

v0.1.2

How to use the coala-client CLI for chat with LLMs, MCP servers, and skills. Use when the user asks how to use coala, run coala chat, add MCP servers, import...

0· 553·0 current·0 all-time
byqhu@hubentu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (coala-client CLI for chat, MCP, and skills) match the declared binary requirement (coala-client) and the documented actions (init, chat, mcp-import, skill import). No unrelated credentials or unrelated binaries are requested.
Instruction Scope
Instructions are specific to coala-client usage and reference config paths under ~/.config/coala/. However, the SKILL.md explicitly allows importing CWL/toolsets and skills from arbitrary http(s) URLs or zip files and describes running MCP servers (run_mcp.py). That implies downloading and potentially executing third‑party code from remote sources — behavior coherent with the tool but risky if sources are untrusted.
Install Mechanism
Install spec uses a 'uv' package named 'coala-client' that creates the coala-client binary. The manifest does not show a raw URL download or archive extraction, but the origin/resolver for the 'uv' package is not described here — verify the package registry/source before installing.
Credentials
No required environment variables or credentials are declared. The documentation sensibly notes optional provider keys (OPENAI_API_KEY, GEMINI_API_KEY, OLLAMA_BASE_URL) needed only for LLM provider access; these are proportional and expected.
Persistence & Privilege
Skill is not always-enabled and does not request persistent elevated privileges or modification of other skills. It uses per-user config paths under ~/.config/coala/, which is appropriate for a CLI tool of this type.
What to consider before installing
This skill appears to be a legitimate helper for the coala-client CLI, but be cautious about importing toolsets or skills from remote URLs or zipped archives: those artifacts can contain code (run_mcp.py or other scripts) that the client may execute when you start an MCP server or load a skill. Before installing or using: 1) verify the origin of the 'uv' package (where 'coala-client' comes from), 2) avoid importing skills/toolsets from untrusted/unverified URLs, 3) inspect downloaded zips/local files before import, 4) prefer running MCP/toolsets in an isolated environment or sandbox, and 5) only provide LLM API keys to providers you trust and consider using --no-mcp when you do not want external tools to run.

Like a lobster shell, security has layers — review code before you run it.

latestvk9751qzqc7rvdnwyggnmct6hjx81he2e

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧬 Clawdis
Binscoala-client

Install

Install coala-client (uv)
Bins: coala-client
uv tool install coala-client

Comments