keyco
v1.0.0Manage Keyco assets, DUBs (QR/NFC/BLE/Virtual beacons), workflows, lifecycle events, users, and analytics. Use when the user asks about Keyco, asset manageme...
⭐ 0· 29·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the included documentation and CLI commands. The SKILL.md and references describe using the Keyco CLI (api.qrdub.com / dashboard.qrdub.com) to manage DUBs/assets, lifecycles, workflows, users, and analytics — everything in the bundle (command reference, scope guidance, setup script) is consistent with that purpose.
Instruction Scope
Runtime instructions are limited to checking/using the Keyco CLI, running Keyco commands with --output json, and running the included setup script if the CLI is missing or not configured. The setup script only checks ~/.keyco.yaml, runs keyco status, and invokes keyco configure interactively. The SKILL.md explicitly forbids circumventing audit flows (no manual location edits or out-of-band workflow completion). No instructions ask the agent to access unrelated system files or external endpoints beyond Keyco dashboard/API hosts.
Install Mechanism
There is no builtin install spec, but the included setup script will run npm install -g @keyco/cli (and retry with sudo if needed). Installing a global npm package is an expected way to get a CLI, but it is a moderate-risk action because it pulls code from the npm registry and may require elevated privileges (sudo). This is proportionate to a CLI integration but worth a manual check before running.
Credentials
The skill does not declare or require unrelated environment variables or credentials. It legitimately expects the user to provide a Keyco API key (kc_live_*) via the CLI or ~ /.keyco.yaml; the included docs note KEYCO_API_KEY as an environment override, which is expected for CLI tooling. No unrelated secrets or high-scope credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request persistent elevated privileges or modify other skills. It can be invoked by the agent (normal), but there are no additional privileged behaviors in the bundle.
Assessment
This skill appears to do what it claims (manage Keyco assets via the Keyco CLI). Before running anything: 1) Review the npm package @keyco/cli on the public registry (npmjs.com) to confirm publisher/trust; 2) Be aware the provided setup script may run npm install -g and fall back to sudo (you may be prompted for your password) — run it manually rather than allowing automatic execution if you prefer; 3) Only use API keys with the minimum scopes needed (the docs list recommended scopes) and never paste your Keyco API key into an untrusted chat; 4) If you have doubts about the dashboard URLs (dashboard.qrdub.com / api.qrdub.com), verify them with your organization. Overall: safe and coherent, but exercise standard caution when installing global packages and supplying API keys.Like a lobster shell, security has layers — review code before you run it.
latestvk978hbyh89eg77k7756ppp3qr984ze01
License
MIT-0
Free to use, modify, and redistribute. No attribution required.