Oblien workspace runtime
v1.0.0
Complete Oblien workspace environment — what you are running inside (Firecracker microVM), how auth works (gateway JWT vs raw token), and the full Internal A...
by Hydra de lerne (@hydralerne)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description match the instructions: the document is a runtime reference for an Oblien workspace internal API (file access, exec, terminal, watcher). The capabilities described align with the stated purpose of describing the workspace runtime.
Instruction Scope
The document explicitly instructs agents about an Internal API that can read/write any filesystem path, execute arbitrary commands, open interactive PTYs, and stream output — powerful operations that go beyond typical lightweight helper skills. The SKILL.md includes example snippets referencing environment variables (e.g., OBLIEN_CLIENT_ID, OBLIEN_CLIENT_SECRET, GATEWAY_JWT) and command examples even though the skill metadata lists no required env vars; the instructions therefore reference secrets/variables not declared in the registry metadata.
Install Mechanism
Instruction-only skill with no install spec and no code files. This lowers the disk/write risk because nothing is downloaded or executed by an installer, but the runtime instructions still describe powerful remote APIs the agent may call.
Credentials
The SKILL.md shows and encourages use of sensitive credentials and tokens (client ID/secret, gateway JWT, raw tokens) but the registry entry declares no required environment variables or primary credential. That mismatch reduces clarity about what secrets the skill actually needs and how they should be provided. The documented Internal API also permits reading arbitrary files (which may include system or user secrets) — a high privilege surface that should be justified and protected.
Persistence & Privilege
The skill is not forced always:true and is user-invocable, which is appropriate. However, because the runtime describes an API that grants broad filesystem and command execution capability, autonomous invocation (the default) increases the risk if the skill is allowed to run without additional safeguards. There is no indication the skill modifies other skills or agent configs.
What to consider before installing
This skill is a documentation-style runtime reference for a high-privilege Oblien workspace API. Before installing or enabling it, consider:
1) Source trust — the skill lists no homepage or publisher identity; prefer skills from known/trusted providers.
2) Secrets handling — the SKILL.md uses client_id/client_secret and JWT examples but the registry declares no required env vars; confirm how credentials will be provided and ensure tokens are not leaked.
3) Privileged actions — the API can read/write any file and execute commands; only allow use if you trust the calling agent and have logging/auditing in place.
4) Network exposure — gateway vs direct tokens and public_access settings affect exposure; verify network config.
If you want to proceed, ask the publisher for provenance (homepage, repo), clarify which credentials are required, and restrict token scopes and workspace network settings. If you cannot verify the source or secret handling, do not enable autonomous use of this skill.
Like a lobster shell, security has layers — review code before you run it.
