Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Supernal Interface CLI

v1.0.0

CLI tool for generating tests, scanning contracts, managing story-based tests, and setting up MCP integration in web projects.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
View report →
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, and listed commands are consistent: scanning routes/components, generating tests, story-based tests, and MCP/Claude setup are all coherent with a developer CLI. However, the skill metadata lists no source or homepage, and this SKILL.md instructs the agent or user to install an external npm package (@supernal/interface) of unknown provenance. That gap in origin information is noteworthy.
Instruction Scope
The runtime instructions include commands that modify project files (init --inject, --migrate, --revert), auto-commit changes (--git-commit), create servers and configure IDEs (si setup-mcp), and install other skills/agents (si setup-claude). These are high-impact actions that go well beyond read-only scanning: they can change local code, commit to git, and install software. The SKILL.md grants broad authority (e.g. 'fully automated', '--force', auto-commit flags) without describing safeguards or required confirmations.
Install Mechanism
There is no install spec in the skill bundle (it is instruction-only), but the documentation instructs users/agents to run 'npm install -g @supernal/interface'. Installing an npm package of unknown provenance can execute arbitrary code, since npm runs the package's lifecycle scripts (preinstall/install/postinstall) at install time. Because the package's source/homepage is missing, there is no way to inspect the package before installing from the instructions alone.
Credentials
The skill declares no required env vars or credentials, which superficially looks least-privileged. In practice many commands (git auto-commit, server setup, IDE configuration, Claude integration) will require filesystem access, network access and possibly credentials/APIs (e.g., for Claude or remote servers). The lack of declared environment requirements means those accesses are implicit and not documented.
Persistence & Privilege
The skill is not marked always:true and has no install footprint in this bundle. However the documented commands include installing software, creating servers, and installing other skills/agents (si setup-claude). If an agent executes these commands autonomously, they can create persistent software and modify system state. This combination increases blast radius if the agent is permitted to act without restrictions.
What to consider before installing
This SKILL.md describes a legitimate-seeming CLI, but before installing or running anything:
(1) Locate and inspect the npm package (@supernal/interface) source (GitHub/homepage, package.json, published tarball). Do not install from npm without reviewing it.
(2) Run any initial tests inside an isolated environment (container or disposable VM) rather than your main workstation or production repo.
(3) Back up your repository and avoid the auto-commit and --force flags until you have reviewed the changes the tool will make.
(4) Be cautious with commands that 'configure IDE', 'create server', or 'install agents', and verify what credentials or network connections they require.
(5) If you allow an autonomous agent to run these commands, restrict its permissions and monitor its actions.
If you can, ask the publisher for a homepage or source repository link and audit the package contents before trusting it.
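Step (1) above can be partly automated. The following Python script is an added example written for this page; it is not part of the skill, the @supernal/interface package, or the ClawHub scanner. It takes the tarball that `npm pack <package>` downloads (npm pack fetches the published archive without installing it or running its install scripts), reads package/package.json from it in memory, and reports the same points the scan raises: missing repository/homepage metadata, lifecycle scripts that run at install time, dependencies pulled from outside the registry, and bundled native binaries. The two manifests and the tarball builder are constructed fixtures; the package name "example-cli" and the file names inside it are placeholders, not the real package's contents.

```python
"""Static pre-install audit of an npm tarball (example code, not the project's own)."""
import io
import json
import tarfile

# Lifecycle scripts npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# File extensions that indicate a bundled native/compiled payload.
NATIVE_SUFFIXES = (".node", ".so", ".dylib", ".dll", ".exe")


def audit_manifest(manifest):
    """Return a list of human-readable findings for one package.json dict."""
    findings = []
    if not (manifest.get("repository") or manifest.get("homepage")):
        findings.append("no repository/homepage: source cannot be located from registry metadata")
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(f"lifecycle script '{hook}' runs on install: {scripts[hook]}")
    for name, spec in (manifest.get("dependencies") or {}).items():
        # Registry specs look like "^1.2.3"; URLs, git and file specs bypass the registry.
        if "://" in spec or spec.startswith(("git", "file:", "github:")):
            findings.append(f"dependency '{name}' fetched from a non-registry source: {spec}")
    return findings


def audit_tarball(data):
    """Audit the bytes of an `npm pack` archive without extracting it to disk."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        # npm places every file under a top-level "package/" directory.
        manifest = json.load(tar.extractfile(tar.getmember("package/package.json")))
        findings = audit_manifest(manifest)
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith(NATIVE_SUFFIXES):
                findings.append(f"bundled native binary: {member.name}")
    return findings


def build_tarball(manifest, extra_files=None):
    """Construct an archive with the layout npm pack produces (test fixture only)."""
    files = {"package/package.json": json.dumps(manifest).encode()}
    files.update(extra_files or {})
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


# Constructed fixtures: a manifest with the warning signs, and a clean one.
SUSPICIOUS = {
    "name": "example-cli", "version": "1.0.0",
    "bin": {"si": "bin/si.js"},
    "scripts": {"postinstall": "node scripts/setup.js"},
    "dependencies": {"helper": "git+https://example.invalid/helper.git"},
}
CLEAN = {
    "name": "example-cli", "version": "1.0.0",
    "repository": {"type": "git", "url": "https://example.invalid/example-cli.git"},
    "bin": {"si": "bin/si.js"},
    "scripts": {"test": "node test/run.js"},
    "dependencies": {"commander": "^11.0.0"},
}


if __name__ == "__main__":
    import sys
    # Usage: npm pack <package>  then  python audit_npm.py <package>-<version>.tgz
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = build_tarball(SUSPICIOUS, {"package/build/helper.node": b"\x7fELF"})
    for line in audit_tarball(data) or ["no install-time findings"]:
        print("-", line)
```

An empty result is not a clean bill of health: a CLI with no install hooks still runs whatever code it ships the first time you invoke it, so the remaining steps (isolated environment, `npm install --ignore-scripts` for a first look, no --force or auto-commit) still apply. A `bin` entry is expected for a CLI and is deliberately not flagged.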

Like a lobster shell, security has layers — review code before you run it.

