Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Codeline Cli

v0.1.0

Manage codeline via CLI - tools, products, orders, users, coupons. Use when user mentions 'codeline', 'products', 'orders', 'coupons', 'school platform', or...

by Melvyn @melvynx
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the commands in SKILL.md (tools, products, orders, users, coupons). The CLI commands shown line up with the stated e‑commerce management purpose.
Instruction Scope
Instructions are focused on installing/using codeline-cli and running commands against the Codeline API. They do not instruct reading unrelated local files or exfiltrating arbitrary system data. They do expect an API token to be set via 'codeline-cli auth set'.
Install Mechanism
No formal install spec is declared, but SKILL.md tells the agent to run network installs: 'npx api2cli install Melvynx/codeline-cli' and 'curl -fsSL https://bun.sh/install | bash'. These are from recognizable hosts (npm via npx and bun.sh), but piping remote install scripts to shell and dynamic npm installs raise typical supply-chain risks and warrant manual review before allowing automated execution.
Credentials
SKILL.md expects an API token (shows 'codeline-cli auth set "your-token"') but the skill metadata lists no required environment variables or primary credential. This mismatch means the skill will need a credential to function but does not declare it up-front; users may be surprised when asked for a token. Verify what token scope is needed and avoid providing high‑privilege tokens.
Persistence & Privilege
The skill is user-invocable and not 'always' enabled. It can be invoked autonomously (default allowed), which combined with the ability to run installs and CLI commands means it could perform actions (create coupons, modify orders/users) without manual confirmation unless the agent's policy prevents it. No self-modifying or cross-skill config changes are present in the SKILL.md.
What to consider before installing
This SKILL.md looks coherent for a Codeline CLI client, but take these precautions before installing or granting access:
1) Expect to provide a Codeline API token — the skill did not declare required env vars; only provide a token with minimal scope (read-only if possible).
2) The instructions run network installers (npx and a curl|bash installer for bun). Prefer to install and inspect codeline-cli and bun yourself rather than allowing an agent to run those commands automatically.
3) Review the GitHub repo (Melvynx/codeline-cli) for source trustworthiness and to confirm what the token allows (create/delete operations).
4) If you allow autonomous invocation, be aware the skill can run CLI commands that modify your Codeline data (create coupons, change users/orders); consider requiring manual confirmation or using a limited-scope token for safety.

Like a lobster shell, security has layers — review code before you run it.

latestvk972wwnn47cw4dg0qyqymxsw9x82w1zw
