Codeline Cli
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: codeline-cli
Version: 0.1.0

The SKILL.md file contains setup instructions that direct the AI agent to perform high-risk operations, including a 'curl | bash' command to install the Bun runtime and an 'npx' command to install a CLI from a specific GitHub repository (Melvynx/codeline-cli). While these are common developer patterns, they introduce significant supply chain and remote code execution (RCE) risks within an autonomous agent environment. There is no explicit evidence of malicious intent like data exfiltration, but the automated execution of unverified remote scripts is a major security concern.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent might use this skill for an ambiguous product/order/coupon conversation and access the wrong business account context.
The trigger terms include generic words such as products, orders, and coupons, which could cause the agent to invoke an authenticated business-management skill outside a clearly Codeline-specific request.
Use when user mentions 'codeline', 'products', 'orders', 'coupons', 'school platform', or wants to interact with the Codeline API.
Narrow invocation guidance to clearly Codeline-specific requests and require the user to identify the intended account/resource before running commands.
If invoked too broadly or on a mistaken request, the agent could expose user/order data or create discounts that affect revenue.
The documented CLI can list sensitive account records and create business-impacting coupons, but the skill does not define confirmation, scope limits, rollback, or approval requirements for mutating actions.
`codeline-cli users list --json` ... `codeline-cli orders list --json` ... `codeline-cli coupons create --code SAVE20 --discount 20 --json`
Require explicit user confirmation for create/update/delete actions, show the exact command and target account first, and prefer read-only queries unless the user clearly requests a change.
Whoever controls the token may be able to read or change Codeline account data through the CLI.
The skill requires a Codeline token for account access; this is purpose-aligned, but the registry metadata declares no primary credential, so users should notice the privilege being granted.
`codeline-cli auth set "your-token"`
Use a least-privileged token, avoid sharing long-lived admin tokens, and revoke or rotate the token if the CLI or environment is no longer trusted.
Installing the CLI runs third-party code that will later handle the Codeline token and account operations.
Installation depends on external, unpinned remote code and a shell installer, while the submitted artifact contains no CLI source for review.
`npx api2cli install Melvynx/codeline-cli` ... `bun --version || curl -fsSL https://bun.sh/install | bash`
Inspect the upstream repository, pin trusted versions where possible, and install in a controlled environment before providing production credentials.
