ClawHub

Statamic AI Gateway

v0.0.6

Manage Statamic content through a tool execution gateway (composer require stokoe/ai-gateway).

1· 73·0 current·0 all-time
byMichael Stokoe@michael-stokoe
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth tokenRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binaries (curl, jq), and required config (~/.config/ai-gateway/sites.json) match the documented behavior: reading site tokens and base URLs and making HTTP requests to the ai-gateway endpoints.
Instruction Scope
SKILL.md only instructs the agent to read the declared sites.json, discover capabilities with GET, and POST execute requests to the configured site endpoints. It does not ask for unrelated files, system-wide credentials, or exfiltration to arbitrary external hosts beyond the configured base_url values.
Install Mechanism
Instruction-only skill with no install spec or downloads; lowest-risk delivery model. Runtime behavior relies on existing curl/jq binaries which are declared and used in examples.
Credentials
The skill declares AI_GATEWAY_SITES_CONFIG as the primary required env var and lists ~/.config/ai-gateway/sites.json as a required config path. The docs, however, treat AI_GATEWAY_SITES_CONFIG as optional (used to override the default path). This is a minor inconsistency but not a security problem. The single required secret (site tokens) is proportionate to the skill's purpose, but those tokens are sensitive and the skill will read and send them to the configured site endpoints — only store tokens for sites you trust.
Persistence & Privilege
Skill is not always:true and does not request elevated system privileges or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other red flags.
Assessment
This skill is internally consistent with its goal of managing Statamic sites via an HTTP gateway. Before installing: (1) ensure ~/.config/ai-gateway/sites.json (or the path you set in AI_GATEWAY_SITES_CONFIG) only contains tokens for sites you trust and protect the file (chmod 600 is recommended); (2) verify each configured base_url points to a Statamic site you control or trust, since the agent will send authenticated requests there; (3) be aware the agent will read these tokens and use them to perform writes — rotate tokens if compromised; (4) decide whether to allow autonomous agent invocation for this skill depending on your risk tolerance (autonomous calls can perform writes). Finally, note the small doc inconsistency: the skill marks AI_GATEWAY_SITES_CONFIG as required even though the docs show a default path — confirm whether you need to set the env var in your environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fx4h7ywmft9fk4w4rh8bd3184wkwf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🛡️ Clawdis
Binscurl, jq
EnvAI_GATEWAY_SITES_CONFIG
Config~/.config/ai-gateway/sites.json
Primary envAI_GATEWAY_SITES_CONFIG

Comments