Craft CLI
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill may gain access to specific Craft spaces without the user supplying or approving credentials at install time.
The helper hardcodes API endpoints for named business and personal spaces. SKILL.md treats the API URL as the configured access mechanism, while the registry declares no credential requirement.
WAVEDEPTH_API="https://connect.craft.do/links/5VruASgpXo0/api/v1"
PERSONAL_API="https://connect.craft.do/links/HHRuPxZZTJ6/api/v1"
Remove hardcoded Craft API URLs, revoke or rotate any exposed links, require users to provide their own scoped credentials/configuration, and declare those credentials in metadata.
A mistaken or over-eager agent action could alter or delete business or personal Craft documents.
The skill exposes direct document mutation and deletion commands against the configured Craft space, but does not document user-confirmation, scoping, backup, or reversibility safeguards.
### Update Document
~/clawd/skills/craft-cli/craft update <document-id> --file updated-content.md
...
### Delete Document
~/clawd/skills/craft-cli/craft delete <document-id>
Require explicit user confirmation before create/update/delete operations, show the active Craft space and document ID/title before acting, and prefer read-only defaults unless the user specifically requests mutation.
The unreviewed downloaded binary would handle the Craft API access and document operations, increasing supply-chain risk.
The installation instructions download an external executable and install it into a privileged system path, but the reviewed artifacts do not include the binary, checksum, signature, or install spec.
curl -L https://github.com/nerveband/craft-cli/releases/download/v1.0.0/craft-darwin-arm64 -o craft
chmod +x craft
sudo mv craft /usr/local/bin/
Provide a pinned and verified install spec, include checksums or signatures, align versions and paths, declare the required binary, and avoid privileged installation where possible.
