ClawHub

Runcloud Skill

v1.0.0

Query Runcloud servers, databases, web apps, services, cronjobs, deployments, and health via the Runcloud API v3. Trigger when the user mentions Runcloud, wa...

1· 50·0 current·0 all-time
byNesho Sabakov@neshable
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Runcloud API queries and safe actions) align with required items: jq (for output formatting) and RUNCLOUD_API_TOKEN (needed to authenticate to the Runcloud API). No unrelated binaries or credentials are requested.
Instruction Scope
SKILL.md provides explicit curl commands against manage.runcloud.io and lists both read endpoints and several 'non-destructive' POST actions (deploy, restart service, test cronjob, enable Let's Encrypt). These instructions stay within Runcloud's domain and repeatedly warn to confirm before running writes, but they do provide examples of actions that change server state — operator confirmation is advised before performing those. The doc also shows exporting RC and AUTH variables (examples) even though only RUNCLOUD_API_TOKEN is declared required; this is a minor documentation vs. metadata mismatch.
Install Mechanism
Instruction-only skill with no install spec and no code files. It requires the jq binary to be present on PATH; this is reasonable for command-line JSON formatting. No remote downloads or archive extraction are used.
Credentials
Only one required environment variable is declared: RUNCLOUD_API_TOKEN — which is appropriate for an API-driven Runcloud skill. However, the token grants full workspace access per the notes in SKILL.md, so it is a high-value secret; ensure the token is scoped appropriately and treated like a password.
Persistence & Privilege
always:false and user-invocable:true (default) — the skill is not force-included and requires invocation. disable-model-invocation is false (normal), so an agent could autonomously call the skill if allowed; this is platform-default behavior and not itself a coherence issue.
Assessment
This skill appears to be what it says: a Runcloud API helper that uses curl + jq. Before installing: 1) Only provide a Runcloud API token you trust — it grants workspace-wide access; prefer a token with the least privileges possible and rotate it if needed. 2) Confirm jq is available on any environment where the skill will run. 3) Be aware the skill includes examples of POST actions (deploy, restart service, enable SSL); those change server state — require explicit confirmation/authorization before running on production. 4) Don’t store the token in public or shared repo files; use secure environment configuration. 5) If you do not want autonomous agents to perform changes, avoid giving the agent broad permissions or restrict when it can invoke skills that perform write actions.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dfh7b9bpf7tma0w33avg5bd84hcyw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

☁️ Clawdis
Binsjq
EnvRUNCLOUD_API_TOKEN

Comments