Exponential

v1.0.0

Manage tasks, projects, and workspaces in Exponential via the `exponential` CLI. Use when creating, listing, or updating actions/tasks, viewing projects, che...

by J△MΞS @positonic
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, and runtime instructions all align: it is an adapter for the 'exponential' CLI to manage tasks/projects. However, the registry metadata claims no required binaries or credentials while the README explicitly requires npm (for installing exponential-cli) and a JWT to authenticate — a mismatch that should be corrected.
Instruction Scope
SKILL.md stays on-topic: it provides CLI commands, expected JSON output, and workflows for tasks/projects. It does not instruct the agent to read unrelated files, harvest environment variables, or transmit data to endpoints beyond the stated Exponential API URL.
Install Mechanism
There is no formal install spec in the registry; instead SKILL.md tells the user to run 'npm install -g exponential-cli'. This is a global npm install of a third-party package, which is a moderate-risk action: global installs modify the system PATH, and both the package source (npm) and the package name should be verified. The skill does not reference a known repository or release host (e.g., GitHub link) against which to validate the package.
Credentials
The instructions require a JWT token for 'exponential auth login', but the skill declares no primary credential or required env vars. Requiring a token is reasonable for CLI-authenticated operations, but the registry should document that a credential is necessary and clarify recommended storage/rotation and least privilege.
Persistence & Privilege
The skill does not request always-on presence, system config paths, or modification of other skills. As an instruction-only skill, it won't write files itself; the only persistent effect comes from installing the external CLI and authenticating it (normal for CLI integrations).
What to consider before installing
Before installing or using this skill:
1) Verify the exponential-cli package: find its npm page and source repository (GitHub or official org), review maintainer, recent releases, and issues; do not run a global install for an unknown package.
2) Prefer installing the CLI locally or in a sandbox rather than using -g; avoid installing untrusted packages system-wide.
3) Treat the JWT/token like any secret: verify what scopes it grants on the Exponential service, use least privilege, and rotate/revoke it if needed.
4) Confirm the API URL (https://www.exponential.im) is correct for your org; confirm TLS and domain ownership.
5) Note the registry metadata omits required binaries/credentials; ask the publisher to update metadata to declare that npm/node and a JWT are required.
6) If you plan to let an autonomous agent run these commands, be aware the agent will authenticate and the CLI will communicate with the remote service; limit agent privileges and monitor token use.
