v0.1.1

Halo Cli Auth

Benign: ClawScan verdict for this skill. Analyzed May 1, 2026, 7:47 AM.

Analysis

This is a straightforward Halo CLI authentication helper, but it involves Halo credentials and profile deletion commands that users should authorize carefully.

Guidance: Install only if you need help managing Halo CLI authentication. Review any command before it runs, especially commands containing tokens/passwords or `profile delete --force`, and confirm the profile and URL are the intended ones.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
halo auth profile delete production --force ... `profile delete` is destructive; use `--force` in non-interactive mode.

The skill documents a destructive profile deletion command with `--force`. It is disclosed and relevant to fixing broken credentials, but should still be user-approved.

User impact: Deleting a profile can remove local auth configuration and disrupt access to that Halo environment, especially if the profile is for production.
Recommendation: Confirm the profile name and environment before allowing deletion, and make sure credentials can be restored if needed.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
SKILL.md
Login with bearer token: ... --token <token> ... Login with basic auth: ... --username admin ... --password <password>

The skill instructs use of Halo account credentials. This is expected for an authentication skill, but it gives the agent workflows involving bearer tokens or passwords.

User impact: If used incorrectly, a token or password could grant access to the user's Halo instance.
Recommendation: Only provide credentials for the intended Halo URL/profile, prefer secure input methods when available, and avoid sharing command transcripts that include secrets.