ClawHub

TRIGGERcmd - Run commands on your computers remotely

v1.0.4

Control TRIGGERcmd computers remotely by listing and running commands via the TRIGGERcmd REST API.

2· 602·3 current·3 all-time
by@rvmey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description match the runtime instructions: the skill only calls the TRIGGERcmd REST API and needs curl and jq. One minor inconsistency: the registry metadata lists 'Primary credential: none' while the SKILL.md clearly treats TRIGGERCMD_TOKEN as the primary credential (with a file fallback). This appears to be a metadata bookkeeping error rather than functional misalignment.
Instruction Scope
SKILL.md is instruction-only and confines actions to: reading an API token (env var or single file), building Authorization headers, calling https://www.triggercmd.com/api endpoints, and parsing responses with jq. It does not instruct reading unrelated system files or contacting unexpected endpoints. It warns not to print or log the token and to confirm before running side-effecting commands.
Install Mechanism
There is no install spec and no code files; the skill is instruction-only and relies on existing curl and jq binaries. This is the lowest-risk install model.
Credentials
The single required secret (TRIGGERCMD_TOKEN) is appropriate and expected for a REST-API integration. The SKILL.md documents a reasonable file fallback (~/.TRIGGERcmdData/token.tkn) with permission guidance. The only issue is the registry metadata claiming no primary credential, which conflicts with the declared required env var in the skill — this is likely a metadata mismatch.
Persistence & Privilege
The skill does not request permanent presence (always: false), does not modify other skills or system-wide agent settings, and the runtime instructions do not require elevated privileges. Autonomous invocation is allowed (platform default) but not combined with other high-risk factors.
Assessment
This skill looks like a straightforward wrapper for the TRIGGERcmd REST API and is internally consistent aside from a small metadata mismatch. Before installing: 1) Confirm you trust the skill source (published source is unknown; homepage is triggercmd.com). 2) Use a limited-scope API token if TRIGGERcmd supports token scopes, and prefer setting TRIGGERCMD_TOKEN as an environment variable for ephemeral sessions rather than storing it on disk. 3) If you use the file fallback, ensure ~/.TRIGGERcmdData/token.tkn is created with chmod 600 as recommended. 4) Always review the exact command the agent plans to run and ask for confirmation before executing actions that have side effects on your machines. 5) If you need stronger assurance, request the publisher add proper registry metadata (mark TRIGGERCMD_TOKEN as primary credential) or provide a signed source/repository for inspection.

Like a lobster shell, security has layers — review code before you run it.

latestvk970hntgbdjfxjzm4wax166a3981d085

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🕹️ Clawdis
Binscurl, jq
EnvTRIGGERCMD_TOKEN

Comments