TRIGGERcmd - Run commands on your computers remotely
PassAudited by ClawScan on May 10, 2026.
Overview
This skill clearly does what it claims—uses a TRIGGERcmd token to list and run commands on your registered computers—but that is powerful and should be used carefully.
Install this only if you trust the agent to trigger TRIGGERcmd actions on your computers. Keep your API token private, prefer temporary environment-variable use when possible, review the available commands first, and require confirmation before running anything that could change files, devices, services, or system state.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could trigger real actions on your computers through TRIGGERcmd.
The skill intentionally enables remote command execution across registered computers. This is the stated purpose and is disclosed, but it is a high-impact capability if used on the wrong command or device.
Use this skill to inspect and run TRIGGERcmd commands on any computer that is registered with the account tied to the local API token.
Review available commands before running them, keep destructive commands out of TRIGGERcmd where possible, and require confirmation for commands with side effects.
Anyone or any process with access to the token may be able to list and run TRIGGERcmd commands for your account.
The skill requires a TRIGGERcmd API token and can read it from an environment variable or a local token file. This is expected for the service integration, but the token represents account authority.
Set `TRIGGERCMD_TOKEN` to your personal API token ... Store token at `~/.TRIGGERcmdData/token.tkn`
Use a dedicated token if possible, restrict the token file to owner-only permissions, and rotate the token if it may have been exposed.
The local agent will run curl and jq commands to contact TRIGGERcmd, and the remote TRIGGERcmd service may then execute configured commands on registered machines.
The skill documents local shell snippets that call the TRIGGERcmd API. These commands are central to the skill’s purpose and are not hidden or obfuscated.
curl -sS -X POST "${BASE_URL}/run/trigger" ... -d "$PAYLOAD"Use the skill only in a trusted shell environment and inspect the command name, target computer, and parameters before triggering remote actions.
A token saved on disk may remain available to future sessions or local processes that can read the file.
The skill supports persistent local credential storage. It gives appropriate permission guidance, but persistent secrets should be protected from accidental reuse or exposure.
If using the token file method, ensure `~/.TRIGGERcmdData/token.tkn` has permissions set to `600`
Prefer the environment variable for temporary use, keep the token file permission-restricted, and remove the file when no longer needed.