Checkly Cli Skills

v1.0.1

Comprehensive Checkly CLI command reference and Monitoring as Code workflows. Use when user mentions Checkly CLI, monitoring as code, synthetic monitoring, A...

by Vince Lozada (@vince-winkintel)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, and many code/templates match a Checkly CLI Monitoring-as-Code skill, which legitimately needs CHECKLY_API_KEY and CHECKLY_ACCOUNT_ID and the checkly/npx binaries. However the registry metadata at the top states 'Required env vars: none' and 'Required binaries: none', while the SKILL.md frontmatter embedded in the package lists binaries (checkly, npx) and credentials (CHECKLY_API_KEY, CHECKLY_ACCOUNT_ID). That mismatch is an incoherence: either the published metadata is incomplete or the SKILL.md was prepared assuming credentials that the registry doesn't advertise. Also the PROJECT_SUMMARY claims a public GitHub repo URL while the skill 'Source' is 'unknown' in the registry — another discrepancy to verify.
Instruction Scope
The runtime SKILL.md and sub-skill docs instruct use of npx checkly, npx checkly login, reading/writing the CLI config at ~/.config/@checkly/cli/config.json, and accessing environment variables. These are expected for a Checkly CLI skill. However templates and example check code also reference other environment variables (e.g., API_TOKEN, CLIENT_ID, CLIENT_SECRET, TEST_EMAIL, TEST_PASSWORD, process.env.API_KEY) that are not globally declared in the main registry metadata. The skill includes scripts that write files to disk (init/import/test/deploy helpers). Because instructions direct reading/writing local config and environment variables, you should audit the scripts and templates before running them with real credentials.
Install Mechanism
No install specification is present (instruction-only skill with supporting templates and scripts). That minimizes hidden network downloads or arbitrary installs. The files included are plain templates and small shell scripts; still, they will execute local commands (npx, npm, sh) when you run them, so inspect them before execution.
Credentials
Requesting CHECKLY_API_KEY and CHECKLY_ACCOUNT_ID is proportionate to a Checkly CLI deploy/import workflow and is documented in the skill. However: (1) the registry metadata omitted those required env vars, (2) many templates refer to additional environment variables (API_TOKEN, CLIENT_ID/SECRET, TEST_EMAIL/PASSWORD, etc.) which are application-specific — they are plausible for examples but not required universally, and (3) the SKILL.md documents a local storage path (~/.config/@checkly/cli/config.json) for credentials. Give only minimal-scope API keys (rotate & restrict permissions) and do not supply secrets until you review the code.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide privileges. It instructs storing Checkly credentials in the normal Checkly CLI config path (~/.config/@checkly/cli/config.json) — expected behavior for a CLI-based workflow. No evidence the skill attempts to modify other skills or agent-wide settings.
What to consider before installing
This package looks like a genuine Checkly CLI skill set (lots of docs, templates, and helper scripts), but there are important inconsistencies you should resolve before use:
- Verify source: confirm the repository URL and author (PROJECT_SUMMARY lists a GitHub repo; the registry says Source: unknown). Prefer a verified upstream repo before running scripts.
- Inspect scripts: open scripts/import-from-ui.sh, scripts/init-project.sh, scripts/test-and-deploy.sh, and scripts/validate-config.sh for any unexpected network calls, credential exfiltration, or destructive commands before running them.
- Check metadata mismatch: the SKILL.md requires checkly/npx and CHECKLY_API_KEY/CHECKLY_ACCOUNT_ID but the published metadata omitted these. Treat the SKILL.md requirements as authoritative only after you verify the package origin.
- Limit credential scope: create a Checkly API key with the minimum permissions needed (use separate keys for CI/CD vs local dev), rotate keys after testing, and do not paste keys into files that might be committed.
- Sandbox first: run init/import/test scripts in a disposable environment (throwaway repo or container) without real production secrets to validate behavior.
- Audit templates: templates and example checks reference app-specific secrets (CLIENT_SECRET, API_TOKEN, test credentials). Remove or replace these before deploying to production.
If you want, I can (a) show the contents of the shell scripts and flag suspicious lines, or (b) list every environment variable referenced across all SKILL.md and template files so you can see what secrets the examples use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97crb6d33mjj0e1026ev6ttxs81pr4w
