Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Coolify

v2.1.1

Manage Coolify deployments, applications, databases, and services via the Coolify API. Use when the user wants to deploy, start, stop, restart, or manage applications hosted on Coolify.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The script and SKILL.md implement a Bash-based CLI that calls the Coolify API (deploy, manage apps/databases, set envs, etc.), which matches the stated purpose. However, the registry metadata declares 'node' as a required binary while the script actually requires bash, curl, and jq. This metadata/packaging mismatch is incoherent and could indicate sloppy packaging or an incorrect manifest.
Instruction Scope
Runtime instructions and the included script stay within the Coolify API domain: they call endpoints under COOLIFY_API_URL and require COOLIFY_TOKEN. The skill will transmit any environment-variable values or credentials you ask it to create/update to Coolify (e.g., DATABASE_URL, API_KEY). That is expected for this functionality but is important to understand: secrets you pass to these commands are sent to the Coolify service/instance you target.
Install Mechanism
No install spec or external downloads; this is instruction-only plus a bundled shell script. That minimizes supply-chain risk compared to fetching remote archives. The included script is plain bash, not obfuscated, and uses curl/jq for API calls.
Credentials
The skill only requires a single primary credential (COOLIFY_TOKEN), which is appropriate for controlling Coolify. The script also reads COOLIFY_API_URL (with a safe default) and checks for curl/jq, but COOLIFY_API_URL and the curl/jq requirements are not consistently reflected in registry metadata (which lists node). This mismatch should be resolved. Also remember that using the skill will send any sensitive values you supply (passwords, DB URLs, SSH keys) to the Coolify API.
Persistence & Privilege
'always' is false, and the skill does not request system-wide persistence or modify other skills' configuration. It runs as a normal, user-invocable skill and does not request elevated privileges.
What to consider before installing
This skill appears to implement a legitimate Coolify CLI, but there are packaging inconsistencies you should clear up before trusting it: the registry lists 'node' as required while the included script actually needs bash, curl, and jq. Actions you run will send the COOLIFY_TOKEN and any environment-variable values you provide (including secrets like DATABASE_URL or SSH keys) to the Coolify API endpoint (COOLIFY_API_URL). Before installing, verify the publisher/source, confirm the manifest is corrected (or that the script is what you expect), restrict the API token's permissions to the minimum needed, and consider creating/using a scoped service token that you can rotate or revoke if anything looks suspicious.


latestvk97ce83trjphwfqqf27w61fy81812ysg


Runtime requirements

🚀 Clawdis
Bins: node
Env: COOLIFY_TOKEN
Primary env: COOLIFY_TOKEN
