ClawHub

Cosin

v1.0.2

Use this skill when an agent needs to operate the `cosin` CLI from the terminal. `cosin` accepts only relative paths, lists available skills through the `ski...

0· 153·0 current·0 all-time
byC9@0xcipher0

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for 0xcipher0/cosin.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Cosin" (0xcipher0/cosin) from ClawHub.
Skill page: https://clawhub.ai/0xcipher0/cosin
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install cosin

ClawHub CLI

Package manager switcher

npx clawhub@latest install cosin
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The SKILL.md describes using a CLI to call a COS API and COS-backed skills; the inputs it asks for (bearer token, method, path, JSON, headers) match that purpose. There are no unrelated binaries, config paths, or credentials requested.
Instruction Scope
Instructions are limited to running the cosin CLI and validating inputs. Two minor issues: the doc references SKILLS_BASE_URL as how /cos/... calls are built (but does not declare or require that env var), and it recommends passing the bearer token on the command line (which is insecure because command-line args can be visible to other local users/processes). Otherwise the instructions stay within the stated scope and do not ask the agent to read unrelated files or secrets.
Install Mechanism
No install spec or code is provided; this is instruction-only so nothing is downloaded or written to disk by the skill itself.
Credentials
The skill does not request any environment variables or other credentials from the agent registry. It does require a COS bearer token at runtime (expected for a CLI that authenticates to an API). The SKILL.md mentions SKILLS_BASE_URL (internal build step) without declaring it as required, which is an informational mismatch but not a direct credential request.
Persistence & Privilege
The skill is not always-on and does not request elevated or persistent system privileges. It does not modify other skills or agent-wide configs.
Assessment
This is an instruction-only skill for running the cosin CLI; it does not install code or request extra credentials beyond the COS bearer token you must supply at runtime. Before installing or enabling: 1) Ensure you have a trusted cosin binary installed from a known source — the skill assumes that CLI is present. 2) Be careful with the bearer token: the SKILL.md suggests passing it as --key on the command line, but command-line arguments can be seen by other local processes/users (use a more secure mechanism if available, such as a protected environment variable or a secrets manager). 3) Note the doc references SKILLS_BASE_URL for resolving /cos/... calls; verify where that value comes from in your environment and that the target endpoints (including skills.bankofuniverse.org and the COS API host) are expected. 4) Do not hardcode tokens in repo files as the doc warns. If you need higher assurance, ask the skill author for the expected cosin release URL or checksum and for clarification about SKILLS_BASE_URL.

Like a lobster shell, security has layers — review code before you run it.

latestvk979bgxmxq5h4mr4fsmv8mp4mh83dw5z
153downloads
0stars
2versions
Updated 1mo ago
v1.0.2
MIT-0
C9@0xcipher0
latest
Download

Cosin CLI

Use cosin to call the COS API and COS-backed skills from the terminal.

What the CLI does

cosin now accepts only relative paths.

There are three request styles:

  1. skills Calls https://skills.bankofuniverse.org/skills directly and prints the upstream body directly.

  2. Normal COS API paths such as /v1/me These are sent directly to the COS API host.

  3. Skill paths under /cos/... These are converted internally into x402 pay-and-call requests:

  • keeps the same request path
  • builds the target URL from SKILLS_BASE_URL
  • sends that target URL to POST /agent/pay-and-call on the COS API host

Users should not pass absolute URLs to the CLI anymore.

Gather inputs

Collect these inputs before running the CLI:

  • A COS bearer token for --key
  • An HTTP method
  • A relative path starting with /
  • Optional JSON for --json
  • Optional repeatable headers for --header or -H
  • Optional --base-url override for normal COS API calls

Ask for the token if the user has not provided one. Treat it as sensitive.

Protect credentials

  • Treat the --key value as sensitive
  • Do not print, commit, or hardcode the token
  • Keep the token in the command line argument, not in repo files

Run the CLI

Use one of these command shapes:

cosin --key <token> <METHOD> <PATH> [--json '<json>'] [--header 'Name: value'] [--base-url <url>]
cosin --key <token> agent [status|me] [--base-url <url>]
cosin --key <token> skills

Important flags:

  • --key <token> for the required bearer token
  • --json <json> for an optional JSON request body
  • --header 'Name: value' or -H 'Name: value' for repeatable custom headers
  • --base-url <url> to override the default COS API base URL for direct API calls
  • --version or -v to print the installed CLI version
  • --help or -h to print usage

Subcommand notes:

  • skills does not accept --json
  • skills does not accept custom headers
  • agent does not accept --json
  • agent does not accept custom headers

Supported paths

Built-in catalog

Use this to discover available skills:

cosin --key <token> skills

Expected upstream skills include:

  • /cos/crypto/chainlink/random Returns a random value from the Chainlink-based skill endpoint.
  • /cos/crypto/price/:symbol Returns the latest price for a supported token symbol.

Supported symbols for /cos/crypto/price/:symbol:

  • BTC
  • ETH
  • HYPE
  • SOL
  • TRX
  • USDT
  • USDC

Direct COS API calls

Use normal API paths to call COS directly:

cosin --key <token> GET /v1/me
cosin --key <token> POST /v1/orders --json '{"symbol":"BTCUSDT"}'

Skill calls through /cos/...

Use /cos/... when you want to call a skill through COS:

cosin --key <token> GET /cos/crypto/chainlink/random
cosin --key <token> GET /cos/crypto/price/BTC

Internally, the CLI turns those into x402 pay-and-call requests to the COS backend.

Use the agent shortcut

Use agent, agent status, or agent me as a convenience alias for GET /agent/me.

cosin --key <token> agent
cosin --key <token> agent status
cosin --key <token> agent me

Do not combine agent with --json or custom headers.

Validate inputs before running

  • Ensure the path starts with /
  • Do not pass absolute URLs
  • Use skills, not GET /skills
  • Ensure --json is valid JSON
  • Ensure headers use Name: value
  • For /cos/crypto/chainlink/random, only use GET
  • For /cos/crypto/price/:symbol, only use GET and only the supported symbols

Read the output

Expect the CLI to:

  • Print an HTTP status line for normal API requests, /cos/... skill calls, and agent
  • Print only the upstream body for the skills subcommand
  • Pretty-print JSON response bodies
  • Print <empty response body> for empty responses
  • Return a non-zero exit code for unsuccessful HTTP responses or CLI argument errors

Work locally in this repo

Use the local build when working inside this repository:

bun run build
./dist/index.js --key <token> agent
./dist/index.js --key <token> skills
./dist/index.js --key <token> GET /v1/me
./dist/index.js --key <token> GET /cos/crypto/chainlink/random

Use the published command shape locally when that is more convenient:

bun x cosin --key <token> agent
bun x cosin --key <token> skills
bun x cosin --key <token> GET /v1/me
bun x cosin --key <token> GET /cos/crypto/price/BTC

Comments

Loading comments...