ClawHub

Dokploy

v1.0.0

Manage Dokploy deployments, projects, applications, and domains via the Dokploy API.

4· 2.8k·10 current·10 all-time
by@joshuarileydev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md and the scripts all align: this is a CLI to call a Dokploy API (projects, apps, domains, deployments). However the registry metadata at the top of the report claims "Required env vars: none" and "Primary credential: none", while .clawdhub/package.json and SKILL.md/scripts clearly require DOKPLOY_API_URL and DOKPLOY_API_KEY. That metadata mismatch is suspicious (likely packaging oversight) but the requested env vars themselves are coherent with the stated purpose.
Instruction Scope
Runtime instructions and scripts only call the Dokploy API (base $DOKPLOY_API_URL/api) using curl and parse JSON with jq. The scripts do read and write a local config file ($HOME/.dokployrc) to persist DOKPLOY_API_URL and DOKPLOY_API_KEY; they also prompt for confirmations on destructive actions. No instructions try to read unrelated system data or call unexpected external endpoints.
Install Mechanism
There is no install spec — the skill is instruction + shell scripts only (no downloads or package installs). This is lower-risk from an installer/execution viewpoint.
!
Credentials
The scripts require an API key (DOKPLOY_API_KEY) and URL (DOKPLOY_API_URL), which is appropriate for an API client, but the registry metadata omitted these. The CLI persists the API key to $HOME/.dokployrc in clear text (export lines). Storing secrets on disk is expected for a CLI but is sensitive — users should be aware the key ends up in their home directory. No unrelated credentials are requested.
Persistence & Privilege
The skill does not set always:true and does not request elevated or platform-wide privileges. It only writes/reads its own config file in the user's home directory and does not modify other skills or global agent settings.
What to consider before installing
This skill appears to be a straightforward CLI for a Dokploy API, but note two issues before installing: (1) the package/registry metadata failed to declare the required environment variables (DOKPLOY_API_URL and DOKPLOY_API_KEY) even though the scripts and SKILL.md require them — treat this as a packaging/integrity red flag and review the included scripts yourself; (2) the CLI will persist your API key in $HOME/.dokployrc (plain export lines), so only use an API key you trust to be stored on disk and restrict file permissions. Ensure you trust the Dokploy instance you point it at, have curl and jq installed, and inspect the scripts if you are in a sensitive or multi-tenant environment. If you need higher assurance, ask the publisher to correct the registry metadata and provide a signed/reviewed release.

Like a lobster shell, security has layers — review code before you run it.

latestvk979wey3aa6d1hjm3de9ns91v17zd03c

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments