ClawHub

Snipeit Skill

v1.0.0

Interact with Snipe-IT asset management via REST API. Use when working with assets (hardware), users, licenses, accessories, consumables, components, locatio...

0· 433·2 current·2 all-time
by@bivex
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (Snipe-IT REST API interaction) aligns with the runtime instructions: the SKILL.md shows curl-based calls to Snipe-IT endpoints (assets, users, licenses, etc.). Requests for an API URL and bearer token are appropriate for this integration.
Instruction Scope
Instructions are limited to building curl requests against $SNIPEIT_URL using $SNIPEIT_API_TOKEN and parsing responses with jq. They do not instruct reading unrelated files, other credentials, or sending data to third‑party endpoints outside the specified base URL.
Install Mechanism
No install spec and no code files (instruction-only) — lowest-risk distribution. The SKILL.md expects curl and jq to be present but does not attempt to install arbitrary software or download code from external URLs.
Credentials
The SKILL.md declares two environment items (SNIPEIT_URL and SNIPEIT_API_TOKEN) and the need for curl/jq, which are proportionate to the purpose. However, the registry metadata presented with the skill reported 'Required env vars: none' / 'Primary credential: none' — a packaging inconsistency. The env vars the skill actually needs are sensitive (API token) and should be declared in registry metadata.
Persistence & Privilege
The skill is not always-enabled and does not request elevated/persistent platform privileges. It does not modify other skills or global config, and autonomous invocation is the platform default (no additional concern here).
Assessment
This skill is coherent for interacting with a Snipe‑IT instance, but you should: (1) Only provide SNIPEIT_API_TOKEN to trusted agents/hosts — it is a bearer token that grants API access. (2) Ensure curl and jq are available in the runtime environment. (3) Note the registry metadata did not list the env vars; confirm before installing that the skill will be run in an environment where you can safely supply the URL and token. (4) Prefer to run the skill in an isolated or least-privileged context (or with a scoped API key) so accidental or malicious API calls have limited impact. (5) If you need stronger assurance, ask the publisher for a homepage/source repo or updated metadata that explicitly declares required env vars and a provenance link.

Like a lobster shell, security has layers — review code before you run it.

latestvk97epw8hxt5pxsw7fztmadyx8n81p9xj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments