ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tidepool

v1.0.1

Build and deploy any kind of web app without leaving the command line. This project is built for autonomous AI agents. Handles auth, Stripe payments, admin p...

1· 198·0 current·0 all-time
by@greydanus

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for greydanus/tidepool.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Tidepool" (greydanus/tidepool) from ClawHub.
Skill page: https://clawhub.ai/greydanus/tidepool
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: tidepool
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install tidepool

ClawHub CLI

Package manager switcher

npx clawhub@latest install tidepool
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill declares and requires the 'tidepool' CLI and its SKILL.md shows CLI usage (pip install tidepool, tidepool init/dev/deploy). There are no unrelated env vars, binaries, or config paths requested that would be inconsistent with a web-deploy CLI.
Instruction Scope
Runtime instructions include network calls (curl https://tidepool.sh/api), installing/running the tidepool CLI, and APIs (tp.http, tp.email, tp.files, tp.db) that allow outbound HTTP and reading project-local secrets at tp_data/secrets.json. These behaviors match a deploy tool but give the agent the ability to make arbitrary outbound requests and read project-local secret files — expected for this purpose but worth attention.
Install Mechanism
Install spec is an external package (uv/pip install tidepool) which is expected for a CLI tool. Installing a third-party Python package from a registry is normal but carries supply-chain risk — verify package provenance (PyPI name, owner, homepage, source) before installing.
Credentials
No required environment variables or system credentials are requested up-front. Payment features (Stripe) are documented but handled via explicit secret push or project secrets — this is proportionate as long as you do not expose unrelated credentials to the skill.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide config changes. Agent autonomous invocation is allowed (platform default) but not coupled with elevated persistent privileges in this package.
Assessment
This skill appears to do what it says (a CLI web app deployer) but it installs a third‑party Python package and performs network operations. Before installing: (1) verify the tidepool package/source (homepage, PyPI owner, repository) to ensure authenticity; (2) avoid pasting real production secrets into prompts — use test keys or inject secrets via your secure secret store rather than terminal history; (3) treat the install as running untrusted code (consider installing in an isolated environment or container); (4) review what will be stored under tp_data/ (secrets.json, db) and do not place system or cloud credentials there; (5) expect the CLI to make outbound HTTP requests (the curl to tidepool.sh/api and tp.http calls) — if you need an offline/sandboxed review, fetch the package source first and inspect it.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🌀 Clawdis
Binstidepool

Install

Install Tidepool CLI (pip/uv)
Bins: tidepool
uv tool install tidepool
latestvk971cq7vs9h86q9fax69hvr1an8374s1
198downloads
1stars
2versions
Updated 12h ago
v1.0.1
MIT-0
@greydanus
latest
Download

Tidepool

Build and deploy any kind of web app without leaving the command line. Build for autonomous AI agents. Handles auth, Stripe payments, admin panels, email, database, file storage, custom domains, markdown, secrets, and real-time SSE (chat apps/online games) out of the box. Minimalist approach.

Use when: the user wants to create a website, deploy a Python web app, add subscriptions or paywalls, set up user login, or build anything with a URL. Provides the tidepool CLI and tp.* runtime API. Deploys in seconds, scales to 10+ replicas. NOT for: non-web tasks, general Python scripting.

Learn the API

Before building anything, fetch the full API reference:

curl -s https://tidepool.sh/api | python3 -m json.tool

This returns every endpoint, every tp.* runtime tool, and usage examples. Read it first.

Workflow

Zero to live Substack clone in one command:

pip install tidepool && tidepool quickstart

Or build from scratch:

tidepool init my-app && cd my-app
# edit main.py
tidepool dev                    # local dev server at http://localhost:8000
tidepool register --email you@example.com
tidepool deploy                 # live at https://my-app.tidepool.sh

Iterate on a live pod:

tidepool pull <hash>            # pull pod code + data to work locally
tidepool dev                    # test changes locally
tidepool push                   # push code, db, secrets, files back to prod
tidepool push --secret STRIPE_KEY=sk_xxx   # override a secret
tidepool push --replace-db                 # replace all db keys instead of merging
tidepool push --sync            # also delete remote files not present locally
tidepool push -y                # skip confirmation prompt

Runtime (import tp)

main.py runs once at startup to register routes and configure the app. The server dispatches requests to handlers.

import tp

tp.auth = 'standard'                          # email/password auth
tp.payments = {'products': [{'id': 'pro', 'name': 'Pro', 'price': 500, 'recurring': 'month'}]}
tp.admin = {'users': ['admin@example.com']}

@tp.route('/')
def home(req):
    posts = tp.db.prefix('post:', reverse=True, limit=10)
    return render_posts(posts, req.user)

@tp.route('/post/:slug', methods=['GET', 'POST'])
def post(req, slug):
    if req.method == 'POST':
        tp.db.set(f'post:{slug}', req.body)
        return None  # 303 redirect
    return tp.db.get(f'post:{slug}')

Handler returns: str → HTML, dict → JSON, int → status, None → redirect, tuple → (body, status), generator → SSE.

Request object: req.path, req.method, req.query, req.user, req.body, req.files.

Key tools

ToolUsage
tp.route(path)@tp.route('/api/:id', methods=['GET','POST'])
tp.page(path, html)tp.page('/about', '<h1>About</h1>')
tp.auth'standard', 'paywall', or config dict
tp.payments{products: [{id, name, price, recurring}]}
tp.admin{users: ['admin@x.com'], models: {...}}
tp.db.get(k), .set(k,v), .delete(k), .prefix(p), .keys(), .count()
tp.files.read(name), .write(name, data), .list(), .delete(name)
tp.email()tp.email('to@x.com', 'Subject', 'body', html='<p>hi</p>')
tp.httptp.http.get(url), .post(url, json={})
tp.secretsRead-only dict from tp_data/secrets.json
tp.statePublic JSON state, readable at ?format=json
tp.background()@tp.background(seconds=3600) for recurring tasks
tp.markdown()Convert markdown string to HTML
tp.create_user()tp.create_user('email', 'pass', subscriptions={})
tp.users()Returns all users (password hashes excluded)
tp.publish()tp.publish({'messages': msgs}) — update public JSON state (ETag polling)

Notes

  • Local dev stores data in tp_data/ (db.json, secrets.json, files/).
  • Secrets go in tp_data/secrets.json — they are read-only at runtime.
  • Static files in static/ are served at /static/.
  • Jinja2 is pre-installed for templating.
  • tidepool eject copies runtime files into your project for full control.

Comments

Loading comments...