Tokenrip CLI

This CLI appears to do what it says, but pay attention to these security-relevant points before installing: - Keys on disk: The tool generates and saves an Ed25519 secret key (identity.secretKey) and API keys under ~/.config/tokenrip. Those files grant full agent/operator access; protect them (file permissions are set to 600 by the code) and review them if you share a machine. - Shareable tokens & operator links: 'tokenrip asset share' creates signed capability tokens embedded in URLs; by default a token may be created without an expiry unless you supply --expires — avoid long-lived or perpetual tokens. 'tokenrip operator-link' generates a signed login URL that gives an operator full access to the agent's inbox/assets/contacts; only generate links for trusted humans and prefer short expiry (default operator-link expiry is 5 minutes). - Install source: SKILL.md will auto-install via 'npm install -g @tokenrip/cli' if tokenrip isn't present. Installing public npm packages globally has supply-chain risk; verify the package (publisher, repository, recent changes) before global install. - Least privilege: Use --expires on share/operator links, revoke/regenerate API keys when no longer needed (tokenrip auth create-key), and inspect ~/.config/tokenrip/config.json and identity.json after setup. If unsure, run the CLI in a sandboxed environment or inspect the package source from the repository before granting it access to your environment.

These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.