Ambit Cli
PassAudited by ClawScan on May 1, 2026.
Overview
This is a coherent Ambit CLI guide, but it can use Fly.io and Tailscale privileges to create, deploy, route, or remove private network resources, so users should review commands and credentials carefully.
Install this only if you intend to let the agent help manage Ambit/Fly.io/Tailscale infrastructure. Before running commands, confirm the target organization, network, app, region, and whether the command could destroy resources or skip prompts. Use trusted and preferably pinned CLI/template sources, protect the Tailscale API token, and clean up routers, DNS/routes, and apps you no longer need.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user who runs these commands may allow the CLI to change cloud apps, Tailscale routing, DNS, and related account resources.
The skill requires delegated access to Fly.io and Tailscale, including an API token, to perform its network and deployment operations.
- `flyctl` installed and authenticated (`fly auth login`) - Tailscale installed and connected (`tailscale up`) - A Tailscale API access token (`tskey-api-...`)
Use the least-privileged or short-lived Tailscale token available, verify the Fly.io organization and network names before running commands, and revoke tokens that are no longer needed.
Mistaken or overly broad commands could create costs, remove private network resources, or change application availability.
The skill is explicitly for mutating infrastructure, including creation, deployment, and destruction of private networks.
Use this skill for any task involving the ambit CLI: creating or destroying private networks, deploying apps to a private network
Require clear user intent before create, deploy, or destroy operations; avoid confirmation-skipping flags for destructive or costly actions unless the user explicitly requests them.
The behavior of the downloaded CLI depends on the external package version and publisher provenance.
The skill directs users to execute an external npm package, while the registry artifact itself contains no install spec or bundled code for review.
If `ambit` is not already installed, run it directly via Nix: ```bash npx @cardelli/ambit ```
Install from a trusted source, pin a known-good version when possible, and review the package or publisher before giving it Fly.io or Tailscale credentials.
A template repository or branch could change over time, affecting what gets deployed.
The documented template mode can deploy code fetched from GitHub, including default branch or branch references.
Template mode — fetches a template from a GitHub repository and deploys it
Prefer pinned tags or commits, and review templates before deploying them into a private network.
The router and related DNS/routes may continue operating and incurring cloud/network effects after the initial task.
The skill intentionally creates a persistent router connected to the user's tailnet; this persistence is core to the product but should be visible to the user.
Ambit creates a router on Fly.io that joins the user's Tailscale network and advertises the private IPv6 subnet for that ambit.
Track created Ambit networks and routers, audit them periodically in Fly.io and Tailscale, and destroy unused resources.