Helmet
v0.3.0Access the Helmet public-library network (Helsinki Metropolitan Area — Helsinki, Espoo, Vantaa, Kauniainen — on helmet.finna.fi, built on Finna/VuFind) from...
⭐ 1· 79·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description, required binary 'helmet', and the npm install of @helmet-ai/helmet align with a CLI wrapper for Helmet/Finna. The CLI-focused design (commands, --json output) is coherent with the stated purpose.
Instruction Scope
SKILL.md stays within the library-account scope (search, loans, holds, fines). It instructs the agent to run the helmet CLI with --json and to rely on locally stored profiles/sessions. Minor inconsistency: metadata lists ~/.config/helmet/config.json as a configPath but SKILL.md also documents session files at ~/.config/helmet/sessions/<id>.json (not listed). The skill requires an interactive 'helmet login' once per card to save card number + PIN; the agent will rely on these local stores thereafter.
Install Mechanism
Install spec is a published npm package (@helmet-ai/helmet) that produces the 'helmet' binary. This is a common delivery mechanism for CLIs. Included scripts merely proxy to the installed 'helmet' binary or a local build (no obfuscated downloads or remote URLs).
Credentials
No environment variables or external credentials are requested, which is appropriate. However, the CLI stores sensitive library card numbers and PINs locally (and caches session cookies). The skill states sessions are stored at ~/.config/helmet/sessions/<id>.json (mode 0600) and that profiles/config.json will contain card and PIN — the permissions and encryption of config.json are not specified. Storing PINs locally is functional but raises sensitive-data handling considerations.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It persists profile and session files under the user's ~/.config/helmet directory, which is expected for a CLI that manages logins.
Assessment
This skill appears to do what it says (control the Helmet library CLI), but before installing: 1) Verify the npm package publisher and review the package's README/source on npm/GitHub if available — the registry metadata here lacks a homepage and owner details. 2) Inspect installed files after npm install (look for unexpected network calls or code). 3) Be aware the CLI stores library card numbers and PINs locally; check permissions on ~/.config/helmet/config.json and consider whether you want PINs saved plaintext. 4) If you must test, run the CLI in an isolated account/container and avoid storing high-value credentials there. 5) Confirm the agent environment can perform the required interactive 'helmet login' or pre-populate profiles securely before allowing autonomous calls.Like a lobster shell, security has layers — review code before you run it.
latestvk9741pqyfbn296z65rran6prnh84zkmq
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binshelmet
Install
Install Helmet CLI (npm)
Bins: helmet
npm i -g @helmet-ai/helmet