Checkly Cli Skills

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Checkly CLI guide, but users should treat deploy, import, and credential commands as real actions on their Checkly account or local project.

Install this only if you want agent help managing Checkly projects. Confirm the active Checkly account before running import or deploy, review diffs before committing generated files, avoid --force unless reviewed or in controlled CI, and keep API keys in secret stores rather than source code or shared logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Missing User Warnings

Medium
Confidence: 90%
Finding
The quick-start section presents `npx checkly deploy` as a routine next step without warning that it creates or updates remote Checkly resources and enables scheduled monitoring. In an agent skill context, this can lead users or automated systems to perform unintended state-changing actions against a live account.

Missing User Warnings

Medium
Confidence: 85%
Finding
The skill instructs users to delete the CLI config file to log out, but it does so without an explicit warning that this removes locally stored credentials and may affect other sessions or automation on the machine. In an agent setting, terse destructive filesystem guidance can be copied or executed without the user understanding the credential-loss implications.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger metadata includes very broad terms like "configuration" and "project setup," which can cause this skill to activate outside the intended Checkly-specific context. In an agent system, overbroad routing increases the chance that unrelated user requests are handled by this skill, leading to incorrect guidance, context leakage across tasks, or unsafe tool behavior if downstream actions rely on the selected skill.

Missing User Warnings

Medium
Confidence: 81%
Finding
The documentation shows use of environment variables including an API key and even demonstrates pulling a secret from `process.env`, but it does not warn against hardcoding, logging, or committing secrets. In a configuration-focused skill, users may copy the example directly, so omission of secret-handling guidance increases the risk of credential exposure through source control, verbose output, or insecure local setup.

Missing User Warnings

Low
Confidence: 90%
Finding
The skill instructs users to run `npx checkly import plan` and later notes that it creates directory structures and writes files, but it does not prominently warn that these changes happen in the current working project. In a migration/import skill, this can lead to unintended file modifications, overwritten generated content, or accidental commits if a user runs it from the wrong repository or without backups.

Missing User Warnings

Medium
Confidence: 88%
Finding
The documentation explicitly states that verbose mode may show request/response details and environment variables, but it does not warn users that secrets, tokens, cookies, or PII could be exposed in terminal logs, CI logs, or shared artifacts. In a monitoring/testing context, verbose debugging is common, which makes accidental secret disclosure more likely and increases the practical risk.

VirusTotal

64/64 vendors flagged this skill as clean.
