Coolify
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used on the wrong UUID or with the wrong parameters, the agent could restart services, force deployments, delete databases, or change application secrets.
The skill documents force deployments, database deletion, and bulk environment-variable changes. These are expected for a Coolify admin skill, but mistakes could affect production services.
{baseDir}/scripts/coolify deploy --uuid abc-123 --force ... {baseDir}/scripts/coolify databases delete --uuid db-123 ... applications envs bulk-update
Confirm target UUIDs and ask for explicit user approval before destructive, bulk, or force operations; prefer least-privilege Coolify tokens.
Anyone or any agent process with access to the token could act against the associated Coolify account within the token's permissions.
The skill requires a Coolify API token that may allow reading, modifying, and deploying resources. This is purpose-aligned but gives the agent delegated account authority.
Create token with appropriate permissions (`read`, `write`, `deploy`) ... Set `COOLIFY_TOKEN` environment variable
Use a token scoped to only the projects and actions needed, rotate it if exposed, and avoid using broad administrative tokens when possible.
The skill may fail or require manual adjustment if the expected script name or binaries are not present.
The declared binary requirement lists node, while the skill documentation and included bash script depend on bash, curl, and jq. The examples also reference scripts/coolify while the manifest contains scripts/coolify.sh.
metadata: {"openclaw":{"requires":{"bins":["node"],"env":["COOLIFY_TOKEN"]}...}} ... **bash, curl, jq** — Required for running bash scripts
Verify the installed script path and required tools before use; maintainers should align metadata with the actual bash/curl/jq requirements.
