Coolify
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: coolify Version: 2.1.1 The `SKILL.md` file contains explicit instructions for the AI agent to read sensitive local files, specifically `~/.ssh/id_rsa` and `github-app-key.pem`, using `$(cat <file>)` and then passing their content to the Coolify API. While the skill's stated purpose includes managing private keys, this instruction represents a significant prompt injection risk against the AI agent. An agent, if not properly sandboxed or configured for explicit user confirmation, could be prompted to exfiltrate these sensitive local files to the Coolify API without the user's full understanding or intent for that specific file. The `scripts/coolify.sh` itself appears to be a standard API client and does not contain direct malicious logic, but the high-risk instructions in the markdown make the skill suspicious.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used on the wrong UUID or with the wrong parameters, the agent could restart services, force deployments, delete databases, or change application secrets.
The skill documents force deployments, database deletion, and bulk environment-variable changes. These are expected for a Coolify admin skill, but mistakes could affect production services.
{baseDir}/scripts/coolify deploy --uuid abc-123 --force ... {baseDir}/scripts/coolify databases delete --uuid db-123 ... applications envs bulk-updateConfirm target UUIDs and ask for explicit user approval before destructive, bulk, or force operations; prefer least-privilege Coolify tokens.
Anyone or any agent process with access to the token could act against the associated Coolify account within the token's permissions.
The skill requires a Coolify API token that may allow reading, modifying, and deploying resources. This is purpose-aligned but gives the agent delegated account authority.
Create token with appropriate permissions (`read`, `write`, `deploy`) ... Set `COOLIFY_TOKEN` environment variable
Use a token scoped to only the projects and actions needed, rotate it if exposed, and avoid using broad administrative tokens when possible.
The skill may fail or require manual adjustment if the expected script name or binaries are not present.
The declared binary requirement lists node, while the skill documentation and included bash script depend on bash, curl, and jq. The examples also reference scripts/coolify while the manifest contains scripts/coolify.sh.
metadata: {"openclaw":{"requires":{"bins":["node"],"env":["COOLIFY_TOKEN"]}...}} ... **bash, curl, jq** — Required for running bash scriptsVerify the installed script path and required tools before use; maintainers should align metadata with the actual bash/curl/jq requirements.