ClawHub

Komodo

Manage Komodo infrastructure - servers, Docker deployments, stacks, builds, and procedures. Use when user asks about server status, container management, deployments, builds, or any Komodo-related infrastructure tasks.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 1.9k · 3 current installs · 3 all-time installs
by@weird-aftertaste
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's name and description match the script's behavior (it calls Komodo Core read/execute endpoints). However the registry metadata claims no required environment variables or primary credential, while SKILL.md and scripts clearly require KOMODO_ADDRESS, KOMODO_API_KEY, and KOMODO_API_SECRET. That mismatch is an incoherence and reduces trust.
Instruction Scope
SKILL.md and the CLI limit actions to Komodo API endpoints and provide curl examples that use the declared KOMODO_ADDRESS and API credentials. This is in-scope. Important: create-stack (and the SKILL.md usage) implies reading a local compose file and optionally an env_file and sending them to the Komodo API — which may transmit local file contents (possibly secrets) to the remote service. The examples include an odd example domain (komodo.weird.cyou) and a docs link (komo.do) that should be verified.
Install Mechanism
No install spec and no external downloads; the skill is delivered as a script and SKILL.md. This minimizes install-time risk.
!
Credentials
The CLI legitimately needs KOMODO_ADDRESS, KOMODO_API_KEY, and KOMODO_API_SECRET to function. But the registry metadata does not declare these required env vars or a primary credential, which is inconsistent and could cause users to miss the need to provide or audit credentials. Also, the ability to upload compose and env files means local secrets/credentials could be sent to the configured KOMODO_ADDRESS — ensure the target is trusted and credentials are scoped/minimized.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no install hooks. It does not demand persistent system privileges beyond normal execution.
What to consider before installing
This tool appears to be a straightforward Komodo CLI, but there are a few red flags to consider before installing or using it: - Metadata mismatch: The registry metadata omits required env vars, while SKILL.md and the script require KOMODO_ADDRESS, KOMODO_API_KEY, and KOMODO_API_SECRET. Treat that as a sign to verify the publisher before supplying credentials. - Verify the endpoint: Confirm the KOMODO_ADDRESS is the legitimate Komodo Core instance you intend to talk to. The example domains in SKILL.md look unusual; do not use them. - Limit credentials: Use a least-privilege API key/secret and a dedicated service account for this skill. Do not run it with superuser or unrestricted credentials. - Be careful with file uploads: create-stack and similar commands will likely read and POST local compose.yml and env files — those can contain secrets. Don’t upload sensitive local files unless you trust the target server. - Inspect the full script: Although the visible code only makes HTTPS API calls, you should review the remaining (truncated) parts of scripts/komodo.py yourself to ensure there are no hidden endpoints or opportunistic exfiltration. If you cannot verify the source, run it in an isolated environment (container) and monitor outbound network traffic first. - Ask for provenance: Prefer skills with a verifiable source/homepage and maintainer details. If you need this functionality in production, request that the publisher update the registry metadata to declare required env vars and provide a trustworthy source/README. If you want, I can (a) scan the remainder of scripts/komodo.py for suspicious patterns, (b) show the exact lines that read/upload files, or (c) help craft a minimal, safer invocation policy for credentials.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk974czepa55t1s0mjf2g3xp1hh7zs74q

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Komodo Skill

Manage servers, Docker containers, stacks, builds, and procedures via Komodo Core API.

Prerequisites

Set environment variables:

  • KOMODO_ADDRESS - Komodo Core URL (e.g., https://komodo.example.com)
  • KOMODO_API_KEY - API key (starts with K-)
  • KOMODO_API_SECRET - API secret (starts with S-)

Quick Reference

# Set env (or source from credentials file)
export KOMODO_ADDRESS="https://komodo.weird.cyou"
export KOMODO_API_KEY="K-..."
export KOMODO_API_SECRET="S-..."

# List resources
python scripts/komodo.py servers
python scripts/komodo.py deployments
python scripts/komodo.py stacks
python scripts/komodo.py builds
python scripts/komodo.py procedures
python scripts/komodo.py repos

# Server operations
python scripts/komodo.py server <name>
python scripts/komodo.py server-stats <name>

# Deployment operations
python scripts/komodo.py deployment <name>
python scripts/komodo.py deploy <name>
python scripts/komodo.py start <name>
python scripts/komodo.py stop <name>
python scripts/komodo.py restart <name>
python scripts/komodo.py logs <name> [lines]

# Stack operations
python scripts/komodo.py stack <name>
python scripts/komodo.py deploy-stack <name>
python scripts/komodo.py start-stack <name>
python scripts/komodo.py stop-stack <name>
python scripts/komodo.py restart-stack <name>
python scripts/komodo.py create-stack <name> <server> <compose.yml> [env_file]
python scripts/komodo.py delete-stack <name>
python scripts/komodo.py stack-logs <name> [service]

# Build operations
python scripts/komodo.py build <name>
python scripts/komodo.py run-build <name>

# Procedure operations
python scripts/komodo.py procedure <name>
python scripts/komodo.py run-procedure <name>

State Indicators

  • 🟢 Running/Ok
  • 🔴 Stopped
  • ⚪ NotDeployed
  • 🟡 Unhealthy
  • 🔄 Restarting
  • 🔨 Building
  • ⏳ Pending

Direct API Calls

For operations not covered by the CLI, use curl:

# Read operation
curl -X POST "$KOMODO_ADDRESS/read/ListServers" \
  -H "Content-Type: application/json" \
  -H "X-Api-Key: $KOMODO_API_KEY" \
  -H "X-Api-Secret: $KOMODO_API_SECRET" \
  -d '{}'

# Execute operation
curl -X POST "$KOMODO_ADDRESS/execute/Deploy" \
  -H "Content-Type: application/json" \
  -H "X-Api-Key: $KOMODO_API_KEY" \
  -H "X-Api-Secret: $KOMODO_API_SECRET" \
  -d '{"deployment": "my-deployment"}'

API Reference

Read endpoints: ListServers, ListDeployments, ListStacks, ListBuilds, ListProcedures, ListRepos, GetSystemStats, GetLog

Execute endpoints: Deploy, StartDeployment, StopDeployment, RestartDeployment, DeployStack, StartStack, StopStack, RestartStack, RunBuild, RunProcedure

Full API docs: https://komo.do/docs

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…