ClawHub

Twexapi CLI

v0.1.1

Use this skill when the task should be done through the twexapi command-line client, including installing the CLI, configuring app or profile auth, previewin...

0· 93·0 current·0 all-time
by@yeahjjyy
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included code and SKILL.md: this is a command-line client for twexapi endpoints, with support for saved app configs and profiles, dry-run previews, and both convenience commands and raw path requests. The code and instructions only request the API key, cookies, auth_token, and an optional config-dir/base-url — all relevant to the stated purpose.
Instruction Scope
SKILL.md and the code limit actions to installing/running the CLI, building HTTP requests to the twexapi base URL, and reading/writing the CLI config (default ~/.twexapi/config.json). There are no instructions to scan unrelated system files, exfiltrate arbitrary data, or call unexpected external endpoints beyond the configured base URL. The CLI warns about paths that may contain the auth_token in URLs and recommends dry-run before write actions.
Install Mechanism
No custom install spec is embedded; SKILL.md recommends installing the published npm package or running the local node entrypoint. This is a common, low-risk install pattern. Users should still verify the npm package's origin before installing globally.
Credentials
The skill uses TWEXAPI_KEY, TWEXAPI_BASE_URL, and TWEXAPI_CONFIG_DIR (all relevant to a CLI that calls an API). Registry metadata did not declare required env vars, but the code and README document them. Important: saved app configs and profiles may store API keys, cookies, auth_token, and ct0 in plain JSON at ~/.twexapi/config.json (or a custom config-dir). This is expected for this tool but increases risk on shared machines or CI unless an isolated config-dir is used.
Persistence & Privilege
The skill does persist its own config under a dedicated directory and will write config files (saveConfig). It does not request always:true, does not alter other skills, and does not require system-wide privileges. Use of an isolated --config-dir is supported and recommended for safer testing.
Assessment
This skill appears to do what it says: it's a CLI for twexapi and needs an API key and/or cookie/auth_token to make requests. Before installing: 1) Verify you trust the npm package/source (npm install -g runs third-party code). 2) Be aware that credentials (API key, cookies, auth_token, ct0) are stored as plain JSON by default at ~/.twexapi/config.json — use --config-dir or TWEXAPI_CONFIG_DIR to isolate or avoid leaving secrets on shared machines/CI. 3) Prefer --dry-run before performing write actions and avoid pasting long-lived tokens into shared logs. 4) If you need higher assurance, inspect the included source files (they're present here) or run the CLI from a local checkout rather than installing globally.

Like a lobster shell, security has layers — review code before you run it.

latestvk97773ap49a6ks74fpgqzwpem5836shk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments