CLI-Hub Skill for CLI-Anything
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent catalog/installer guide, but using it means installing and running third-party Python CLI packages from a live catalog that was not reviewed here.
Install only if you are comfortable using an external live catalog and third-party PyPI packages. Review the package and command before installing or running any CLI, use an isolated environment when possible, and do not let the agent install or execute downstream tools without explicit approval.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The available tools and install commands may change over time, and those downstream packages were not part of this artifact review.
The skill depends on a live remote catalog that can change after review and may influence which external packages users or agents install.
The catalog is auto-updated and provides... One-line `cli-hub install` commands for each tool
Treat the live catalog as external content: review the selected package, source, and command before installing, and prefer isolated environments such as a virtualenv or container.
A chosen CLI package can add executable commands and may modify local files or interact with installed software when run.
Installing and running PyPI packages executes third-party code in the user's environment; this is central to the skill's purpose but materially affects the local system.
`cli-hub` is a lightweight wrapper around `pip`. When you run `cli-hub install gimp`, it installs a separate Python package (`cli-anything-gimp`) with its own CLI entry point.
Do not allow automatic installs or command execution without explicit user approval; inspect commands and run only trusted packages.
If a user installs and runs a downstream CLI, the agent may be able to make persistent changes in the connected software or project.
The downstream CLIs are intended to let agents operate real software and maintain state, which is useful but should be bounded by user intent.
Each CLI provides stateful operations, JSON output for agents, REPL mode, and integrates with real software backends.
Approve each downstream CLI and task scope explicitly, especially for tools that edit media, automate browsers, manage networks, or change projects.
