Control TRIGGERcmd computers remotely by listing and running commands via the TRIGGERcmd REST API.
Security Analysis
High confidence
The skill is coherent with its stated purpose — it uses a TRIGGERcmd API token and curl/jq to list and run remote commands — but there is a small registry metadata mismatch you should be aware of and you should take the usual care with your API token.
Name and description match the runtime instructions: the skill only calls the TRIGGERcmd REST API and needs curl and jq. One minor inconsistency: the registry metadata lists 'Primary credential: none' while the SKILL.md clearly treats TRIGGERCMD_TOKEN as the primary credential (with a file fallback). This appears to be a metadata bookkeeping error rather than functional misalignment.
SKILL.md is instruction-only and confines actions to: reading an API token (env var or single file), building Authorization headers, calling https://www.triggercmd.com/api endpoints, and parsing responses with jq. It does not instruct reading unrelated system files or contacting unexpected endpoints. It warns not to print or log the token and to confirm before running side-effecting commands.
There is no install spec and no code files; the skill is instruction-only and relies on existing curl and jq binaries. This is the lowest-risk install model.
The single required secret (TRIGGERCMD_TOKEN) is appropriate and expected for a REST-API integration. The SKILL.md documents a reasonable file fallback (~/.TRIGGERcmdData/token.tkn) with permission guidance. The only issue is the registry metadata claiming no primary credential, which conflicts with the declared required env var in the skill — this is likely a metadata mismatch.
The skill does not request permanent presence (always: false), does not modify other skills or system-wide agent settings, and the runtime instructions do not require elevated privileges. Autonomous invocation is allowed (platform default) but not combined with other high-risk factors.
Guidance
This skill looks like a straightforward wrapper for the TRIGGERcmd REST API and is internally consistent aside from a small metadata mismatch. Before installing:
1) Confirm you trust the skill source (published source is unknown; homepage is triggercmd.com).
2) Use a limited-scope API token if TRIGGERcmd supports token scopes, and prefer setting TRIGGERCMD_TOKEN as an environment variable for ephemeral sessions rather than storing it on disk.
3) If you use the file fallback, ensure ~/.TRIGGERcmdData/token.tkn is created with chmod 600 as recommended.
4) Always review the exact command the agent plans to run and ask for confirmation before executing actions that have side effects on your machines.
5) If you need stronger assurance, request the publisher add proper registry metadata (mark TRIGGERCMD_TOKEN as primary credential) or provide a signed source/repository for inspection.
Latest Release
v1.0.4
- The run_command documentation now uses computer and command names directly instead of requiring IDs.
- Example payload construction for run_command now uses jq to safely escape and inject arguments, reducing the risk of JSON injection.
- Clarified tips for omitting parameters in the run_command section.
- No code or logic changes; documentation enhancements only.
Published by @rvmey on ClawHub