corbits
Enables users to discover and interact with Corbits API proxies, fetch OpenAPI specs, and make API calls efficiently.
Install this skill
Security score
The corbits skill was audited on May 13, 2026 and we found 46 security issues across 5 threat categories, including 3 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Piping content to bash shell
| 282 | command -v bun >/dev/null 2>&1 || curl -fsSL https://bun.sh/install | bash |
Curl to non-GitHub URL
| 282 | command -v bun >/dev/null 2>&1 || curl -fsSL https://bun.sh/install | bash |
Access to hidden dotfiles in home directory
| 18 | `~/.config/corbits/context.json` persists the current proxy between invocations. Written when a proxy is selected. Format: |
Access to hidden dotfiles in home directory
| 43 | Before running any flow that executes `~/.bun/bin/bun rides.ts` (call flow, search flow step 5), verify init has been completed and at least one wallet is configured. |
Access to hidden dotfiles in home directory
| 47 | test -f ~/.config/corbits/project/rides.ts && echo "rides=ok" || echo "rides=missing"; security find-generic-password -a corbits -s corbits-solana-keypair -w >/dev/null 2>&1 && echo "sol=ok" || echo " |
Access to hidden dotfiles in home directory
| 52 | test -f ~/.config/corbits/project/rides.ts && echo "rides=ok" || echo "rides=missing"; ([ -n "$CORBITS_SOLANA_KEYPAIR" ] || test -s ~/.config/corbits/credentials/solana-keypair) && echo "sol=ok" || ec |
Access to hidden dotfiles in home directory
| 77 | Then read `~/.config/corbits/context.json`. If it exists, also show: "Current proxy: <name> (<url>)". If not, show: "No proxy selected. Run `/corbits search` to find one." |
Access to hidden dotfiles in home directory
| 83 | Read `~/.config/corbits/context.json`. If it exists, show the proxy name and URL. If not, tell the user to search for a proxy first (e.g. `/corbits search openai`). |
Access to hidden dotfiles in home directory
| 117 | cat ~/.config/corbits/context.json 2>/dev/null || echo "none" |
Access to hidden dotfiles in home directory
| 152 | ~/.bun/bin/bun ~/.config/corbits/project/rides.ts GET "<proxy_url><base_path><spec_path>" |
Access to hidden dotfiles in home directory
| 157 | ~/.bun/bin/bun ~/.config/corbits/project/rides.ts <METHOD> "<proxy_url><base_path><spec_path>" '<json_body>' |
Access to hidden dotfiles in home directory
| 173 | cat ~/.config/corbits/context.json 2>/dev/null || echo "none" |
Access to hidden dotfiles in home directory
| 192 | Detect the platform and environment: check `uname -s` (`Darwin` = macOS, `Linux` = Linux) and whether `~/.openclaw` exists (OpenClaw). Use the first matching branch: |
Access to hidden dotfiles in home directory
| 195 | 2. **OpenClaw** — `uname -s` is `Linux` and `~/.openclaw` exists |
Access to hidden dotfiles in home directory
| 228 | mkdir -p ~/.config/corbits/credentials && chmod 700 ~/.config/corbits/credentials |
Access to hidden dotfiles in home directory
| 233 | printf '%s' '<solana_keypair_value>' > ~/.config/corbits/credentials/solana-keypair && chmod 600 ~/.config/corbits/credentials/solana-keypair |
Access to hidden dotfiles in home directory
| 236 | printf '%s' '<evm_key_value>' > ~/.config/corbits/credentials/evm-key && chmod 600 ~/.config/corbits/credentials/evm-key |
Access to hidden dotfiles in home directory
| 241 | echo "sol=$(test -f ~/.config/corbits/credentials/solana-keypair && echo configured || echo skipped) evm=$(test -f ~/.config/corbits/credentials/evm-key && echo configured || echo skipped)" |
Access to hidden dotfiles in home directory
| 248 | If the user wants to do it themselves, show them what to add to `~/.openclaw/openclaw.json` under `skills.entries.corbits.env`: |
Access to hidden dotfiles in home directory
| 265 | If the agent should do it, collect the keys from the user, then read `~/.openclaw/openclaw.json`, merge in `skills.entries.corbits.env` with `CORBITS_SOLANA_KEYPAIR` and `CORBITS_EVM_KEY`, and write i |
Access to hidden dotfiles in home directory
| 273 | On macOS, keys are stored in Keychain. On Linux with Claude Code/OpenCode, keys are stored in `~/.config/corbits/credentials/` with restricted permissions. On OpenClaw, keys are injected as env vars f |
Access to hidden dotfiles in home directory
| 285 | After install, source the shell profile or use the full path (`~/.bun/bin/bun`). |
Access to hidden dotfiles in home directory
| 290 | mkdir -p ~/.config/corbits/project && ~/.bun/bin/bun init -y --cwd ~/.config/corbits/project && ~/.bun/bin/bun add @faremeter/rides --cwd ~/.config/corbits/project |
Access to hidden dotfiles in home directory
| 293 | ### Step 5. Write `~/.config/corbits/project/rides.ts` |
Access to hidden dotfiles in home directory
| 295 | Use the Read tool to read `rides.ts` from this skill's directory (the same directory as this SKILL.md file) and write its contents to `~/.config/corbits/project/rides.ts`. If the skill directory is no |
Access to hidden dotfiles in home directory
| 331 | mkdir -p ~/.config/corbits |
Access to hidden dotfiles in home directory
| 332 | jq -n --argjson id <id> --arg name "<name>" --arg url "<url>" '{id: $id, name: $name, org_slug: null, url: $url}' > ~/.config/corbits/context.json |
Access to hidden dotfiles in home directory
| 337 | mkdir -p ~/.config/corbits |
Access to hidden dotfiles in home directory
| 338 | jq -n --argjson id <id> --arg name "<name>" --arg org_slug "<org_slug>" --arg url "<url>" '{id: $id, name: $name, org_slug: $org_slug, url: $url}' > ~/.config/corbits/context.json |
Access to hidden dotfiles in home directory
| 361 | ~/.bun/bin/bun ~/.config/corbits/project/rides.ts GET "<proxy_url><base_path><spec_path>" |
Access to hidden dotfiles in home directory
| 366 | ~/.bun/bin/bun ~/.config/corbits/project/rides.ts <METHOD> "<proxy_url><base_path><spec_path>" '<json_body>' |
Access to .env file
| 248 | If the user wants to do it themselves, show them what to add to `~/.openclaw/openclaw.json` under `skills.entries.corbits.env`: |
Access to .env file
| 265 | If the agent should do it, collect the keys from the user, then read `~/.openclaw/openclaw.json`, merge in `skills.entries.corbits.env` with `CORBITS_SOLANA_KEYPAIR` and `CORBITS_EVM_KEY`, and write i |
Access to system keychain/keyring
| 212 | Store non-empty keys in Keychain: |
Access to system keychain/keyring
| 273 | On macOS, keys are stored in Keychain. On Linux with Claude Code/OpenCode, keys are stored in `~/.config/corbits/credentials/` with restricted permissions. On OpenClaw, keys are injected as env vars f |
External URL reference
| 14 | `https://api.corbits.dev` |
External URL reference
| 21 | {"id":61,"name":"openai","org_slug":null,"url":"https://openai.api.corbits.dev"} |
External URL reference
| 89 | When fetching an OpenAPI spec, extract the base path from the `servers` field. For example, if `servers[0].url` is `https://api.openai.com/v1`, the base path is `/v1`. All spec paths are relative to t |
External URL reference
| 99 | WebFetch https://api.corbits.dev/api/v1/proxies/<id>/openapi |
External URL reference
| 104 | WebFetch https://api.corbits.dev/api/v1/proxies/<id>/endpoints |
External URL reference
| 122 | Print the current proxy name and URL (e.g. "Calling on **open-ai** (`https://...`)"). Do NOT ask for confirmation -- just continue to step 2. |
External URL reference
| 282 | command -v bun >/dev/null 2>&1 || curl -fsSL https://bun.sh/install | bash |
External URL reference
| 312 | WebFetch https://api.corbits.dev/api/v1/search?q=<query> |
External URL reference
| 318 | WebFetch https://api.corbits.dev/api/v1/proxies |
External URL reference
| 352 | WebFetch https://api.corbits.dev/api/v1/proxies/<proxy-id>/endpoints |
External URL reference
| 399 | - The `url` field is computed: `https://{name}.api.corbits.dev` or `https://{name}.{org_slug}.api.corbits.dev` when org_slug is present |