corbits
Enables users to discover and interact with Corbits API proxies, fetch OpenAPI specs, and make API calls efficiently.
Install this skill
Security score
The corbits skill was audited on Feb 21, 2026 and we found 48 security issues across 5 threat categories, including 3 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Direct command execution function call
| 301 | return execSync( |
Template literal with variable interpolation in command context
| 302 | `security find-generic-password -a corbits -s corbits-${service} -w`, |
Piping content to bash shell
| 268 | command -v bun >/dev/null 2>&1 || curl -fsSL https://bun.sh/install | bash |
Node child_process module reference
| 283 | import { execSync } from "child_process"; |
Curl to non-GitHub URL
| 268 | command -v bun >/dev/null 2>&1 || curl -fsSL https://bun.sh/install | bash |
Access to hidden dotfiles in home directory
| 18 | `~/.config/corbits/context.json` persists the current proxy between invocations. Written when a proxy is selected. Format: |
Access to hidden dotfiles in home directory
| 43 | Before running any flow that executes `~/.bun/bin/bun rides.ts` (call flow, search flow step 5), verify init has been completed and at least one wallet is configured. |
Access to hidden dotfiles in home directory
| 47 | test -f ~/.config/corbits/project/rides.ts && echo "rides=ok" || echo "rides=missing"; security find-generic-password -a corbits -s corbits-solana-keypair -w >/dev/null 2>&1 && echo "sol=ok" || echo " |
Access to hidden dotfiles in home directory
| 52 | test -f ~/.config/corbits/project/rides.ts && echo "rides=ok" || echo "rides=missing"; ([ -n "$CORBITS_SOLANA_KEYPAIR" ] || test -s ~/.config/corbits/credentials/solana-keypair) && echo "sol=ok" || ec |
Access to hidden dotfiles in home directory
| 77 | Then read `~/.config/corbits/context.json`. If it exists, also show: "Current proxy: <name> (<url>)". If not, show: "No proxy selected. Run `/corbits search` to find one." |
Access to hidden dotfiles in home directory
| 83 | Read `~/.config/corbits/context.json`. If it exists, show the proxy name and URL. If not, tell the user to search for a proxy first (e.g. `/corbits search openai`). |
Access to hidden dotfiles in home directory
| 100 | cat ~/.config/corbits/context.json 2>/dev/null || echo "none" |
Access to hidden dotfiles in home directory
| 147 | ~/.bun/bin/bun ~/.config/corbits/project/rides.ts GET "<proxy_url><base_path><spec_path>" |
Access to hidden dotfiles in home directory
| 152 | ~/.bun/bin/bun ~/.config/corbits/project/rides.ts <METHOD> "<proxy_url><base_path><spec_path>" '<json_body>' |
Access to hidden dotfiles in home directory
| 164 | cat ~/.config/corbits/context.json 2>/dev/null || echo "none" |
Access to hidden dotfiles in home directory
| 195 | Detect the platform and environment: check `uname -s` (`Darwin` = macOS, `Linux` = Linux) and whether `~/.openclaw` exists (OpenClaw). Use the first matching branch: |
Access to hidden dotfiles in home directory
| 198 | 2. **OpenClaw** — `uname -s` is `Linux` and `~/.openclaw` exists |
Access to hidden dotfiles in home directory
| 214 | mkdir -p ~/.config/corbits/credentials && chmod 700 ~/.config/corbits/credentials |
Access to hidden dotfiles in home directory
| 219 | printf '%s' '<solana_keypair_value>' > ~/.config/corbits/credentials/solana-keypair && chmod 600 ~/.config/corbits/credentials/solana-keypair |
Access to hidden dotfiles in home directory
| 222 | printf '%s' '<evm_key_value>' > ~/.config/corbits/credentials/evm-key && chmod 600 ~/.config/corbits/credentials/evm-key |
Access to hidden dotfiles in home directory
| 227 | echo "sol=$(test -f ~/.config/corbits/credentials/solana-keypair && echo configured || echo skipped) evm=$(test -f ~/.config/corbits/credentials/evm-key && echo configured || echo skipped)" |
Access to hidden dotfiles in home directory
| 234 | If the user wants to do it themselves, show them what to add to `~/.openclaw/openclaw.json` under `skills.entries.corbits.env`: |
Access to hidden dotfiles in home directory
| 251 | If the agent should do it, collect the keys from the user, then read `~/.openclaw/openclaw.json`, merge in `skills.entries.corbits.env` with `CORBITS_SOLANA_KEYPAIR` and `CORBITS_EVM_KEY`, and write i |
Access to hidden dotfiles in home directory
| 259 | On macOS, keys are stored in Keychain. On Linux with Claude Code/OpenCode, keys are stored in `~/.config/corbits/credentials/` with restricted permissions. On OpenClaw, keys are injected as env vars f |
Access to hidden dotfiles in home directory
| 271 | After install, source the shell profile or use the full path (`~/.bun/bin/bun`). |
Access to hidden dotfiles in home directory
| 276 | mkdir -p ~/.config/corbits/project && ~/.bun/bin/bun init -y --cwd ~/.config/corbits/project && ~/.bun/bin/bun add @faremeter/rides --cwd ~/.config/corbits/project |
Access to hidden dotfiles in home directory
| 279 | ### Step 5. Write `~/.config/corbits/project/rides.ts` |
Access to hidden dotfiles in home directory
| 396 | echo '{"id":<id>,"name":"<name>","org_slug":<org_slug_or_null>,"url":"<url>"}' > ~/.config/corbits/context.json |
Access to hidden dotfiles in home directory
| 423 | ~/.bun/bin/bun ~/.config/corbits/project/rides.ts GET "<proxy_url><base_path><spec_path>" |
Access to hidden dotfiles in home directory
| 428 | ~/.bun/bin/bun ~/.config/corbits/project/rides.ts <METHOD> "<proxy_url><base_path><spec_path>" '<json_body>' |
Access to .env file
| 234 | If the user wants to do it themselves, show them what to add to `~/.openclaw/openclaw.json` under `skills.entries.corbits.env`: |
Access to .env file
| 251 | If the agent should do it, collect the keys from the user, then read `~/.openclaw/openclaw.json`, merge in `skills.entries.corbits.env` with `CORBITS_SOLANA_KEYPAIR` and `CORBITS_EVM_KEY`, and write i |
Access to .env file
| 296 | const envVal = process.env[envName]; |
Access to system keychain/keyring
| 259 | On macOS, keys are stored in Keychain. On Linux with Claude Code/OpenCode, keys are stored in `~/.config/corbits/credentials/` with restricted permissions. On OpenClaw, keys are injected as env vars f |
External URL reference
| 14 | `https://api.corbits.dev` |
External URL reference
| 21 | {"id":61,"name":"openai","org_slug":null,"url":"https://openai.api.corbits.dev"} |
External URL reference
| 89 | When fetching an OpenAPI spec, extract the base path from the `servers` field. For example, if `servers[0].url` is `https://api.openai.com/v1`, the base path is `/v1`. All spec paths are relative to t |
External URL reference
| 105 | Print the current proxy name and URL (e.g. "Calling on **open-ai** (`https://...`)"). Do NOT ask for confirmation -- just continue to step 2. |
External URL reference
| 110 | WebFetch https://api.corbits.dev/api/v1/proxies/<id>/openapi |
External URL reference
| 118 | WebFetch https://api.corbits.dev/api/v1/proxies/<id>/endpoints |
External URL reference
| 172 | WebFetch https://api.corbits.dev/api/v1/proxies/<id>/openapi |
External URL reference
| 180 | WebFetch https://api.corbits.dev/api/v1/proxies/<id>/endpoints |
External URL reference
| 268 | command -v bun >/dev/null 2>&1 || curl -fsSL https://bun.sh/install | bash |
External URL reference
| 378 | WebFetch https://api.corbits.dev/api/v1/search?q=<query> |
External URL reference
| 384 | WebFetch https://api.corbits.dev/api/v1/proxies |
External URL reference
| 402 | WebFetch https://api.corbits.dev/api/v1/proxies/<proxy-id>/openapi |
External URL reference
| 414 | WebFetch https://api.corbits.dev/api/v1/proxies/<proxy-id>/endpoints |
External URL reference
| 459 | - The `url` field is computed: `https://{name}.api.corbits.dev` or `https://{name}.{org_slug}.api.corbits.dev` when org_slug is present |
Install this skill with one command
/learn @corbits-infra/corbits