📦 Insforge Cli — 技能工具
v0.1.0Use this skill whenever the user needs backend infrastructure management — creating database tables, running SQL, deploying serverless functions, managing st...
0· 205·0 当前·0 累计
by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's instructions largely match an InsForge CLI for managing infrastructure, but there are inconsistencies and persistence behaviors (credential storage, auto-install of agent skills, and npm installs) that deserve caution before installing or running it.
评估建议
This instruction-only skill looks like a legitimate CLI reference for an InsForge backend tool, but treat it cautiously because:
- Metadata omits required credentials and install details that the SKILL.md explicitly uses (INSFORGE_* env vars, stored tokens). That mismatch is unexpected.
- The instructions tell you to run global npm installs (npm install -g @insforge/cli) and npx to auto-install other agent skills; those actions download and execute third-party code and create persistent files (...详细分析 ▾
ℹ 用途与能力
The name/description (backend infra management for InsForge) align with the included command reference (db, functions, storage, deployments, secrets, schedules). However the package metadata declares no required credentials or install steps while SKILL.md explicitly references auth tokens, project IDs, and environment variables (e.g., INSFORGE_ACCESS_TOKEN, INSFORGE_EMAIL/PASSWORD). That mismatch between declared requirements and the instructions is unexpected.
⚠ 指令范围
The runtime instructions direct the agent/user to install an external CLI (npm install -g @insforge/cli), run authentication flows (including a local callback server), create project files (.insforge/project.json), install additional agent skills via npx (npx skills add insforge/agent-skills), and read/write credentials at ~/.insforge/credentials.json. The commands include exporting/importing DB backups and retrieving decrypted secrets (insforge secrets get), which legitimately access sensitive data but also expand the blast radius for exfiltration. Auto-installing agent skills into .agents/skills/ may change the agent environment and is out-of-band behavior that should be validated.
⚠ 安装机制
The registry lists no install spec, but SKILL.md instructs global npm installs (npm install -g @insforge/cli) and npx to install agent skills. Installing packages globally and npx pull from external registries; that is a standard but higher-risk install pattern because it fetches and executes remote code. The skill metadata lacks a trusted homepage/source URL, making it harder to verify the npm packages and their authors before running.
⚠ 凭证需求
The SKILL.md expects environment variables and credentials (INSFORGE_ACCESS_TOKEN, INSFORGE_PROJECT_ID, INSFORGE_EMAIL, INSFORGE_PASSWORD) and describes storing access/refresh tokens in ~/.insforge/credentials.json. But the registry metadata declared no required env vars or primary credential. Requesting/using secrets and providing CLI flows to retrieve decrypted secrets is proportionate for a CLI of this purpose, yet the metadata omission and the ability to fetch secrets and DB exports means this skill will have access to highly sensitive data — verify only least-privilege credentials are used.
⚠ 持久化与权限
The skill's instructions create persistent artifacts (project link file .insforge/project.json, ~/.insforge/credentials.json) and perform auto-installation of agent skills into .agents/skills/insforge/. While persistent state is normal for a CLI, the combination of storing credentials, modifying workspace/agent skill directories, and installing software from npm expands long-term privileges and should be allowed only if you trust the source.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.1.02026/3/12
Initial release of insforge-cli — a command-line tool for InsForge backend infrastructure management. - Supports authentication, project management, database queries and schema management, edge/serverless functions, storage buckets, frontend deployments, secrets management, scheduled tasks (cron jobs), and backend logs. - Provides structured command outputs, comprehensive environment variable overrides, and detailed exit codes for automation. - Includes safeguards and notes for destructive actions, soft delete behavior, and invocation URL formats. - Commands are organized by category and documented with common use cases and workflows. - Additional documentation available via built-in docs command.
● 可疑
安装命令
点击复制官方npx clawhub@latest install insforge-cli
镜像加速npx clawhub@latest install insforge-cli --registry https://cn.longxiaskill.com镜像同步中
技能文档
Command-line tool for managing InsForge Backend-as-a-Service projects.
Critical: Session Start Checks
First, ensure the CLI is installed. Run insforge whoami — if the command is not found, install it:
npm install -g @insforge/cli
Then verify authentication and project:
insforge whoami # verify authentication
insforge current # verify linked project
If not authenticated: insforge login
If no project linked: insforge create (new) or insforge link (existing)
Global Options
| Flag | Description |
|---|---|
--json | Structured JSON output (for scripts and agents) |
-y, --yes | Skip confirmation prompts |
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | General error (e.g., HTTP 400+ from function invoke) |
| 2 | Not authenticated |
| 3 | Project not linked |
| 4 | Resource not found |
| 5 | Permission denied |
Environment Variables
| Variable | Description |
|---|---|
INSFORGE_ACCESS_TOKEN | Override stored access token |
INSFORGE_PROJECT_ID | Override linked project ID |
INSFORGE_EMAIL | Email for non-interactive login |
INSFORGE_PASSWORD | Password for non-interactive login |
Commands
Authentication
insforge login— OAuth (browser) or--emailfor password login. See references/login.mdinsforge logout— clear stored credentialsinsforge whoami— show current user
Project Management
insforge create— create new project. See references/create.mdinsforge link— link directory to existing projectinsforge current— show current user + linked projectinsforge list— list all orgs and projectsinsforge metadata— show backend metadata (auth config, database tables, storage buckets, edge functions, AI models, realtime channels). Use--jsonfor structured output. Run this first to discover what's configured before building features.
Database — insforge db
insforge db query— execute raw SQL. See references/db-query.mdinsforge db tables / indexes / policies / triggers / functions— inspect schemainsforge db rpc [--data ]— call database function (GET if no data, POST if data)insforge db export— export schema/data. See references/db-export.mdinsforge db import— import from SQL file. See references/db-import.md
Edge Functions — insforge functions
insforge functions list— list deployed functionsinsforge functions code— view function sourceinsforge functions deploy— deploy or update. See references/functions-deploy.mdinsforge functions invoke [--data ] [--method GET|POST]— invoke function
Storage — insforge storage
insforge storage buckets— list bucketsinsforge storage create-bucket [--private]— create bucket (default: public)insforge storage delete-bucket— delete bucket and all its objects (destructive)insforge storage list-objects [--prefix] [--search] [--limit] [--sort]— list objectsinsforge storage upload --bucket [--key ]— upload fileinsforge storage download --bucket [--output ]— download file
Deployments — insforge deployments
insforge deployments deploy [dir]— deploy frontend app. See references/deployments-deploy.mdinsforge deployments list— list deploymentsinsforge deployments status [--sync]— get deployment status (--sync fetches from Vercel)insforge deployments cancel— cancel running deployment
Secrets — insforge secrets
insforge secrets list [--all]— list secrets (values hidden;--allincludes deleted)insforge secrets get— get decrypted valueinsforge secrets add [--reserved] [--expires ]— create secretinsforge secrets update [--value] [--active] [--reserved] [--expires]— update secretinsforge secrets delete— soft delete (marks inactive; restore with--active true)
Schedules — insforge schedules
insforge schedules list— list all scheduled tasks (shows ID, name, cron, URL, method, active, next run)insforge schedules get— get schedule detailsinsforge schedules create --name --cron --url --method [--headers ] [--body ]— create a cron job (5-field cron format only)insforge schedules update [--name] [--cron] [--url] [--method] [--headers] [--body] [--active]— update scheduleinsforge schedules delete— delete schedule (with confirmation)insforge schedules logs [--limit] [--offset]— view execution logs
Logs — insforge logs
insforge logs [--limit ]— fetch backend container logs (default: 20 entries)
| Source | Description |
|---|---|
insforge.logs | Main backend logs |
postgREST.logs | PostgREST API layer logs |
postgres.logs | PostgreSQL database logs |
function.logs | Edge function execution logs |
Source names are case-insensitive:postgrest.logsworks the same aspostgREST.logs.
Documentation — insforge docs
insforge docs— list all topicsinsforge docs instructions— setup guideinsforge docs— feature docs (db / storage / functions / auth / ai / realtime×typescript / swift / kotlin / rest-api)
For writing application code with the InsForge SDK, use the insforge (SDK) skill instead, and use the insforge docs to get specific SDK documentation.Non-Obvious Behaviors
Functions invoke URL: invoked at {oss_host}/functions/{slug} — NOT /api/functions/{slug}. Exits with code 1 on HTTP 400+.
Secrets delete is soft: marks the secret inactive, not destroyed. Restore with insforge secrets update KEY --active true. Use --all with secrets list to see inactive ones.
Storage delete-bucket is hard: deletes the bucket and every object inside it permanently.
db rpc uses GET or POST: no --data → GET; with --data → POST.
Schedules use 5-field cron only: minute hour day month day-of-week. 6-field (with seconds) is NOT supported. Headers can reference secrets with ${{secrets.KEY_NAME}}.
Common Workflows
Set up database schema
insforge db query "CREATE TABLE posts (
id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
title TEXT NOT NULL,
content TEXT,
author_id UUID REFERENCES auth.users(id),
created_at TIMESTAMPTZ DEFAULT now()
)"
insforge db query "ALTER TABLE posts ENABLE ROW LEVEL SECURITY"
insforge db query "CREATE POLICY \"public_read\" ON posts FOR SELECT USING (true)"
insforge db query "CREATE POLICY \"owner_write\" ON posts FOR INSERT WITH CHECK (auth.uid() = author_id)"
FK to users: alwaysauth.users(id). RLS current user:auth.uid().
Deploy an edge function
# Default source path: insforge/functions/{slug}/index.ts
insforge functions deploy my-handler
insforge functions invoke my-handler --data '{"action": "test"}'
Deploy frontend
Always verify the local build succeeds before deploying. Local builds are faster to debug and don't waste server resources.
# 1. Build locally first npm run build
# 2. Deploy insforge deployments deploy ./dist --env '{"VITE_API_URL": "https://my-app.us-east.insforge.app"}'
Environment variable prefix by framework:
| Framework | Prefix | Example |
|---|---|---|
| Vite | VITE_ | VITE_INSFORGE_URL |
| Next.js | NEXT_PUBLIC_ | NEXT_PUBLIC_INSFORGE_URL |
| Create React App | REACT_APP_ | REACT_APP_INSFORGE_URL |
| Astro | PUBLIC_ | PUBLIC_INSFORGE_URL |
| SvelteKit | PUBLIC_ | PUBLIC_INSFORGE_URL |
- [ ]
npm run buildsucceeds locally - [ ] All required env vars configured with correct framework prefix
- [ ] Edge function directories excluded from frontend build (if applicable)
- [ ] Never include
node_modules,.git,.env,.insforge, or build output in the zip - [ ] Build output directory matches framework's expected output (
dist/,build/,.next/, etc.)
Backup and restore database
insforge db export --output backup.sql
insforge db import backup.sql
Schedule a cron job
# Create a schedule that calls a function every 5 minutes insforge schedules create \ --name "Cleanup Expired" \ --cron "/5 " \ --url "https://my-app.us-east.insforge.app/functions/cleanup" \ --method POST \ --headers '{"Authorization": "Bearer ${{secrets.API_TOKEN}}"}'
# Check execution history insforge schedules logs
Cron Expression Format
InsForge uses 5-field cron expressions (pg_cron format). 6-field expressions with seconds are NOT supported.
┌─────────────── minute (0-59) │ ┌───────────── hour (0-23) │ │ ┌─────────── day of month (1-31) │ │ │ ┌───────── month (1-12) │ │ │ │ ┌─────── day of week (0-6, Sunday=0) │ │ │ │ │
| Expression | Description |
|---|---|
| Every minute |
/5 | Every 5 minutes |
0 | Every hour (at minute 0) |
0 9 | Daily at 9:00 AM |
0 9 1 | Every Monday at 9:00 AM |
0 0 1 | First day of every month at midnight |
30 14 1-5 | Weekdays at 2:30 PM |
Secret References in Headers
Headers can reference secrets stored in InsForge using the syntax ${{secrets.KEY_NAME}}.
{
"headers": {
"Authorization": "Bearer ${{secrets.API_TOKEN}}",
"X-API-Key": "${{secrets.EXTERNAL_API_KEY}}"
}
}
Secrets are resolved at schedule creation/update time. If a referenced secret doesn't exist, the operation fails with a 404 error.
Best Practices
- Use 5-field cron expressions only
/5 for every 5 minutes- Store sensitive values as secrets
${{secrets.KEY_NAME}} in headers for API keys and tokens
- Create secrets first via the secrets API before referencing them- Target InsForge functions for serverless tasks
https://your-project.region.insforge.app/functions/{slug}
- Ensure the target function exists and has status: "active"- Monitor execution logs
Common Mistakes
| Mistake | Solution |
|---|---|
| Using 6-field cron (with seconds) | Use 5-field format only: minute hour day month day-of-week |
| Referencing non-existent secret | Create the secret first via secrets API |
| Targeting non-existent function | Verify function exists and is active before scheduling |
| Schedule not running | Check isActive is true and cron expression is valid |
Recommended Workflow
1. Create secrets if needed -> insforge secrets add KEY VALUE
- Create/verify target function ->
insforge functions list
- Create schedule ->
insforge schedules create
- Verify schedule is active ->
insforge schedules get
- Monitor execution logs ->
insforge schedules logs
Debug with logs
insforge logs function.logs # function execution issues
insforge logs postgres.logs # database query problems
insforge logs insforge.logs # API / auth errors
insforge logs postgrest.logs --limit 50
Best Practices
- Start with function.logs for function issues
- Use postgres.logs for query problems
- Check insforge.logs for API errors
Common Debugging Scenarios
| Problem | Check |
|---|---|
| Function not working | function.logs |
| Database query failing | postgres.logs, postgREST.logs |
| Auth issues | insforge.logs |
| API returning 500 errors | insforge.logs, postgREST.logs |
Non-interactive CI/CD
INSFORGE_EMAIL=$EMAIL INSFORGE_PASSWORD=$PASSWORD insforge login --email -y
insforge link --project-id $PROJECT_ID --org-id $ORG_ID -y
insforge db query "SELECT count(*) FROM users" --json
Project Configuration
After create or link, .insforge/project.json is created:
{
"project_id": "...",
"appkey": "...",
"region": "us-east",
"api_key": "ik_...",
"oss_host": "https://{appkey}.{region}.insforge.app"
}
oss_host is the base URL for all SDK and API operations. api_key is the admin key for backend API calls.
Never commit this file to version control or share it publicly.
Do not edit this file manually. Useinsforge linkto switch projects.