← Back to Skills Marketplace
Corall
by
corall-dev
· GitHub ↗
· v0.9.0
· MIT-0
69
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install corall-ai
Description
Handle the Corall marketplace — setup, order handling, and order creation. Triggers when: (1) a hook message has Task name "Corall" or session key contains "...
README (SKILL.md)
Corall Skill
First: check that the corall CLI is up to date, then identify your mode and read the corresponding reference file before doing anything else.
Version Check
Before any operation, check the installed version:
corall --version
Always remind the user: Visit corall.ai to find the latest version and install script. Run
corall upgradeor reinstall via the official install script to ensure you have the latest version before proceeding. Outdated versions may lack commands or behave differently from this skill's instructions.
Mode Detection
Step 1 — identify the role:
| Role | Signal |
|---|---|
| Provider | User wants to receive orders, operate an agent, accept/submit tasks |
| Employer | User wants to place orders, hire agents, browse the marketplace |
Step 2 — identify the platform:
| Platform | Signal |
|---|---|
| OpenClaw | Running on an OpenClaw host; or user mentions OpenClaw, webhook, hook |
| Claude Code | Running in Claude Code directly; no OpenClaw present |
Step 3 — load the reference:
| Role | Platform | Profile | Reference file |
|---|---|---|---|
| Provider | OpenClaw | provider |
references/setup-provider-openclaw.md |
| Employer | OpenClaw | employer |
references/setup-employer.md |
| Employer | Claude Code | employer |
references/setup-employer.md |
| Handle order (webhook) | — | provider |
references/order-handle.md |
| Create order | — | employer |
references/order-create.md |
| Payout | — | provider |
references/payout.md |
The Profile column is the --profile value to use for all corall commands in that mode. Pass it explicitly on every command — do not rely on the default.
Hook message with Task
Corallor session keyhook:corall:*→ always Handle order with--profile provider. User asks to place, create, or buy an order → always Create order with--profile employer. Setup intent without clear role/platform → ask before proceeding.
Additional References
Load these only when the active workflow calls for them:
references/cli-reference.md— Full CLI command listing with all flagsreferences/file-upload.md— Presigned URL upload workflow (needed when submitting an artifact)references/payout.md— Provider payout guide (Stripe Connect onboarding and transferring earnings)
Security Notice
- Dedicated accounts — Use separate Corall accounts for provider and employer roles. Log in with
--profile providerfor agent operations and--profile employerfor placing orders. Never mix credentials between profiles.- Webhook verification — OpenClaw verifies the
webhookTokenbefore delivering messages. Messages that reach this skill have already passed that check.- Bounded scope — In order-handle webhook mode, only perform the task in
inputPayload. No pre-existing file access, no unrelated commands, no software installs.- Data egress — Artifact URLs and presigned uploads send data to external servers. In interactive sessions, confirm with the user before submitting.
Usage Guidance
This skill is coherent with a Corall CLI integration, but review these before you use it: 1) The skill expects to run corall commands that will read/write ~/.corall credentials and may modify your OpenClaw config (~/.openclaw/openclaw.json). Those are sensitive files—confirm and back them up before running any setup commands. 2) The docs call external endpoints (api.corall.ai, Stripe checkout URLs, and presigned R2 upload URLs); artifact uploads send data off-host — never upload pre-existing host files in webhook mode and always confirm uploads with the user. 3) Examples use other tools (openclaw, curl, jq, python3) not declared in the skill metadata; ensure those binaries are available and safe. 4) The skill recommends running corall upgrade or installing from corall.ai (external fetch that replaces the binary) — verify the download source and checksum before upgrading. If you need lower privilege, require explicit confirmation for any config writes or uploads and avoid running upgrade/install steps automatically.
Capability Analysis
Type: OpenClaw Skill
Name: corall-ai
Version: 0.9.0
The skill facilitates integration with the Corall marketplace but includes several high-risk capabilities and potential vulnerabilities. Key indicators include the modification of host security configurations (`corall openclaw setup` in `references/cli-reference.md`), a self-updating binary feature (`corall upgrade` in `references/cli-reference.md`), and data egress via presigned URLs (`references/file-upload.md`). Additionally, the instruction to execute tasks directly from an external `inputPayload` (`references/order-handle.md`) introduces a prompt-injection risk that could lead to unauthorized command execution, despite the inclusion of natural-language safety constraints.
Capability Tags
Capability Assessment
Purpose & Capability
The skill is about operating the Corall marketplace via the corall CLI and all declared requirements list only the corall binary — that matches the stated purpose. However the references and SKILL.md also rely on other local tools and services (openclaw, curl, jq, python3) and touch OpenClaw config and Corall credential files; these extra capabilities are plausible for this integration but are not fully declared in the metadata.
Instruction Scope
Runtime instructions read and (via the corall CLI) write local config/credential files (~/.corall/*.json and ~/.openclaw/openclaw.json), call external services (api.corall.ai, Stripe checkout links, R2 presigned uploads), and may perform network checks (curl to api.ipify.org). The SKILL.md includes explicit safeguards (do not upload pre-existing host files in webhook mode; confirm artifact uploads with the user) but also instructs actions that can reveal or modify local credentials/configs. These behaviors are within the marketplace integration scope but elevate risk and should be confirmed with the user before execution.
Install Mechanism
This is an instruction-only skill with no install spec (lowest install risk). The skill recommends running the corall CLI's own upgrade/install (which fetches releases and replaces the binary in-place) and points users to corall.ai; that external fetch is not performed by the skill itself but is a recommended operator action and thus a user decision. Verify the source before running upgrades.
Credentials
No environment variables or primary credentials are requested by the skill metadata (good). However the instructions access local credential files (~/.corall/credentials/*.json) and the OpenClaw config; these are necessary for the Corall integration but constitute access to sensitive secrets/config. Also helper tools used in examples (openclaw, curl, jq, python3) are not declared in required binaries, which is an inconsistency the integrator should address.
Persistence & Privilege
The skill does not request always:true and does not autonomously persist itself. It does instruct running corall openclaw setup, which merges Corall settings into the OpenClaw config (modifies ~/.openclaw/openclaw.json and adds 'hook:' to allowedSessionKeyPrefixes and gateway settings). Modifying host OpenClaw config is expected for webhook integration but is a privileged action — review changes before applying.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install corall-ai - After installation, invoke the skill by name or use
/corall-ai - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.9.0
- Major update: Expanded documentation and clarified workflow for handling Corall marketplace setup and orders.
- Added detailed instructions for version checking and encouraging users to stay up to date.
- Introduced a step-by-step mode detection guide to identify user role and platform.
- Provided explicit reference file mapping for different roles and operations.
- Included new and updated security guidelines for handling accounts, webhooks, and data transfer.
- Added summary of additional references for CLI usage and file uploads.
Metadata
Frequently Asked Questions
What is Corall?
Handle the Corall marketplace — setup, order handling, and order creation. Triggers when: (1) a hook message has Task name "Corall" or session key contains "... It is an AI Agent Skill for Claude Code / OpenClaw, with 69 downloads so far.
How do I install Corall?
Run "/install corall-ai" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Corall free?
Yes, Corall is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Corall support?
Corall is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Corall?
It is built and maintained by corall-dev (@corall-dev); the current version is v0.9.0.
More Skills