curl · curl project
curl for AI Agents
Call HTTP APIs with explicit methods, headers, authentication, retries, and failure handling.
Install for an Agent
Choose an official installation path that matches the runtime. Pin a version for team or CI use, then record the version before the first task.
Structured Output for Reliable Automation
Prefer a machine-readable format. Treat stdout as the result channel and stderr as diagnostics so the agent can parse failures separately.
R0–R3 Command Risk Guide
Risk is assigned per command. R0 is local or remote read-only, R1 is reversible local write, R2 changes remote state, and R3 can be irreversible or production-impacting.
Read-only does not mean public
R0 only means the command does not change local or remote state. A read-only command may still return secrets, identity data, configuration, or production data. Expose only the minimum needed for the task, and never place it in logs, prompts, or commits.
How the Agent Readiness Score Is Built
Readiness describes how reliably an agent can operate the tool. It does not make every command safe and it does not replace an independent execution test.
Documentation indicates an agent-readiness score of 84/100. A bounded local smoke test is recorded for 8.7.1; review its limitations before relying on untested commands.
Generate a Skill or Agent Policy
Choose an agent and safety mode to generate a copyable artifact with installation, allowed commands, approval boundaries, and the evidence limitation.
---
name: curl-agent-workflow
description: Use curl for HTTP APIs, file transfers, health checks with explicit command risk and evidence boundaries.
---
# curl agent workflow
Use this skill when the task needs HTTP APIs, file transfers, health checks, webhook calls.
## Evidence boundary
- Registry confidence: `verified`
- Documentation checked: `2026-07-10`
- Locally tested version: `8.7.1`
- Treat only the recorded executed checks as independently verified; every unlisted command remains documentation-only.
## Executed smoke checks
- `curl --version` — passed; exit 0. The recorded smoke check completed successfully.
- `curl --fail --silent --show-error --max-time 5 file://$PWD/package.json` — passed; exit 0. The recorded smoke check completed successfully.
- `curl --fail --silent --show-error --max-time 5 file://$PWD/package.json | jq -e '.name == "clifinder-net"'` — passed; exit 0. The bounded local file response passed the recorded jq assertion.
- `curl --fail --silent --show-error --max-time 5 file://$PWD/not-a-real-qa-file` — expected-failure; exit 37. curl returned its documented local-file open error and kept the diagnostic on stderr.
## Installation
- Homebrew (macos, linux): `brew install curl`
- winget (windows): `winget install cURL.cURL`
## Authentication
- Methods: none, basic, bearer token, client certificate, netrc
- Secret environment variables: `HTTP_TOKEN`
- Minimum permissions: Pass scoped tokens through environment-backed headers and never print request secrets.
- Credential storage: For headless runs, inject HTTP_TOKEN from the CI or platform secret manager at process start. For local interactive use, prefer the CLI or operating-system credential store when the official client supports one. Never save values in repository files.
- Never print, persist, or commit credential values.
## Allowed commands (read-only)
- `curl --fail-with-body --silent --show-error --header "Accept: application/json" https://api.example.com/items` — R0: Performs a failing-fast GET request and preserves the response body.
## Commands requiring explicit approval (read-only)
- None recorded.
## Forbidden commands (read-only)
- R2 `curl --fail-with-body --request POST --header "Content-Type: application/json" --data @payload.json https://api.example.com/items` — Sends a state-changing POST request.
- R3 `curl --fail-with-body --request DELETE https://api.example.com/items/ID` — Sends a potentially destructive DELETE request.
## Execution rules
1. Mode boundary: R0 exact commands may be used; R1, R2, and R3 commands are forbidden.
2. Confirm the selected account, project, context, database, namespace, or environment before any command.
3. Prefer structured output using `--fail-with-body`, `--silent`, `--show-error`.
4. Capture the exact command, exit code, stdout, and stderr separately.
5. A generated prefix policy must prompt unless that exact prefix is explicitly marked suffix-safe; do not infer safety from the executable name.
6. Never broaden credentials or disable safety controls to make a command succeed.
## Official sources
- [curl manual](https://curl.se/docs/manpage.html)
- [curl manual source repository](https://github.com/curl/curl)
Verification History and Official Evidence
CLI Finder records documentation review separately from real execution. Installation, help, exit codes, and output cannot be called Verified until they were run.