Letterboxd Watchlist

Status: Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: letterboxd-watchlist
Version: 0.1.2

The skill's stated purpose and agent instructions are benign and explicitly limit the agent's scope. The `scripts/scrape_watchlist.py` script properly sanitizes the username input, preventing shell injection. However, the script uses the user-provided `--out` file path directly, without further sanitization or restriction. This creates an arbitrary file write vulnerability: if the OpenClaw agent does not enforce path restrictions, an attacker could overwrite sensitive files (e.g., `/etc/passwd`, `~/.bashrc`, `~/.ssh/authorized_keys`) with the scraped watchlist data. While this is a critical vulnerability, it does not demonstrate malicious intent by the script itself, so the skill is classified as suspicious rather than malicious.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill will contact Letterboxd for the named public profile and may overwrite the chosen output file if it already exists.

Why it was flagged

The tool performs network scraping against Letterboxd and writes to the user-supplied output path. This is expected for the stated purpose, but it is still an action the user should understand.

Skill content

    url = f"{BASE}/{username}/watchlist/page/{page}/"
    ...
    with open(path, "w", newline="", encoding="utf-8") as f:

Recommendation

Use it only for public watchlists, keep the default-style CSV/JSONL output path in a safe working folder, and avoid pointing `--out` at important existing files.

What this means

The skill may fail or behave differently from expectations if `uv` or a suitable Python runner is not available.

Why it was flagged

The usage examples rely on local execution through `uv`, while the registry metadata lists no required binaries or install spec. This is a small setup/declaration gap, not evidence of hidden behavior.

Skill content

    uv run scripts/scrape_watchlist.py <username> --out watchlist.csv

Recommendation

Declare the required runner explicitly, or run the reviewed script with an available trusted Python environment.