ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

karakeep-sh

v1.0.3

Karakeep bookmark manager with full native RESTful API support including notes, updates, and deletion.

0· 726·1 current·1 all-time
byVandee@vandeefeng
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's purpose (Karakeep REST bookmark manager) matches what the script does (calls a user-provided Karakeep API), but the registry metadata declares no required environment variables or primary credential while the script clearly requires KARAKEEP_SERVER_URL and KARAKEEP_API_KEY. That omission is incoherent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to require KARAKEEP_SERVER_URL and KARAKEEP_API_KEY and to always ask the user for confirmation before deletes; the script does check the env vars, but the kb-delete function performs the DELETE immediately (no interactive confirmation). Otherwise the SKILL.md operations map closely to script functions and are within the scope of a bookmark client.
Install Mechanism
This is an instruction-only skill with a single shell script and no install spec, so nothing is downloaded or installed automatically. That minimizes install risk.
!
Credentials
The skill requires a service URL and an API key (sensitive credential) to operate, but the registry metadata lists no required env vars and no primary credential. Additionally, the script assumes availability of jq and curl but the metadata lists no required binaries. Requiring an API key is proportional to the purpose, but failing to declare it in metadata is a red flag.
Persistence & Privilege
The skill does not request persistent/always-on privileges, does not modify other skills, and runs only when invoked. It executes network calls to the user-provided API endpoint only, which matches its purpose.
What to consider before installing
This skill's code is a straightforward shell client that requires two environment variables (KARAKEEP_SERVER_URL and KARAKEEP_API_KEY) and the jq utility, but the registry metadata does not declare them — that mismatch is the main concern. Before installing: (1) confirm you trust the skill owner (source unknown); (2) do not export your API key globally if you don't trust the skill — consider using a throwaway account or scoped key; (3) inspect the script (it is included) and prefer sourcing it in a constrained shell or running it from an isolated environment; (4) note that SKILL.md asks the agent to confirm before deletes but the kb-delete function issues DELETE immediately — instruct the agent to always prompt the user before running kb-delete; and (5) ask the publisher to update registry metadata to declare required env vars and binaries. If you need stronger assurance, request a signed/source-linked release or run the script in a sandbox first.

Like a lobster shell, security has layers — review code before you run it.

latestvk976bf2bh06nr5g7d290jqt9j182y77n
726downloads
0stars
4versions
Updated 9h ago
v1.0.3
MIT-0
Vandee@vandeefeng
latest
Download

Karakeep Skill

Advanced Karakeep bookmark management with full REST API support.

Add KARAKEEP_SERVER_URL and KARAKEEP_API_KEY to environment variables and jq for pretty-printing JSON responses.

If they are missing, provied a clear guide to the user.

IMPORTANT:always ask user to confirm beefore you delete a bookmark,

Complete Function Reference

Use this script karakeep-script.sh

We have the functions below:

FunctionDescription
kb-createCreate bookmark (supports note)
kb-update-noteUpdate bookmark note
kb-deleteDelete bookmark
kb-getGet bookmark details
kb-listList all bookmarks (with limit)
kb-contentGet markdown content
kb-searchSearch with qualifiers
kb-listsList all lists
kb-create-listCreate new list
kb-add-to-listAdd to list
kb-remove-from-listRemove from list
kb-attach-tagsAttach tags
kb-detach-tagsDetach tags

Available Operations

Create Bookmark with Note

# Link bookmark with note
kb-create link "https://example.com" "Example Site" "My analysis and notes here..."

# Text bookmark with note
kb-create text "Text content here" "My Note" "Additional notes..."

Update Bookmark Note

kb-update-note "bookmark_id" "Updated note content..."

Delete Bookmark

kb-delete "bookmark_id"

Get Bookmark

kb-get "bookmark_id"

Search Operations

# Search with qualifiers (uses MeiliSearch backend)
kb-search "is:fav after:2023-01-01 #important"
kb-search "machine learning is:tagged"
kb-search "list:reading #work"

# Search with custom limit and sort order
kb-search "python" 50 "desc"  # 50 results, descending order

# Available qualifiers:
# - is:fav, is:archived, is:tagged, is:inlist
# - is:link, is:text, is:media
# - url:<value>, #<tag>, list:<name>
# - after:<YYYY-MM-DD>, before:<YYYY-MM-DD>

# Sort options: relevance (default), asc, desc

API Parameters:

  • q (required): Search query string with qualifiers
  • limit (optional): Results per page (default: server-controlled)
  • sortOrder (optional): asc | desc | relevance (default)
  • cursor (optional): Pagination cursor
  • includeContent (optional): Include full content (default: true)

List Management

# List all lists
kb-lists

# Create new list
kb-create-list "Reading List" "📚"

# Add bookmark to list
kb-add-to-list "bookmark_id" "list_id"

# Remove bookmark from list
kb-remove-from-list "bookmark_id" "list_id"

Tag Management

# Attach tags
kb-attach-tags "bookmark_id" "important" "todo" "work"

# Detach tags
kb-detach-tags "bookmark_id" "oldtag" "anotherold"

Notes

  • All responses are in JSON format
  • Bookmark IDs are returned in creation responses
  • Use jq for pretty-printing JSON responses
  • API rate limits may apply

Comments

Loading comments...