ClawHub

Trakt.tv

v1.0.0

Interact with the Trakt API to manage your watchlist, collection, ratings, and discover content

6· 1.5k·4 current·6 all-time
by@d-meagher
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the requested credentials and included helper script. The skill only talks to api.trakt.tv and trakt.tv and its examples are standard Trakt API calls.
Instruction Scope
Runtime instructions are limited to constructing curl requests, performing OAuth with Trakt, and asking the user to add credentials to ~/.openclaw/openclaw.json. This is expected. Minor scope issues: SKILL.md and the helper script mention TRAKT_REFRESH_TOKEN (used for refresh flow) but it's not listed in the declared requires.env; the helper script also requires jq and curl, yet the skill metadata does not declare required binaries.
Install Mechanism
No install spec — instruction-only skill plus a small shell helper. No downloads from external/untrusted URLs or archive extraction.
Credentials
The env vars requested (client id/secret/access token) are appropriate for a Trakt integration. Two minor inconsistencies: TRAKT_REFRESH_TOKEN is used/suggested in examples but not listed in requires.env/primaryEnv, and the helper script requires jq (and curl) but required binaries are declared as none.
Persistence & Privilege
always is false and the skill asks the user to put credentials into the OpenClaw config — normal behavior. The skill does not request system-wide privileges or modify other skills' configs.
Assessment
This skill appears to be a straightforward Trakt API helper. Before installing: 1) Verify the skill source (homepage is missing and README references a placeholder GitHub URL), since you will store API secrets for your Trakt account. 2) Inspect get_trakt_token.sh before running it (it performs OAuth against api.trakt.tv and prints the tokens and a JSON snippet to add to ~/.openclaw/openclaw.json). 3) Ensure jq and curl are installed — the script will fail without jq. 4) Consider creating a dedicated Trakt application name for this skill and treat the client secret/access token as sensitive (store openclaw.json with restrictive file permissions). 5) Note the metadata omission: TRAKT_REFRESH_TOKEN is recommended by the skill but not declared in requires.env; add it if you want token refresh to work. If you are comfortable reviewing the small script and trust the skill author, it is coherent with its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dc164cezf59syykcz6tk8mh808272

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvTRAKT_CLIENT_ID, TRAKT_CLIENT_SECRET, TRAKT_ACCESS_TOKEN
Primary envTRAKT_ACCESS_TOKEN

Comments