Trakt.tv

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can use your Trakt access token to read and change Trakt account data such as watchlists, viewing history, collections, and ratings.

Why it was flagged

The skill requires OAuth credentials that let the agent authenticate to the user's Trakt account. This is expected for the integration, but it is sensitive account authority.

Skill content

requires: {"env": ["TRAKT_CLIENT_ID", "TRAKT_CLIENT_SECRET", "TRAKT_ACCESS_TOKEN"]}, "primaryEnv": "TRAKT_ACCESS_TOKEN"

Recommendation

Use a Trakt application/token you are comfortable delegating to the agent, store tokens securely, and revoke or rotate them if you stop using the skill.

What this means

A mistaken or overly broad request could change your Trakt watchlist, history, collection, or ratings.

Why it was flagged

The documented curl commands include authenticated POST endpoints that can add, remove, mark watched, or rate items in the user's Trakt account.

Skill content

curl -X POST https://api.trakt.tv/sync/watchlist/remove ... -H "Authorization: Bearer $TRAKT_ACCESS_TOKEN"

Recommendation

Ask the agent to preview the exact Trakt change before mutating actions, especially removals or bulk updates.

What this means

Running the helper script will prompt for Trakt credentials, exchange an OAuth code, and print tokens for configuration.

Why it was flagged

Setup asks the user to execute an included shell script to complete OAuth token generation. The script is user-directed and purpose-aligned, but it handles credentials.

Skill content

chmod +x get_trakt_token.sh
./get_trakt_token.sh

Recommendation

Inspect the script before running it, run it only from a trusted copy of the skill, and avoid sharing terminal output containing tokens.