Trakt.tv
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: trakt-tv Version: 1.0.0 The skill bundle is benign, providing a legitimate integration with the Trakt API. All `curl` commands in `SKILL.md` and the `get_trakt_token.sh` script exclusively target the official `api.trakt.tv` domain for authentication and API interactions. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts against the agent to subvert its intended behavior. The `SKILL.md` instructions guide the agent on standard API usage, and the `get_trakt_token.sh` script facilitates a standard OAuth 2.0 flow for token acquisition.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can use your Trakt access token to read and change Trakt account data such as watchlists, viewing history, collections, and ratings.
The skill requires OAuth credentials that let the agent authenticate to the user's Trakt account. This is expected for the integration, but it is sensitive account authority.
requires: {"env": ["TRAKT_CLIENT_ID", "TRAKT_CLIENT_SECRET", "TRAKT_ACCESS_TOKEN"]}, "primaryEnv": "TRAKT_ACCESS_TOKEN"Use a Trakt application/token you are comfortable delegating to the agent, store tokens securely, and revoke or rotate them if you stop using the skill.
A mistaken or overly broad request could change your Trakt watchlist, history, collection, or ratings.
The documented curl commands include authenticated POST endpoints that can add, remove, mark watched, or rate items in the user's Trakt account.
curl -X POST https://api.trakt.tv/sync/watchlist/remove ... -H "Authorization: Bearer $TRAKT_ACCESS_TOKEN"
Ask the agent to preview the exact Trakt change before mutating actions, especially removals or bulk updates.
Running the helper script will prompt for Trakt credentials, exchange an OAuth code, and print tokens for configuration.
Setup asks the user to execute an included shell script to complete OAuth token generation. The script is user-directed and purpose-aligned, but it handles credentials.
chmod +x get_trakt_token.sh ./get_trakt_token.sh
Inspect the script before running it, run it only from a trusted copy of the skill, and avoid sharing terminal output containing tokens.