ClawHub

Trakt Read-only

v1.0.3

Read-only Trakt.tv skill for checking a user’s currently watching item, recent episode history, watched shows list, stats, profile, and playback progress (OA...

0· 342·0 current·0 all-time
byMagolo Dennis Ooki@dennisooki
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (read-only Trakt client) aligns with required binaries (curl, jq), the primary credential (TRAKT_CLIENT_ID), and the functionality implemented in scripts (watching, recent, profile, stats, playback via OAuth).
Instruction Scope
SKILL.md and README direct the agent to run the included shell script and only to call https://api.trakt.tv. The SKILL.md lists TRAKT_ACCESS_TOKEN and TRAKT_CLIENT_SECRET (used only for OAuth playback/device flows) in addition to the registry-declared env vars; this is reasonable but a small metadata mismatch (registry required-env lists only TRAKT_CLIENT_ID and TRAKT_USERNAME). The script does not read unrelated files or contact other endpoints.
Install Mechanism
No install spec (instruction-only with an included script) — nothing is downloaded or extracted at install time. Risk is low because the only code is the provided bash script and supporting docs.
Credentials
Declared primary credential (TRAKT_CLIENT_ID) and required envs (TRAKT_CLIENT_ID, TRAKT_USERNAME) match the read-only use. Optional OAuth env vars (TRAKT_ACCESS_TOKEN, TRAKT_CLIENT_SECRET) are only needed for playback/device flows and are not required for normal read-only queries.
Persistence & Privilege
Skill is not always-enabled, does not request system-wide config writes, and does not modify other skills. Autonomous invocation is allowed but this is the platform default and not in itself a red flag here.
Assessment
This skill appears to do exactly what it says: run the included shell script to query Trakt's API. Before installing: (1) provide only TRAKT_CLIENT_ID and TRAKT_USERNAME for read-only use — only set TRAKT_ACCESS_TOKEN or TRAKT_CLIENT_SECRET if you intend to run OAuth playback/device commands; (2) keep any tokens/secrets in the agent's secure environment (do not commit them to git); (3) if you want extra caution, run the script locally once to inspect behavior (it only calls api.trakt.tv and uses curl/jq); and (4) note that the registry metadata lists only two required env vars while the docs mention optional OAuth vars — this is expected for optional features but verify you only supply secrets when needed.

Like a lobster shell, security has layers — review code before you run it.

latestvk979zt7wmxmcn19mvfm7sejh7581xvp8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📺 Clawdis
Binscurl, jq
EnvTRAKT_CLIENT_ID, TRAKT_USERNAME
Primary envTRAKT_CLIENT_ID

Comments