Trakt Read-only

Pass. Audited by ClawScan on May 1, 2026.

Overview

The artifacts match a read-only Trakt.tv query skill, with the main caution being its documented use of Trakt credentials and optional OAuth secrets for playback/device-flow features.

This looks coherent for a read-only Trakt.tv integration. Before installing, be comfortable with the agent seeing your Trakt activity/profile results, and only configure the optional OAuth token/client secret if you need playback or device-flow support.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can retrieve Trakt viewing/profile/playback information when the skill is invoked.

Why it was flagged

The skill gives the agent a local script for making external Trakt API calls. This is expected for its purpose and documented as read-only, but users should be aware that the agent can invoke these Trakt-querying commands on its own.

Skill content
Use `{baseDir}/scripts/trakt-api.sh` ... `watching` ... `recent [limit]` ... `playback <type> <start_at> <end_at>` — playback progress (OAuth required)
Recommendation

Use the skill only for Trakt-related requests and keep the documented read-only guardrails in place.

What this means

If configured, the agent can use OAuth-protected Trakt access for the documented playback/device-flow features.

Why it was flagged

The skill may use OAuth account secrets for playback and device-token exchange. This is disclosed and purpose-aligned, but these values are more sensitive than a public Trakt client ID.

Skill content
TRAKT_ACCESS_TOKEN: "YOUR_TRAKT_OAUTH_TOKEN", // required for playback
TRAKT_CLIENT_SECRET: "YOUR_TRAKT_CLIENT_SECRET" // required for device token exchange
Recommendation

Configure OAuth variables only if needed, keep them out of shared logs or repositories, and revoke/rotate them if exposed.

What this means

You cannot easily verify the package against an upstream project from the provided metadata.

Why it was flagged

The registry metadata does not provide an upstream source or homepage for provenance checking. The included script is still present for review and no remote installer is specified.

Skill content
Source: unknown
Homepage: none
Recommendation

Review the included files before use and install only from a registry/source you trust.