v1.0.3

Trakt Read-only

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 6:07 AM.

Analysis

The artifacts match a read-only Trakt.tv query skill, with the main caution being its documented use of Trakt credentials and optional OAuth secrets for playback/device-flow features.

Guidance: This looks coherent for a read-only Trakt.tv integration. Before installing, be comfortable with the agent seeing your Trakt activity/profile results, and only configure the optional OAuth token/client secret if you need playback or device-flow support.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Info | Confidence: High | Status: Note
SKILL.md
Use `{baseDir}/scripts/trakt-api.sh` ... `watching` ... `recent [limit]` ... `playback <type> <start_at> <end_at>` — playback progress (OAuth required)

The skill gives the agent a local script for making external Trakt API calls. This is expected for the purpose and documented as read-only, but users should notice that the agent can invoke these Trakt-querying commands.

User impact: The agent can retrieve Trakt viewing/profile/playback information when the skill is invoked.
Recommendation: Use the skill only for Trakt-related requests and keep the documented read-only guardrails in place.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
metadata
Source: unknown
Homepage: none

The registry metadata does not provide an upstream source or homepage for provenance checking. The included script is still present for review and no remote installer is specified.

User impact: You cannot easily verify the package against an upstream project from the provided metadata.
Recommendation: Review the included files before use and install only from a registry/source you trust.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
README.md
TRAKT_ACCESS_TOKEN: "YOUR_TRAKT_OAUTH_TOKEN", // required for playback
TRAKT_CLIENT_SECRET: "YOUR_TRAKT_CLIENT_SECRET" // required for device token exchange

The skill may use OAuth account secrets for playback and device-token exchange. This is disclosed and purpose-aligned, but these values are more sensitive than a public Trakt client ID.

User impact: If configured, the agent can use OAuth-protected Trakt access for the documented playback/device-flow features.
Recommendation: Configure OAuth variables only if needed, keep them out of shared logs or repositories, and revoke/rotate them if exposed.