Hardcover Bookshelf Skill

v0.1.0

Talk to a user's Hardcover bookshelf via the Hardcover GraphQL API. Use when the user wants to manage reading activity in natural language: start a book, fin...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name, README, SKILL.md, and the bundled TypeScript client all implement Hardcover GraphQL calls to list, start, finish, and count books. The single required env var (HARDCOVER_TOKEN) is the service API token and is proportional to the stated purpose.
Instruction Scope
Runtime instructions only direct the agent to run the local CLI (npx tsx src/cli.ts ...) and require HARDCOVER_TOKEN. The code only reads that env var and calls the official Hardcover endpoint; it does not instruct reading unrelated system files or exfiltrating data to third-party endpoints.
Install Mechanism
No remote downloads or arbitrary installers are used: the skill bundles TypeScript source and relies on Node/tsx. The registry install spec only lists node; SKILL.md and package.json expect running npm/npx/tsx for local execution. Minor inconsistency: the CLI's usage() prints 'bun run ...' while the rest of the docs and commands use 'npx tsx' (likely harmless but inconsistent).
Credentials
Only HARDCOVER_TOKEN is required and correctly documented (including the 'Bearer ' prefix). That single credential directly maps to Hardcover API access. Note: possession of this token grants read/write access to the user's Hardcover account (can list and mutate user_books), which is expected for this skill.
Persistence & Privilege
Skill is not always-on and does not request elevated privileges or modify other skill/system configs. It can be invoked autonomously (platform default), which would allow it to perform API mutations if given the token — this is expected for a skill that performs write operations.
Assessment
This skill appears to do exactly what it claims: it runs a local TypeScript client that calls Hardcover's GraphQL API. Before installing, consider: (1) HARDCOVER_TOKEN is the only secret required — supply only the Hardcover API token and understand it grants the skill permission to read and change your Hardcover shelves (start/finish/create entries). (2) The skill runs local code (no remote downloads), so inspect src/client.ts if you want to verify behavior; its network calls go only to https://api.hardcover.app/v1/graphql. (3) The CLI docs and package.json use npx/tsx; the code's usage() message mentions bun — a minor docs inconsistency only. (4) If you are concerned about autonomous actions, remember the skill can be invoked by the agent to perform mutations; only provide the token to trusted skills and revoke it from your Hardcover account if you stop using the skill.
src/client.test.ts:140
Environment variable access combined with network send.
src/client.ts:15
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

Tags: books, goodreads, hardcover, latest


Runtime requirements

Bins: node, npx
Env: HARDCOVER_TOKEN
Primary env: HARDCOVER_TOKEN

Install

Node
