v0.1.0
Duolingo Tracker
Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 8:02 AM.
Analysis
This skill is purpose-aligned for checking Duolingo stats, but users should treat the optional Duolingo JWT cookie like a password.
Guidance: Install only if you are comfortable with a skill using your Duolingo session JWT for authenticated stats. Prefer the unauthenticated username mode for basic public stats, and never share the JWT in outputs, logs, screenshots, or shared shell profiles.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Permission boundary
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
Identity and Privilege Abuse
Severity: Medium. Confidence: High. Status: Note.
SKILL.md
Copy the value of the `jwt_token` cookie ... Save it: `export DUOLINGO_JWT="your_token_here"`
The skill asks the user to provide a Duolingo browser-session JWT. This is sensitive credential material, even though it is disclosed, optional, and used for the stated Duolingo stats purpose.
User impact: If the JWT is accidentally shared or logged, someone else may be able to access Duolingo account data until the token expires or is revoked.
Recommendation: Use username-only public stats when possible. If using the JWT, treat it like a password, do not paste it into public chats or logs, and refresh or revoke the session if it may have been exposed.
