Wallabag
v1.0.1
Manage Wallabag bookmarks through the Wallabag Developer API with OAuth2 authentication, including creating, reading, updating, deleting, searching, and tag...
by Florian Brandel (@fbrandel)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The script, README, SKILL.md and reference docs consistently implement Wallabag API operations using OAuth password-grant and API endpoints — this aligns with the skill name and description. Required tools (bash, curl, jq for tag ops) and env vars (base URL, client id/secret, username/password) are appropriate for this purpose.
Instruction Scope
Runtime instructions limit activity to the Wallabag API and to in-process token handling. The SKILL.md and script do not read unrelated system files or exfiltrate data to external endpoints beyond the user-supplied WALLABAG_BASE_URL. The script temporarily writes curl responses to a temp file but removes it afterwards.
Install Mechanism
This is an instruction-only skill with a bundled script; there is no install that downloads or executes remote code. No third-party package downloads or unusual install locations are used.
Credentials
The SKILL.md and script require five sensitive environment variables (WALLABAG_BASE_URL, CLIENT_ID, CLIENT_SECRET, USERNAME, PASSWORD). Those requirements are proportionate to a password-grant OAuth implementation, but the registry metadata indicates 'Required env vars: none' and 'Primary credential: none', which is inconsistent and misleading. Requesting full account credentials is sensitive; there is no alternative OAuth flow implemented in the script (e.g., interactive authorization code flow).
Persistence & Privilege
The skill does not request persistent installation, does not set always:true, and does not modify other skills or system-wide settings. Tokens are held in-process only and not persisted to disk by design.
What to consider before installing
Before installing or enabling this skill:
- Be aware the script uses the OAuth password grant: you must supply WALLABAG_USERNAME and WALLABAG_PASSWORD plus a client id/secret. This means you are giving the skill full account credentials; use a dedicated, low-privilege account and client if possible.
- The registry metadata omitted required env vars and credentials — treat that as a red flag: confirm the listed required environment variables in SKILL.md are accurate before trusting the skill.
- Review scripts/wallabag.sh yourself (it is small and readable). It uses curl and jq, stores tokens only in memory, and removes temporary files; these behaviours are reasonable but verify they meet your policies.
- Avoid running auth --show-token in environments where stdout may be logged; it will print the token JSON when requested.
- If you prefer not to provide a password to the agent, ask the skill author to implement an authorization-code flow or a token-only flow so long-lived credentials are not supplied.
If you cannot verify the code or do not want to expose account credentials, do not install or enable the skill.
