ClawHub

Trakt.tv Integration

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Trakt.tv integration, but it needs review because it asks the agent to handle and persist sensitive Trakt credentials without strong safeguards.

Install only if you are comfortable giving the skill ongoing access to your Trakt account and viewing data. Prefer entering secrets locally rather than in chat, use the narrowest Trakt app permissions possible, protect ~/.openclaw/trakt_config.json with owner-only permissions, use a virtual environment for dependencies, and require confirmation before any command that changes watch history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print_info("Installing requests...")
        
        try:
            subprocess.run([
                sys.executable, "-m", "pip", "install", 
                "requests", "--break-system-packages"
            ], check=True, capture_output=True)
Confidence
85% confidence
Finding
subprocess.run([ sys.executable, "-m", "pip", "install", "requests", "--break-system-packages" ], check=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
elif sys.platform == 'linux':
            subprocess.run(['xdg-open', url], check=False)
        elif sys.platform == 'win32':
            subprocess.run(['start', url], shell=True, check=False)
        print_success(f"Opened {url}")
    except Exception as e:
        print_info(f"Please visit: {url}")
Confidence
97% confidence
Finding
subprocess.run(['start', url], shell=True, check=False)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
elif sys.platform == 'linux':
                subprocess.run(['xdg-open', pin_url], check=False)
            elif sys.platform == 'win32':
                subprocess.run(['start', pin_url], shell=True, check=False)
            print_success(f"Opened {pin_url}")
        except:
            print_info(f"Please visit: {pin_url}")
Confidence
99% confidence
Finding
subprocess.run(['start', pin_url], shell=True, check=False)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to read local files, write a persistent config file, access the network, and run shell commands, but it does not declare permissions or present clear boundaries for those capabilities. This increases the risk of over-privileged execution and makes it harder for the platform or user to understand that sensitive local data and external API access are involved.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
A setup script for a media recommendation skill should not silently modify the Python environment by installing packages during execution, especially with --break-system-packages. This broadens the trust boundary from the skill itself to package indexes and local package management, increasing supply-chain and environment integrity risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide explicitly instructs the agent to ask the user for a Trakt Client Secret and then write it into a plaintext config file under the user's home directory. Client secrets are sensitive credentials, and collecting and persisting them through an agent increases the chance of disclosure via logs, prompt history, shell history, filesystem compromise, or unintended reuse by other skills/processes.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The README states that the skill 'automatically triggers when Trakt-related queries are detected' without clearly defining boundaries or requiring explicit user confirmation. In an agent ecosystem, overly broad trigger descriptions can cause the skill to activate on loosely related entertainment queries and unnecessarily access personal Trakt data or perform actions the user did not intend.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs users to store a client secret, access token, and refresh token in ~/.openclaw/trakt_config.json but does not warn that these are sensitive credentials requiring local protection. If that file is exposed through weak permissions, backups, logs, or multi-user systems, an attacker could reuse the tokens or secret to access the user's Trakt account and associated viewing data.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The phrase "or similar" broadens the activation scope in an open-ended way, which can cause the skill to run for loosely related requests without clear user intent. In a skill that can access account history, watchlists, local config files, and external APIs, ambiguous invocation increases the chance of unintended data access or actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill description says it can track what the user is watching, check watchlists, and provide personalized suggestions, but it does not warn that this requires accessing private viewing history and account-linked data. Without a privacy warning and consent cue, users may not realize the skill is handling sensitive preference and behavioral data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script stores the Trakt client secret in plaintext under the user's home directory without setting restrictive permissions or warning the user about sensitivity. Local plaintext secret storage increases the chance of credential disclosure through other local users, backups, logs, or malware.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The client persists the Trakt client secret, access token, and refresh token in a JSON file under the user's home directory without setting restrictive file permissions or warning the user that long-lived credentials are being stored locally. On multi-user systems, shared environments, backups, or if local malware gains file access, these secrets could be stolen and used to access or modify the user's Trakt account.

Ssd 3

Medium
Confidence
97% confidence
Finding
This is a true secret-handling issue: the installation flow has the agent solicit the user's Client Secret and retain it in ~/.openclaw/trakt_config.json. Even if intended for legitimate setup, persistent local storage of a long-lived secret in plaintext materially increases exposure and can enable unauthorized API use or token minting if the file is accessed by malware, another local user, backups, or telemetry.

Ssd 3

Medium
Confidence
90% confidence
Finding
The guide instructs the agent to request a one-time PIN from the user and use it to complete authentication. Although the PIN is temporary, it is still an authentication factor, and asking the user to disclose it to the agent creates an opportunity for interception in chat transcripts, logs, or by a compromised agent, enabling account authorization without the user's continued control.

Session Persistence

Medium
Category
Rogue Agent
Content
2. **Trakt.tv account** with Pro subscription (required for automatic watch tracking)

3. **Trakt API application** - Create at <https://trakt.tv/oauth/applications>

4. **Configuration file:** `~/.openclaw/trakt_config.json` (see setup below)
Confidence
93% confidence
Finding
Create at <https://trakt.tv/oauth/applications> 4. **Configuration file:** `~/.openclaw/trakt_config.json` (see setup below) ## Setup ### 1. Create Trakt Application 1. Visit <https://trakt.tv/oau

VirusTotal

54/54 vendors flagged this skill as clean.

View on VirusTotal