Octolens

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a coherent Octolens API querying helper, but it requires an Octolens API key and includes optional setup commands that users should handle carefully.

This skill looks safe for its stated purpose if you trust the publisher and intend to query Octolens. Before using it, verify the package source, avoid running the optional remote sudo Node installer unless you trust it, and provide only a least-privileged Octolens API key. Treat returned mentions, keywords, saved views, and the API key as sensitive account data.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Providing the token lets the skill read Octolens data available to that API key.

Why it was flagged

The skill needs a user-provided Octolens account token. This is expected for the integration, but the token grants access to account-specific mentions, keywords, and saved views.

Skill content

The Octolens API requires a Bearer token for authentication. The user should provide their API key... Always ask the user for their API key before making any API calls.

Recommendation

Use the least-privileged or read-only Octolens key available, provide it only when needed, and avoid sharing the key in logs or transcripts.

What this means

Users have less publisher/provenance context before trusting the skill with an API key.

Why it was flagged

The registry metadata does not provide an upstream source or homepage for independent provenance checks. The included code is simple and the static scan is clean, so this is a provenance note rather than a concern.

Skill content

Source: unknown
Homepage: none

Recommendation

Confirm this is the intended Octolens package or review the bundled scripts before supplying credentials.

What this means

If followed, this setup command gives a remote installer elevated privileges on the local machine.

Why it was flagged

The README includes a user-directed optional setup command that runs a remote NodeSource script with sudo. It is not automatic skill behavior, but it is a higher-risk installation pattern users should notice.

Skill content

curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
sudo apt-get install -y nodejs

Recommendation

Prefer an already-installed trusted Node.js 18+ runtime or install Node through your normal package-management process; only run remote sudo setup scripts if you trust the source.