ClawHub

Readwise & Reader API

v1.0.0

Manage Readwise highlights, books, daily review, and Reader documents (save-for-later / read-it-later). Use when the user wants to save articles or URLs to Reader, browse their reading list, search saved documents, review highlights, create or manage highlights and notes, check their daily review, list books/sources, or interact with Readwise/Reader in any way.

3· 1.7k·2 current·2 all-time
by@gchapim
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description match the included code: the bundled script talks only to Readwise (api.readwise.io) and Reader endpoints and implements document/highlight/book/review operations. However, the skill registry metadata claims no required environment variables or binaries while the SKILL.md and the included script clearly require READWISE_TOKEN and the presence of curl and jq. That mismatch is unexpected and should be corrected.
Instruction Scope
SKILL.md instructs use of the bundled CLI script and explicitly requires READWISE_TOKEN. The runtime instructions and examples only reference Readwise/Reader API endpoints and local CLI usage; they do not ask the agent to read unrelated files, system configuration, or send data to unknown endpoints. The script itself sets Authorization: Token ${READWISE_TOKEN} and makes calls only to readwise.io endpoints.
Install Mechanism
There is no external install specification; the skill is instruction-only plus a bundled shell script. No remote downloads or extract steps are present in the manifest, so nothing arbitrary is fetched during install.
!
Credentials
The script and SKILL.md require a READWISE_TOKEN (used as Authorization header) and the binaries curl and jq, but the registry metadata lists none of these as required (primaryEnv is none). This is a material inconsistency: a token is necessary for the described functionality and should be declared as the primary credential. The script does not request other secrets, though.
Persistence & Privilege
The skill is not always:true and does not request persistent system-wide privileges. It does not modify other skills or system configs. Autonomous invocation is allowed (platform default) but not combined with other high-risk flags.
What to consider before installing
This skill appears to do exactly what it says (managing Readwise/Reader items) and the bundled script only talks to readwise.io. However, the registry metadata omitted required items: the SKILL.md and scripts require a READWISE_TOKEN and the binaries curl and jq. Before installing, verify the source/trustworthiness of the skill author; confirm you are comfortable providing a READWISE_TOKEN (treat it as a secret) and consider generating a token with minimal scope. Inspect scripts/readwise.sh yourself to confirm no unexpected network calls beyond readwise.io, and ensure your environment has curl and jq available. Ask the publisher to update the registry metadata to declare READWISE_TOKEN as the primary credential and list required binaries; absent that, treat the mismatch as a warning and prefer a skill whose metadata matches its runtime requirements.

Like a lobster shell, security has layers — review code before you run it.

latestvk977abp9jtpzsmwxe65yq2tfds80d20d

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments