Book Review Skill
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may trust that no data leaves the device while other included documentation says the skill uses an external AI provider.
This contradicts the safe-version positioning in SKILL.md and the source comments that claim no external API calls and local-template processing only, making the privacy claims unreliable.
✅ **AI Generation**: Generate in-depth expanded reviews based on DeepSeek API
The publisher should remove or correct stale DeepSeek/API documentation, or accurately declare any external provider use before users install or configure the skill.
Users could unnecessarily create or expose a service credential for a version of the skill that does not appear to need it.
The README instructs users to provide an API key even though the registry requirements and safe-version SKILL.md declare no credentials, and the included code does not read this variable.
export DEEPSEEK_API_KEY=sk-your-api-key
Do not provide API keys for this skill unless the publisher updates the metadata and code review clearly shows why they are required.
Users may be led to point the skill at private notes or to cache reading data, even though the reviewed runtime does not need filesystem access.
The README describes broad personal note-library paths and a cache directory without clear exclusions, retention, or approval boundaries, while the safe-version code claims no filesystem access.
export BOOK_REVIEW_NOTE_PATHS=~/Documents/Notes,~/Obsidian ... BOOK_REVIEW_CACHE_DIR=~/.cache/book-review
Avoid configuring note paths or cache locations for this skill until the publisher reconciles the documentation and clearly scopes any local indexing behavior.
