Kmoe Manga Download

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent for downloading Kmoe manga, but users should notice that it relies on an external CLI, handles Kmoe account credentials, and can run optional post-download callback commands.

Before installing, verify that you trust the kmoe-manga-downloader package and the kmdr CLI. Prefer prompted password entry over command-line passwords, use only authorized Kmoe accounts, choose a scoped download folder, and approve any callback script before it runs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the package gives third-party code local execution on the user's machine.

Why it was flagged

The skill requires installing and running an external Python package to obtain the kmdr CLI. This is central to the stated purpose, but the artifact does not pin a version or provide package provenance.

Skill content

pip install kmoe-manga-downloader

Recommendation

Install only from a trusted package source, verify the package name and maintainer, and consider using an isolated Python environment.

What this means

Kmoe credentials may be stored or used by the kmdr CLI, and passing a password with -p could expose it through shell history or process listings.

Why it was flagged

The skill explicitly uses Kmoe account credentials and can manage multiple accounts in a credential pool. This is expected for a downloader that needs authenticated access, but it involves sensitive account authority.

Skill content

kmdr login -u <username> [-p <password>] ... Manage multiple accounts for failover when one account's quota is exhausted.

Recommendation

Use the password prompt instead of putting passwords directly in commands, and only add accounts that the user owns or is authorized to use.

What this means

An unsafe callback could modify files, send data, or run unintended commands after downloads complete.

Why it was flagged

The CLI supports user-supplied post-download callback scripts, including template variables populated from manga metadata. This is disclosed and optional, but it is a local command-execution surface.

Skill content

`-c, --callback` — Post-download callback script ... callbacks support template variables: `{v.name}`, `{b.name}`

Recommendation

Only run callbacks the user explicitly approves, keep callback commands narrowly scoped, and be careful when inserting template variables into shell commands.