ClawHub
Back to skill
v0.1.0

Readeck

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 4:50 AM.

Analysis

This is a simple Readeck API instruction skill; it uses a Readeck API key and can add, list, update, or delete bookmarks, which is disclosed and aligned with its purpose.

GuidanceBefore installing or using this skill, make sure the Readeck URL is your intended server, provide only the API key you want the agent to use, and double-check any bookmark ID before update or delete actions.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
### Delete Entry

```bash
curl -X DELETE "$READECK_URL/api/bookmarks/$ID" \
  -H "Authorization: Bearer $READECK_API_KEY"
```

The skill documents a destructive Readeck API operation. Deleting bookmarks is consistent with 'managing bookmarks,' but it can remove user data if the wrong ID is used.

User impactThe agent could delete a saved Readeck entry when asked to manage bookmarks, which may be difficult to undo depending on Readeck's behavior.
RecommendationConfirm the bookmark ID and intended action before allowing delete or update operations.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
metadata
Source: unknown
Homepage: none

The artifact has limited provenance information. This is a minor note because there is no code or install step, only runtime instructions.

User impactUsers have less external context for verifying who maintains the skill or where its instructions came from.
RecommendationReview the SKILL.md instructions before use and verify the Readeck API endpoint is your intended server.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
Configure Readeck access via:
- Request parameters: `url` and `apiKey`
- Environment variables: `READECK_URL` and `READECK_API_KEY`

The skill uses a bearer API key for the user's Readeck account. This is expected for the integration, but users should recognize that the key grants account access for the documented bookmark operations.

User impactAnyone using the configured API key can access or change the associated Readeck bookmarks according to that key's permissions.
RecommendationUse a Readeck API key with the narrowest available permissions, keep it private, and only provide it when you intend the agent to operate on that Readeck account.