ClawHub

Books

v1.0.0

CLI for AI agents to search and lookup books for their humans. Uses Open Library API. No auth required.

1· 1.4k·3 current·3 all-time
by@jeffaf
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (book lookups via Open Library) align with the declared binaries (bash, curl, jq) and the documented API usage. No credentials or unusual system access are requested.
!
Instruction Scope
SKILL.md instructs the agent to run a wrapper at {skill_folder}/books (and scripts/books) to call the Open Library API. However, this package contains only README.md and SKILL.md — the referenced executable wrappers/scripts are missing, so the instructions cannot be followed as-is. That gap could lead integrators to fetch external code or the agent to attempt to run non-existent binaries.
Install Mechanism
There is no install spec in the registry (instruction-only skill), which is low-risk. But the README includes an installation example that clones a GitHub repository (https://github.com/jeffaf/books-skill.git). If a user follows that README to install, they will pull and run code from an external source — a behavior not enforced or vetted by the skill package itself and which increases risk.
Credentials
No environment variables, credentials, or config paths are requested. The required tools (bash, curl, jq) are appropriate and proportionate for a CLI that queries a public API.
Persistence & Privilege
always is false and the skill does not request persistent privileges or modify other skills. Autonomous invocation is allowed by default (disable-model-invocation=false) — this is normal for skills and not, by itself, problematic.
What to consider before installing
This skill's purpose and declared requirements are reasonable for querying the Open Library API, but the package as provided does not include the executable wrapper scripts the SKILL.md expects. Before installing or running anything: 1) do not run commands that clone or execute code from external repos without inspecting that code; 2) request the missing scripts from the skill author or inspect the GitHub repo referenced in README (verify repository owner, check commits, review the scripts for network calls/hidden behavior); 3) if you must clone the repo, review the scripts locally for any unexpected commands (remote endpoints, data exfiltration, or use of secrets) before making them executable; 4) prefer skills that include the code being executed in the package or that have a vetted install spec. If you want, I can try to fetch and inspect the referenced GitHub repo (if you permit me to access the network) or guide you through what to check in the scripts.

Like a lobster shell, security has layers — review code before you run it.

latestvk97evh79yx3yr5b40c9tzncp1n80kevd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📚 Clawdis
Binsbash, curl, jq

Comments