ClawHub

Starwars

v1.0.0

CLI for AI agents to lookup Star Wars universe info for their humans. Uses SWAPI. No auth required.

0· 1.2k·0 current·0 all-time
by@jeffaf
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the declared behavior (queries SWAPI). Required binaries (bash, curl, jq) are proportionate for a small CLI that calls a public API. However, the SKILL.md and README refer to a './starwars' wrapper and 'scripts/starwars' being present — no such script is included in the package, creating a mismatch between claimed capabilities and what's actually provided.
!
Instruction Scope
Runtime instructions tell the agent to run a local CLI wrapper (./starwars people "name" etc.). The skill package contains only README.md and SKILL.md with no scripts. It's unclear whether the agent should install the CLI, fetch it from an external URL, or already have it on PATH. The instructions do not ask for unrelated files or credentials, but they give the agent broad discretion to run a local executable that isn't present — risk arises if the agent attempts to download or execute code without explicit, auditable source.
Install Mechanism
There is no formal install spec (instruction-only), which is low risk in principle. The README documents manual installation that clones a GitHub repo and symlinks a script into /usr/local/bin; because no script is bundled, a user or agent would need to obtain code externally. That external fetch is not specified within SKILL.md and therefore increases risk until the script source is inspected.
Credentials
The skill requests no environment variables or credentials, which is appropriate for a public, unauthenticated API like SWAPI. Required binaries are reasonable for the described operations.
Persistence & Privilege
Skill is not set to always:true and does not request special persistence or system-wide configuration changes. The README suggests optional manual installation into system paths, which is normal for a CLI but should be done only after code review.
What to consider before installing
This skill claims to be a simple SWAPI CLI and does not request secrets, which is good — but the package does not include the 'starwars' script the instructions reference. Before installing or running anything: (1) verify the actual CLI source (follow the README's GitHub link and inspect scripts/starwars or official releases); (2) do not symlink or install any script into /usr/local/bin until you have reviewed its contents and network behavior; (3) prefer downloading releases from the repository's official releases page (avoid pastebins or unverified URLs); (4) if you let an agent invoke the skill autonomously, ensure you trust it to fetch/install code or restrict it to use only an already-reviewed binary; and (5) check that the script only calls swapi.dev (or other expected hosts) and does not phone home to unexpected endpoints. If the author can provide the script source inline in the package or a signed release URL, that would resolve the main concern.

Like a lobster shell, security has layers — review code before you run it.

latestvk97062rb2gk81r9dg6sn8jhc6d80jmv5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

⚔️ Clawdis
Binsbash, curl, jq

Comments