MAL Anime Tracker

v1.9.3

Track and manage your MyAnimeList anime lists, get anime details, rankings, seasonal updates, and receive new episode notifications.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (MAL tracking, notifications) align with required credentials (CLIENT_ID, CLIENT_SECRET, ACCESS_TOKEN, REFRESH_TOKEN), network access to api.myanimelist.net, and notify.message capability declared in manifest. There are no unrelated external services or unexpected credentials requested.
Instruction Scope
Runtime instructions focus on MAL OAuth setup, installing Python deps, and running the provided CLI commands. One minor concern: auth.py prints ACCESS_TOKEN/REFRESH_TOKEN to stdout (SKILL.md instructs capturing these), which can leak tokens into shells/logs if not handled carefully; the cron example pipes output into an openclaw message send command (expected for notification feature).
Install Mechanism
No download/install of arbitrary code; dependencies are standard Python packages (requests, python-dotenv) listed in requirements.txt. The skill is instruction+code and relies on pip installing two well-known libraries.
Credentials
Requested environment variables are limited to MAL OAuth credentials and tokens, which are required for the described functionality. No unrelated secrets, cloud credentials, or system tokens are requested.
Persistence & Privilege
always is false and the skill does not request system-wide configuration changes. It can be invoked autonomously (default), which is expected for a notifier skill and is not excessive here.
Assessment
This package appears to do what it says: it calls the MyAnimeList API and sends notifications via OpenClaw. If you install it, keep these points in mind:
- You must provide MAL OAuth credentials (CLIENT_ID, CLIENT_SECRET, ACCESS_TOKEN, REFRESH_TOKEN). Store them in a secrets vault (OpenClaw vault) rather than plaintext .env when possible.
- auth.py prints tokens to stdout for you to capture — avoid running it where shell history or logs are retained, or copy printed tokens into a secure vault immediately.
- The cron/example sends messages using the openclaw CLI; ensure that the CLI and any chat target IDs are properly controlled (don't send tokens or other secrets in messages).
- Review or run the code in an isolated environment before giving it access to production secrets. The codebase has some duplicate logic and modest quality issues, but no indicators of exfiltration to unexpected endpoints.
- Optional: verify the manifest/version consistency and review logs for accidental token leakage after first run.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ckkp0cedyafrnp49g9th7y984bnm7
