Back to skill
Skillv1.0.0
ClawScan security
IMDb Recommendations API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 28, 2026, 8:46 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, documentation, and required environment variables are consistent with its stated purpose (calling JustOneAPI's IMDb recommendations endpoint) and do not request unexplained access.
- Guidance
- This skill appears to do exactly what it claims: call JustOneAPI's IMDb recommendations endpoint using JUST_ONE_API_TOKEN and an IMDb id. Before installing, confirm you trust JustOneAPI to receive requests from your agent (the token will be sent to api.justoneapi.com). Ensure Node is available in the environment. Avoid pasting the token into chat or logs; provide it via the environment variable as instructed. If you need the agent to never call external APIs autonomously, consider disabling autonomous invocation in your agent settings.
Review Dimensions
- Purpose & Capability
- okName/description, declared requirements (node, JUST_ONE_API_TOKEN), and the included code (bin/run.mjs) all match a simple HTTP client that calls GET /api/imdb/title-more-like-this-query/v1 with an API token and id. There are no unrelated credentials or binaries requested.
- Instruction Scope
- okSKILL.md limits runtime actions to collecting the required parameter (id) and invoking the provided node script with the declared token. The instructions do not ask the agent to read other files, secrets, or system configuration, nor do they instruct exfiltration to unexpected endpoints.
- Install Mechanism
- okThis is an instruction+helper-script skill with no install spec. No downloads or archive extraction occur; only a node script is included, which is low risk and proportional to the purpose.
- Credentials
- okThe single required environment variable is JUST_ONE_API_TOKEN (declared as primaryEnv) and is used solely to populate the token query parameter for the API call. No unrelated secrets or config paths are requested.
- Persistence & Privilege
- okalways:false and normal model invocation settings. The skill does not request persistent system-level privileges or modify other skills; it simply runs the included Node helper when invoked.