Skill v1.0.0

ClawScan security

IMDb Redux Overview API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 10:16 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requirements and code match its stated purpose (calling JustOneAPI's IMDb redux-overview endpoint) and do not request unrelated access.
Guidance
This skill appears to do only what it claims: call JustOneAPI's IMDb overview endpoint. Before installing, ensure you trust the JustOneAPI token you will provide and that the token has minimal scope. Be aware the token is sent in the URL query (may be logged or leaked via referer), so avoid using long-lived, high-privilege tokens; rotate or revoke the token if you stop using the skill. Confirm your runtime has a recent Node (v18+) so fetch is available, and verify network access to https://api.justoneapi.com. If you need stronger privacy, ask the maintainer to use an Authorization header instead of a query token.

Review Dimensions

Purpose & Capability
ok: Name/description, required binary (node), and required env var (JUST_ONE_API_TOKEN) align with a small CLI helper that calls JustOneAPI's IMDb endpoint. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
ok: SKILL.md instructs the agent to collect the IMDb id and call the specific GET endpoint. The runtime instructions and the included bin/run.mjs only prepare query parameters, inject the provided token, perform an HTTP GET to api.justoneapi.com, and output the JSON. The skill does not instruct reading arbitrary files or sending data to other endpoints.
Install Mechanism
ok: No install spec or external downloads are present; the skill is instruction-only with a small local Node script (bin/run.mjs). This is low-risk compared with remote installers or archive extraction.
Credentials
note: Only JUST_ONE_API_TOKEN is required and is the declared primary credential, which is proportionate. Note: the implementation sends the token as a query parameter (token=...), which is likely required by the API but can expose the token in logs, referer headers, and analytics; consider token-scoping and rotation practices.
Persistence & Privilege
ok: always is false and the skill does not request persistent system configuration or modify other skills. It does not ask to store credentials or alter agent-wide settings.