Skill v1.0.0
ClawScan security
IMDb Release Expectation API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 10:16 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is a thin, coherent wrapper around a JustOneAPI IMDb endpoint and only requests the expected Node runtime and a single API token needed to call that API.
- Guidance
- This skill appears to do only what it says: call JustOneAPI's IMDb release-expectation endpoint. Before installing, confirm you are comfortable giving the skill a JustOneAPI API token and ensure the token has minimal scope. Note that the included script sends the token as a URL query parameter (per the OpenAPI manifest), so it can be captured in proxy logs, server access logs, and browser or shell history; if the API offers a header-based auth method, prefer it. Test with a non-privileged token first and verify the responses match expectations. Finally, be aware of the small mismatch between the SKILL.md's requested output format (operation ID and summary, then raw JSON) and the script, which currently prints only the JSON response.
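To make the query-parameter caveat concrete, here is an added example in Node (it is not the skill's run.mjs and not JustOneAPI's code). It builds the same GET request two ways, with the token in the query string as the manifest reportedly requires and with the token in a header, and includes a small log-redaction helper a reviewer would want before logging request URLs. The endpoint URL, the query parameter name `token`, and the header name `X-API-Key` are assumptions for illustration, not values taken from the manifest.

```javascript
// Added example, not the skill's own script. Assumed values: endpoint URL,
// query parameter name "token", header name "X-API-Key".
const BASE_URL = "https://api.example.invalid/imdb/release-expectation"; // constructed

// Build a GET request; by default the token goes into the query string
// (the pattern the manifest uses), which ends up in proxy and server logs.
function buildRequest(params, token, { tokenInHeader = false } = {}) {
  const url = new URL(BASE_URL);
  for (const [key, value] of Object.entries(params)) {
    url.searchParams.set(key, String(value));
  }
  const headers = { Accept: "application/json" };
  if (tokenInHeader) {
    headers["X-API-Key"] = token; // assumed header name; headers are normally not logged by access logs
  } else {
    url.searchParams.set("token", token); // assumed parameter name; leaks into logs and history
  }
  return { url: url.toString(), headers };
}

// Query parameter names that commonly carry secrets (illustrative list).
const SENSITIVE_PARAMS = new Set(["token", "api_key", "apikey", "key", "access_token"]);

// Replace secret-bearing query values before a URL is written to any log.
function redactUrl(rawUrl) {
  const url = new URL(rawUrl);
  for (const name of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(name.toLowerCase())) {
      url.searchParams.set(name, "REDACTED");
    }
  }
  return url.toString();
}

// Quick pre-flight check: does the literal token appear in the URL at all?
function tokenLeaksInUrl(rawUrl, token) {
  return rawUrl.includes(encodeURIComponent(token));
}

// Demo with a constructed token (falls back to the env var the skill declares).
const demoToken = process.env.JUST_ONE_API_TOKEN ?? "sk-constructed-token";
const queryMode = buildRequest({ id: "tt0000001" }, demoToken);
const headerMode = buildRequest({ id: "tt0000001" }, demoToken, { tokenInHeader: true });
console.log("query mode, unredacted leaks token:", tokenLeaksInUrl(queryMode.url, demoToken));
console.log("query mode, safe to log:", redactUrl(queryMode.url));
console.log("header mode, URL leaks token:", tokenLeaksInUrl(headerMode.url, demoToken));
```

If the API only accepts the token as a query parameter, the practical mitigation is on the client side: run `redactUrl` over anything you log, keep the script from echoing the full request URL on errors, and use a token scoped to this endpoint only.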
Review Dimensions
- Purpose & Capability
- ok: Name/description, required binary (node), and required env var (JUST_ONE_API_TOKEN) align with a small HTTP client for JustOneAPI's IMDb endpoint. No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope
- note: SKILL.md limits scope to calling the documented GET endpoint and asks the agent to request missing parameters before calling. The included run.mjs implements only a direct HTTP call and prints the JSON response. Minor mismatch: SKILL.md asks the agent to echo the operation ID and a short summary before the raw JSON, but the script itself writes only the JSON response; this is a usability mismatch, not a security concern.
- Install Mechanism
- ok: No install spec or external downloads; the skill is instruction-only with an included Node script. Nothing is fetched from arbitrary URLs or written to unexpected locations.
- Credentials
- ok: Only JUST_ONE_API_TOKEN is required and it is declared as the primary credential, which is proportional for an API client. Note: the manifest and script pass the token as a query parameter, which may expose it in logs or proxies; this is an API design detail rather than a misalignment with the skill's purpose.
- Persistence & Privilege
- ok: The skill does not request persistent/always-on presence, does not modify other skills or system settings, and does not require elevated privileges.
