Karakeep
v1.0.3Official skill for how to use karakeep (the bookmark manager) and interact with it programmatically.
⭐ 0· 101·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description, required binary (karakeep), and required env vars (KARAKEEP_API_KEY, optional KARAKEEP_SERVER_ADDR) all match the stated purpose of interacting with a Karakeep instance. The install spec (npm @karakeep/cli) produces the karakeep binary declared as required.
Instruction Scope
SKILL.md instructs installing the CLI, setting the API key/server address, and using the CLI to manage bookmarks. The visible instructions do not ask the agent to read unrelated files, secrets, or system config. (Note: the provided excerpt included a truncation marker; the visible content contains only expected CLI usage.)
Install Mechanism
Install uses an npm package (@karakeep/cli) which is a reasonable way to provide a CLI but carries the normal npm supply-chain risk (postinstall scripts, arbitrary code at install-time). The SKILL.md also references an official Docker image (ghcr.io) which is a standard distribution. No suspicious download URLs or extract-from-arbitrary-URL installs were found.
Credentials
Required env vars are limited to the API key and server address for the Karakeep service — proportional to the stated functionality. Minor metadata inconsistency: SKILL.md marks KARAKEEP_SERVER_ADDR as optional but the registry 'requires.env' lists both env vars; this is likely a small metadata mismatch rather than a substantive risk.
Persistence & Privilege
Skill is not marked always:true and does not request permanent elevated privileges or modifications to other skills. Autonomous invocation is allowed (platform default) but not combined with other concerning indicators.
Assessment
This skill looks coherent for controlling a Karakeep instance: it needs the karakeep CLI and your Karakeep API key (and optionally the server address). Before installing, verify the npm package and Docker image come from the official Karakeep project (check the repository link and publisher), and prefer the Docker image or a vetted package provider if you don't fully trust the npm supply chain. Only provide an API key with the minimum necessary scope; if possible create a scoped or revocable token. Note the small metadata mismatch about whether the server address is required — double-check configuration when you install. If you have high security requirements, inspect the package source code or run installation in an isolated environment (container/VM) and review the repository at https://github.com/karakeep-app/karakeep before handing over credentials.Like a lobster shell, security has layers — review code before you run it.
Plugin bundle (nix)
Skill pack · CLI binary · Config
SKILL.mdCLIConfig
CLI help (from plugin)
karakeep --help
latestvk97dr4fzpr3htttx61qg4esw8d84tvjs
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📦 Clawdis
Binskarakeep
EnvKARAKEEP_API_KEY, KARAKEEP_SERVER_ADDR
Environment variables
KARAKEEP_API_KEYrequired— The API key for your Karakeep instanceKARAKEEP_SERVER_ADDRoptional— The server address for your Karakeep instance.Install
Node
Bins: karakeep
npm i -g @karakeep/cli