ClawHub

NLB

v0.1.0

check loans and search resources from the National Library Board of Singapore

1· 1.4k·2 current·2 all-time
by@kk17
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description (NLB: check loans and search resources) aligns with the instructions to open NLB pages and search the catalogue. However, several of the skill's features (checking loans and recommendations) explicitly require a logged-in myLibrary account, yet the skill declares no credentials, environment variables, or guidance on how credentials are to be provided or protected. That omission is an incoherence between claimed capability and declared requirements.
!
Instruction Scope
SKILL.md tells the agent to open NLB login and mylibrary pages and to 'Use user myLibrary username and password to login'. It otherwise only constructs catalogue URLs for searches. The instructions do not ask the agent to read unrelated files or system state, but they do require handling sensitive credentials without specifying how (no secure input, no env var names, no guidance to avoid pasting secrets into chat). This ambiguity may lead the agent to request credentials in-chat or otherwise mishandle them.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. Nothing is downloaded or written to disk, which minimizes install-time risk.
!
Credentials
The skill requests no environment variables or primary credential in metadata but its functionality (checking loans, recommendations) requires account credentials. The absence of declared credential inputs or a secure mechanism to supply them is disproportionate and unclear — environment/credential handling is underspecified.
Persistence & Privilege
The skill is not marked always:true and does not request any persistent system-wide configuration or modify other skills. Autonomous invocation is allowed (platform default), but there are no extra persistence or privilege requests in the manifest.
What to consider before installing
This skill appears to be a simple, instruction-only helper for searching the NLB catalogue and checking loans, but it explicitly requires your myLibrary login to check loans/recommendations while providing no secure mechanism for supplying credentials. Before installing or using: (1) Do not paste your username/password into chat if the agent asks — instead sign into the NLB site yourself in a browser and only let the agent operate on non-sensitive data you explicitly provide. (2) Prefer workflows that use official API tokens or browser-based authentication rather than sending passwords. (3) Verify the skill's source/author before sharing any credentials; this skill's package metadata is 'unknown'. (4) If you decide to use it, ask the maintainer to declare how credentials should be handled (env vars, OAuth, or explicit user-driven browser login) so you can evaluate the privacy risk. Because of the missing credential-handling details, treat this skill with caution.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cx961kjk63nrq9yzc8pnhjh80mxje

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📚 Clawdis

Comments