MAL-Updater
v0.1.6Multi-provider anime → MyAnimeList sync and recommendations skill with guarded auth, review-queue triage, health checks, bootstrap auditing, and user-systemd...
⭐ 0· 136·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (MyAnimeList sync + provider ingestion + recommendations) match the repository contents: Python CLI, Crunchyroll/HIDIVE provider implementations, MAL client integration, review queue, and systemd install helpers. Declared runtime binaries (python3/python) are appropriate.
Instruction Scope
SKILL.md instructs running the repo-local Python CLI, running bootstrap-audit, staging secrets under an external runtime tree (.MAL-Updater/), and optionally installing a user-level systemd daemon via the provided scripts. These are within the stated purpose. Note: the agent/operator will be instructed to create/stage credentials and to install a long-lived daemon that performs network requests and token refreshes; that is expected but worth explicit operator review before enabling unattended mode.
Install Mechanism
No external install spec or remote downloads. All code is included in the repo and intended to be executed in-place via PYTHONPATH=src python3 -m mal_updater.cli. That reduces supply-chain ambiguity. Scripts will render/install user systemd units on the host (user-level only).
Credentials
Primary credential declared (MAL_UPDATER_MAL_CLIENT_ID) is consistent with the MAL OAuth requirement. The repo prefers staging secrets in .MAL-Updater/secrets/ rather than environment variables for provider credentials; registry metadata naming an env var may be a mild mismatch with SKILL.md (operator should confirm how to supply the MAL client id). Crunchyroll/HIDIVE credentials are requested only when those providers are enabled, which matches the described workflow.
Persistence & Privilege
The skill requires (optional) installation of a user-level systemd service that runs a long-lived daemon which persists state and tokens under the workspace runtime tree. That provides persistent background networked behavior and token storage; it is legitimate for this skill but increases attack surface. always:false and normal agent-autonomy settings mitigate risk, but operators should inspect the unit/script and secure .MAL-Updater/secrets/ (restrict permissions).
Assessment
This repo appears to implement what it claims: a local Python CLI and optional user-level daemon that fetches provider data (Crunchyroll/HIDIVE), maps it to MyAnimeList, and can perform guarded writes. Before installing or enabling unattended operation: 1) Review scripts/install_user_systemd_units.sh and the rendered .service unit to confirm you understand what the daemon will run and its environment; 2) Verify where the MAL client id and provider credentials are read from (SKILL.md recommends staging into .MAL-Updater/secrets/), and secure that directory with restrictive local permissions; 3) Confirm you trust the upstream source (homepage repo) and optionally scan the included code for network endpoints you don’t recognize; 4) Use bootstrap-audit and run dry-run-sync / health-check first; and 5) Only enable the user-systemd daemon on hosts where persistent background networked access and stored tokens are acceptable. The only small inconsistency: the registry metadata lists a primaryEnv name while most docs instruct storing credentials in the external secrets directory — confirm which mechanism your deployment expects.Like a lobster shell, security has layers — review code before you run it.
latestvk971yjehb9vscmwkd5w7jj5vj983vtqn
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📺 Clawdis
OSLinux
Any binpython3, python
Primary envMAL_UPDATER_MAL_CLIENT_ID