are.na claw
v2.2.0Simple CLI wrapper for the are.na API. Lists channels, adds blocks, watches feeds. No AI, no automation, no external integrations. Just API calls.
⭐ 0· 570·0 current·0 all-time
byphilkoell@koellins
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The declared purpose (CLI wrapper for are.na) matches required binaries (curl, python3). However, the SKILL.md repeatedly refers to a Python script named `arena` as the single-file CLI, but that script is not present in the file manifest — only install.sh, README.md, and SKILL.md are included. A CLI that relies on a missing executable is incoherent: either the package is incomplete or it expects you to fetch code from an external repository (the README's GitHub URL is placeholder-like).
Instruction Scope
SKILL.md instructs storing API tokens in local files (~/.arena_token, ~/.openclaw/.arena_tokens) and running commands that will write/read those files, yet the skill metadata lists no required config paths. The SKILL.md also claims 'No file writes' in the allowed-tools header while describing token storage and auth commands — this is a direct contradiction about whether local file writes occur.
Install Mechanism
There is no platform install spec; the included install.sh simply copies a local `arena` file into ~/bin. That is low-risk in itself, but since the `arena` file is not included in the manifest, the script as provided will fail or mislead the user unless the missing file is fetched from elsewhere. The README points at a GitHub URL that looks like a placeholder, so confirm the real source before running install.sh.
Credentials
The skill declares no required environment variables (reasonable for a CLI that uses user-provided tokens), but it does implicitly require write/read access to token files in the user's home directory (~/.arena_token and ~/.openclaw/.arena_tokens). Those config paths were not declared in the registry metadata. The absence of declared config paths combined with instructions to store tokens in home directories is an inconsistency users should note.
Persistence & Privilege
The skill does not request always:true and does not declare elevated privileges. Its expected persistence is limited to storing user tokens in home-directory files under the user's control, which is typical for a CLI. Still, because the actual CLI binary/script is missing from the bundle, it's unclear what code would perform those writes.
What to consider before installing
Do not run install.sh or any installer until you verify the actual CLI script and its source. Things to do before installing: (1) Confirm the real upstream repository and check that the `arena` Python script is present and readable in that repo; (2) Inspect the script to ensure it only talks to api.are.na and does not transmit tokens elsewhere; (3) Verify where it writes tokens (it claims ~/.arena_token and ~/.openclaw/.arena_tokens) and decide if that storage location and format are acceptable; (4) If a GitHub URL is provided, prefer installing directly from a trusted release or review the file contents locally before making them executable; (5) If anything in the package or its instructions is vague or missing (e.g., the missing `arena` file), treat it as incomplete and avoid running it. Because of the missing main script and contradictory instructions about file writes/config paths, treat this skill as suspicious until its source and contents are verified.Like a lobster shell, security has layers — review code before you run it.
apivk974sgmwf4ec6jm7hc79v48dwd817nfeare.navk974sgmwf4ec6jm7hc79v48dwd817nfeclivk974sgmwf4ec6jm7hc79v48dwd817nfecurationvk97arbp4882a53163tt292t8nh817y5winspirationvk97arbp4882a53163tt292t8nh817y5wlatestvk974sgmwf4ec6jm7hc79v48dwd817nfemulti-accountvk97arbp4882a53163tt292t8nh817y5w
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🪬 Clawdis
Binscurl, python3