Bunpro

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears to sync Bunpro progress as described, but it requires a sensitive browser-derived Bunpro token and stores personal learning data locally.

This appears safe for its stated purpose if you trust the included scripts. Before using it, understand that the frontend token is a sensitive Bunpro credential and that the generated bunpro.db file may contain private progress and account information.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

65/65 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Severity: Medium
What this means

Anyone who obtains this token may be able to access Bunpro API data until the token expires.

Why it was flagged

The skill requires a browser-derived frontend JWT rather than a limited official API key. This is disclosed and used for the stated Bunpro API sync, but it is still a sensitive account credential.

Skill content
you need the Frontend API Token from your browser ... Object.fromEntries(new URLSearchParams(document.cookie.replace(/; /g, '&'))).frontend_api_token
Recommendation

Use the environment variable method instead of passing the token on the command line, keep it out of chats/logs/shell history, and refresh or revoke it if exposed.

ASI06: Memory and Context Poisoning
Severity: Low
What this means

The local database may contain personal learning history and account details, which could be exposed if the folder is shared, backed up insecurely, or committed to a repository.

Why it was flagged

The skill intentionally persists user profile, review, queue, and progress information locally for later analysis.

Skill content
fetches your Japanese grammar progress from Bunpro and stores it in a local SQLite database
Recommendation

Store the database in a private directory, avoid committing bunpro.db to source control, and delete it when you no longer need the backup.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Low
What this means

Users may need to inspect the included scripts and ensure dependencies are installed from trusted sources.

Why it was flagged

The artifact set includes readable scripts and no remote installer, but provenance is not identified. The code also imports requests while the declared binary requirement only lists python3.

Skill content
Source: unknown; No install spec — this is an instruction-only skill.
Recommendation

Review the scripts before use and install any missing Python dependency, such as requests, from a trusted package source.