Wanikani
PassAudited by ClawScan on May 1, 2026.
Overview
This skill is coherent for syncing WaniKani data locally, but users should treat both the API token and the saved database as private.
Install this if you are comfortable giving it a WaniKani API token and keeping a local copy of your learning data. Prefer an environment variable over a command-line token, use a private data directory, avoid committing the database or token to source control, and ensure any Python dependencies come from a trusted environment.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone running the skill grants it access to the WaniKani data allowed by that token.
The script authenticates to WaniKani with the user's API token, which is expected for syncing but is still delegated account access.
"Authorization": f"Bearer {api_token}"Use the environment variable method, prefer the least-privileged or read-only token if available, and do not paste, share, or commit the token.
The local database can contain WaniKani profile, subscription, assignment, review, and progress data.
The skill intentionally creates persistent local data that may later be reused for analysis or queried by other tools.
store it locally in SQLite. Once synced, you (or other services) can query the data
Store the database in a private directory, avoid committing it to repositories, and only share it with tools or services you trust.
Users may need to rely on an existing or separately installed Python package for the sync script to run.
The script depends on the non-stdlib requests package, while the supplied install information says there is no install spec, so dependency version/provenance is not declared.
import requests
Install dependencies from a trusted source and consider declaring or pinning the requests dependency for clearer provenance.