Skill v1.0.0

ClawScan security

Wanikani · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 16, 2026, 2:37 PM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to do exactly what it says — fetch WaniKani data and store it in a local SQLite DB using your WaniKani API token — and its requirements and behavior are proportionate, though you should still review the full script before running it.
Guidance
This skill is coherent with its stated purpose, but take these precautions before running:
1) Inspect the full scripts (scripts/sync.py and scripts/queries.py) in your environment to ensure there are no hidden network calls or logging of your token (the prompt shows truncated sections).
2) Run in a virtualenv or isolated container and avoid passing your token on the command line (use an environment variable as recommended).
3) Confirm network traffic is only to api.wanikani.com and no other domains.
4) Note the DB (wanikani.db) will be created in the specified data directory — store it securely if it contains sensitive progress data.
5) If you share your machine or backups, treat the WANIKANI_API_TOKEN and DB as sensitive.
If you want higher assurance, provide the complete, untruncated script text for review or run the tool in an isolated environment first.

Review Dimensions

Purpose & Capability: ok
Name/description, required binary (python3), and required env var (WANIKANI_API_TOKEN) align with a tool that calls the WaniKani API and stores data locally. Database schema and query helpers match the stated goal of offline analysis and stats.
Instruction Scope: ok
SKILL.md and the visible Python code limit activity to calling the WaniKani API (https://api.wanikani.com/v2), writing/reading a local SQLite DB, and producing SQL reports. Instructions do not ask for unrelated files, other environment variables, or external endpoints beyond the WaniKani API.
Install Mechanism: ok
No install spec; the skill is instruction-only with included Python scripts. This is low-risk — no downloads or archive extraction. Running requires a local Python runtime and the requests library (the script imports requests).
Credentials: ok
Only WANIKANI_API_TOKEN is required and declared as primaryEnv. No other credentials or secret environment variables are requested. The token is used exclusively for Authorization headers to the WaniKani API in the visible code.
Persistence & Privilege: ok
Skill is not always-enabled and does not request elevated privileges. It writes a local wanikani.db file in the chosen data directory (expected for a sync tool) and does not modify other skills or system-wide configs in the visible code.