Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Trakt

v0.1.0

Track and view your watched movies and TV shows via trakt.tv. Use when user asks about their watch history, what they've been watching, or wants to search for movies/shows.

0 · 2k · 6 current · 6 all-time
by Matt Russell (@mjrussell)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill queries trakt.tv history and search; its runtime instructions rely on the trakt-cli tool and trakt OAuth credentials, which is reasonable and expected. Minor inconsistency: the registry metadata provided with the skill lists no required binaries, but the packaged SKILL.md declares a dependency on the 'trakt-cli' binary.
Instruction Scope
SKILL.md stays on-task: it instructs installing trakt-cli, creating a trakt app, authenticating, and running read-only commands (history, search). It references storing credentials at ~/.trakt.yaml so the CLI can access history; there are no instructions to read unrelated files or exfiltrate data.
Install Mechanism
This is an instruction-only skill with no formal install spec in the registry. The SKILL.md recommends 'npm install -g trakt-cli' — a normal but non-trivial action (global npm install writes system locations and installs third-party code). The absence of a registry install entry (while SKILL.md specifies installation) is an inconsistency to be aware of.
Credentials
No environment variables, secrets, or unrelated credentials are requested by the registry. The only credentialing is user-created trakt OAuth client id/secret (expected for this purpose) and local tokens stored in ~/.trakt.yaml.
Persistence & Privilege
The skill does not request permanent inclusion (always: false) and does not claim to modify other skills or system-wide settings. The CLI will store auth tokens locally (~/.trakt.yaml), which is typical for an OAuth CLI tool.
Assessment
This skill appears to do what it says: it relies on the third-party 'trakt-cli' npm package and your own trakt OAuth app to read your watch history. Before installing:

1. Verify the trakt-cli npm package and its maintainer (inspect the package page and source), since the SKILL.md suggests a global npm install.
2. Avoid installing global npm packages as root/sudo if possible.
3. Be aware that authentication tokens will be stored in ~/.trakt.yaml; check its filesystem permissions and contents.
4. Note that the registry metadata did not list the required binary even though SKILL.md requires it; double-check that your environment has trakt-cli or that you are comfortable installing it.

If you do not trust the npm package or the skill source, do not install.


latest: vk973zj4ezbq0tb46adjjewnew97ytgdd


Runtime requirements

🎬 Clawdis
Bins: trakt-cli
