Trakt
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is a coherent Trakt.tv helper that uses a disclosed CLI and read-only account access, with a couple of normal but important setup and credential considerations.
This skill appears safe for its stated purpose. Before installing, make sure you trust the trakt-cli npm package and understand that authenticated history lookups require Trakt credentials stored locally in ~/.trakt.yaml.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the CLI lets that npm package run code on the user's machine.
The skill relies on installing an external global npm package, and the instruction does not pin a version. This is expected for a CLI-based integration but means the user should trust the package source.
npm install -g trakt-cli
Verify the npm package and source before installing, and consider pinning a known-good version if reproducibility matters.
The CLI can access personal Trakt watch-history data after authentication.
The skill needs Trakt authentication to access the user's watch history. The access is disclosed and described as read-only, matching the stated purpose.
History requires authentication - Read-only access to watch history
Use a Trakt app/token with only the needed permissions, avoid sharing ~/.trakt.yaml, and revoke the Trakt app if you stop using the skill.
Anyone or any process with access to that local file may be able to use the saved Trakt credentials.
The skill discloses persistent local storage of Trakt credentials. This is expected for authenticated CLI use, but it is still credential material on disk.
Credentials saved to `~/.trakt.yaml`
Keep the credentials file private, check its file permissions, and remove or rotate credentials if the machine is shared or compromised.
