bangumi-tracker

v1.0.0

Manage Bangumi collections and track watch progress via OAuth. Use when user wants to track anime/book/game/music progress, manage wish/doing/collect lists,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (Bangumi tracking via OAuth) matches the SKILL.md and the code: it implements OAuth, calls bgm.tv API endpoints, and stores tokens. There are no unrelated credentials, binaries, or services requested.
Instruction Scope
SKILL.md only instructs creating an OAuth app, configuring client_id/secret, running the included Python script, and using a local callback. It does not request reading unrelated files or sending data to third-party endpoints outside bgm.tv.
Install Mechanism
No install spec is provided (instruction-only + bundled Python script). That lowers installation risk; the included script is intended to be run locally and no external archive downloads or npm/go packages are pulled.
Credentials
No environment variables or unrelated credentials are required. The script stores client_secret and tokens in Windows Credential Manager (via ctypes) and on other platforms under ~/.bangumi, which is proportional for an OAuth client. One minor note: the code uses ctypes to call Windows Cred APIs and sets CRED_PERSIST_LOCAL_MACHINE (machine-level persistence), which is more persistent than per-user storage; you may want to review whether that behavior is acceptable in your environment.
Persistence & Privilege
Skill is not force-enabled (always:false) and does not request elevated platform privileges. It stores credentials only in its own config paths or the OS credential store and does not modify other skills or global agent settings.
Assessment
This skill appears to be a straightforward local OAuth client for Bangumi and is consistent with its description. Before installing or running: (1) verify the script contents yourself (especially the truncated parts) to be sure it only talks to bgm.tv and does not exfiltrate data; (2) confirm you are comfortable storing client_secret/access tokens in Windows Credential Manager or ~/.bangumi; (3) if you prefer less persistence, inspect/modify the code to change credential persistence or storage path; (4) only create an OAuth app with callback http://localhost:17321 as instructed and do not reuse high-privilege client secrets; (5) run in an isolated environment (virtualenv or VM) if you cannot verify the full source. If you want, I can scan the remainder of bangumi_tracker.py (it was truncated here) for any network calls, third-party endpoints, or obfuscated behavior.

Like a lobster shell, security has layers — review code before you run it.
