Skill v0.3.2
ClawScan security
AniList CLI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 5, 2026, 4:51 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions match its stated purpose (a CLI wrapper around AniList), but the npm package has no linked homepage/source in the metadata so verify the package before installing.
- Guidance: This skill appears coherent for running an AniList CLI, but before installing: 1) check the npm package page (npmjs) and repository for @mtsku/anilist-cli: confirm the maintainer, recent activity, and source code. 2) Prefer installing in a contained environment (container or VM) or install locally rather than globally to limit system impact. 3) Inspect the package source (or its GitHub repo) to see how it stores auth tokens (where it writes config). 4) Only provide your AniList token if you trust the package; if unsure, use public read endpoints without auth or use a known upstream client. If you can't find a trustworthy source for the npm package, treat the install as risky and avoid providing secrets.
Review Dimensions
- Purpose & Capability (ok): Name and description describe an AniList CLI. Declared requirement (node) and the install package (@mtsku/anilist-cli) align with that purpose; the CLI binary anilistcli matches commands listed in SKILL.md.
- Instruction Scope (ok): SKILL.md only instructs the agent to check for the binary, optionally run npm install -g, and execute anilistcli commands (search, discover, profile, list management, auth). It does not instruct reading unrelated files or env vars. Note: it recommends a global npm install which modifies system-wide node modules.
- Install Mechanism (note): Install uses npm (package @mtsku/anilist-cli), which is a common and expected mechanism for Node CLIs. However, the skill metadata lists no homepage/source and the registry owner is not human-readable; this reduces traceability and increases risk of installing an untrusted npm package.
- Credentials (ok): The skill declares no required environment variables and the SKILL.md references only a token provided via the CLI (anilistcli auth set-token). That is proportional to an API-backed CLI. The SKILL.md does not disclose where the token will be stored (local config file, home directory, etc.), which is an implementation detail worth verifying.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request system config paths or other skills' credentials. The main persistent effect is installing a global npm binary and whatever config the CLI writes locally when you run auth set-token.
