AFOL BrickOwl

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is mostly a coherent BrickOwl API wrapper, but one included reference file contradicts the stated safety rules by telling the agent that marketplace write actions need no approval.

Review this skill carefully before installing. If you use it, keep the BrickOwl API key private, run dry-runs first, and do not allow any inventory create, update, delete, wishlist, or bulk action unless the agent restates the exact change and you explicitly confirm it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent could create, update, or delete BrickOwl listings without first confirming the exact action with the user.

Why it was flagged

This directly conflicts with SKILL.md's safety rule that mutating BrickOwl operations require explicit confirmation. Because the same file describes create, update, and delete listing tools, following this guidance could cause marketplace changes without a clear approval step.

Skill content

- **NO User Approval Required**: Unlike BrickLink tools, these execute immediately without approval flow

Recommendation

Remove or correct the conflicting reference guidance so all mutating actions require dry-run review and explicit user confirmation before using --yes.

What this means

Anyone or any agent using this key through the skill may be able to view private store data and perform authorized marketplace changes.

Why it was flagged

The skill requires a BrickOwl API key, which gives the CLI authenticated access to user account data and write actions. This is expected for the integration, but it is sensitive delegated authority.

Skill content

Required environment variable:

```bash
export BRICKOWL_API_KEY=...
```

Recommendation

Use a dedicated least-privilege BrickOwl API key if possible, keep it out of transcripts/logs, and approve any write action only after reviewing the exact requested change.

What this means

The documented command may not run as written, which could lead users or agents to improvise around the intended wrapper.

Why it was flagged

The file manifest lists scripts/brickowl_cli.py but not scripts/brickowl, so the documented entry point appears inconsistent with the provided files. This may be a packaging or documentation issue rather than malicious behavior.

Skill content

Primary interface: `scripts/brickowl`.

Recommendation

Verify the actual command before use, and update the package so the documented entry point exists or points to scripts/brickowl_cli.py.