AFOL Brickset
Review
Audited by ClawScan on May 10, 2026.
Overview
This looks like a purpose-aligned Brickset integration, but it needs Brickset credentials and can change collection or wishlist data when explicitly confirmed.
Before installing, confirm you are comfortable giving the skill a Brickset API key and, for private workflows, a user hash or login credentials. Keep the API base URL pointed at Brickset, use dry-run for collection or wishlist changes, and only approve --yes after the exact account change is restated correctly.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these credentials are provided, the agent can authenticate to Brickset and access private collection, wishlist, and notes workflows.
The skill uses Brickset API credentials, an account user hash, and optionally username/password for login. This is expected for Brickset account workflows, but it is sensitive account access.
export BRICKSET_API_KEY=...; export BRICKSET_USER_HASH=...; export BRICKSET_USERNAME=...; export BRICKSET_PASSWORD=...
Provide only the intended Brickset credentials, prefer BRICKSET_USER_HASH over username/password, and do not paste or log secrets in chat.
A confirmed mutation can add or remove sets, change quantities, update wishlist state, ratings, or personal notes on the user's Brickset account.
The skill can modify Brickset account state, but the main instructions disclose the risk and require confirmation plus a --yes guard.
Mutating operations require explicit user confirmation in the current conversation before execution... The CLI enforces this mechanically: mutating commands fail unless `--yes` is passed, and `--dry-run` prints the request shape with credentials redacted.
Use --dry-run first and only allow --yes after checking the exact set ID, owned/wanted state, quantity, rating, and note text.
If BRICKSET_BASE_URL or --base-url is set to an untrusted host, Brickset credentials or login data could be sent there.
Credential-bearing API calls can be directed to a configurable base URL. The default is Brickset, but overriding it would send API credentials to the configured endpoint.
parser.add_argument("--base-url", default=os.getenv("BRICKSET_BASE_URL", DEFAULT_BASE_URL), help="Brickset API base URL")
Keep the default Brickset API URL unless you intentionally trust the replacement endpoint.
The documented command may not run as written, and users may be tempted to create or fetch an unreviewed wrapper.
The file manifest lists scripts/brickset_cli.py but not a scripts/brickset wrapper, so the documented command path is not fully represented in the provided files.
Primary interface: `scripts/brickset`.
Verify the expected executable path before use and avoid downloading replacement helper scripts from untrusted sources.
