AFOL Rebrickable
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a purpose-aligned Rebrickable integration, but it uses Rebrickable credentials and can modify your collection, so use the dry-run and confirmation safeguards.
Install only if you are comfortable giving the skill a Rebrickable API key and optional user token. Keep the default Rebrickable API URL, use dry-run before changes, and only approve mutations after the agent restates exactly what it will change.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed and configured, the agent can read Rebrickable account data and, with mutation safeguards, change lists or lost-part records.
The skill requires a Rebrickable API key and optionally a user token for private collection endpoints. This is expected for the integration, but it grants account-level access.
export REBRICKABLE_API_KEY=...
export REBRICKABLE_USER_TOKEN=... # needed for user collection endpoints
Use environment variables rather than pasting credentials into chat, keep tokens private, and revoke or rotate them if exposed.
A confirmed command can change your Rebrickable collection lists or lost-parts records.
The skill can create, update, and delete Rebrickable list data, but it documents explicit confirmation and dry-run safeguards.
Mutating operations require explicit user confirmation in the current conversation before execution... The CLI enforces this mechanically: mutating commands fail unless `--yes` is passed, and `--dry-run` prints the request shape
Use `--dry-run` first and only approve `--yes` after checking the platform, list ID, set or part, color, and quantity.
The agent might treat an add request as enough to proceed without an additional confirmation step.
This secondary guidance is less explicit than SKILL.md about mutation confirmation. It appears aimed at service selection, but could be read too broadly.
If ONLY ONE service is configured:
 - Use that service without asking...
- User: "Add 10179 to my Rebrickable list"
 You: [Call addSetsToList directly without asking]
Follow the stricter SKILL.md rule: restate the exact mutation and wait for explicit confirmation before passing `--yes`.
If the base URL is changed to an untrusted host, the API key could be sent there.
The CLI supports a configurable API base URL while also sending the Rebrickable Authorization header. This is a common testing/proxy option, but credentials should only be sent to trusted Rebrickable-compatible endpoints.
parser.add_argument("--base-url", default=os.getenv("REBRICKABLE_BASE_URL", DEFAULT_BASE_URL), help="Rebrickable API base URL")
Leave the base URL at the default unless you intentionally use a trusted Rebrickable-compatible endpoint.
