AFOL Rebrickable
Pass. Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: afol-rebrickable
Version: 1.0.0

The Rebrickable AFOL skill bundle is a legitimate tool for managing LEGO collections and searching catalogs via the Rebrickable API. The core logic in `scripts/rebrickable_cli.py` is a well-structured Python CLI that uses standard libraries and includes explicit safety features, such as a `--dry-run` mode and automated redaction of API keys and user tokens in output logs. The `SKILL.md` file provides clear instructions for the AI agent, emphasizing the need for user confirmation before performing any data-modifying operations. No evidence of data exfiltration, malicious command execution, or harmful prompt injection was found.
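To make the redaction feature concrete, here is an added example written for this review; it is not the skill's `scripts/rebrickable_cli.py` and it does not reproduce that file's logic. It scrubs the secret values the CLI knows about (the API key and user token from the environment) and, as a backstop, the structural places a Rebrickable credential shows up: an `Authorization: key ...` header, the user token in a `/users/<token>/` path segment, and a `key=` query parameter. The header and path conventions are assumptions modelled on the Rebrickable v3 API, and the log lines are constructed.

```python
import logging
import re
from typing import Callable, Iterable, List

# Example code for this review, not the skill's own implementation.
# Assumed Rebrickable v3 conventions: `Authorization: key <api_key>` header and
# the user token as a path segment, /api/v3/users/<user_token>/...
REDACTED = "[REDACTED]"


def build_redactor(secrets: Iterable[str]) -> Callable[[str], str]:
    """Return a function that scrubs the given secret values and credential patterns."""
    # Known values first, longest first, so a secret that contains another is handled cleanly.
    values = sorted({s for s in secrets if s}, key=len, reverse=True)
    value_re = re.compile("|".join(re.escape(v) for v in values)) if values else None
    # Structural patterns catch credentials we were not told about, e.g. a key
    # echoed in a header dump or a token in a user-endpoint URL.
    header_re = re.compile(r"(?i)(authorization:\s*key\s+)\S+")
    path_re = re.compile(r"(/users/)[A-Za-z0-9_-]+(?=[/\s?]|$)")
    query_re = re.compile(r"([?&]key=)[^&\s]+")

    def redact(text: str) -> str:
        if value_re is not None:
            text = value_re.sub(REDACTED, text)
        text = header_re.sub(r"\1" + REDACTED, text)
        text = path_re.sub(r"\1" + REDACTED, text)
        text = query_re.sub(r"\1" + REDACTED, text)
        return text

    return redact


class RedactingFilter(logging.Filter):
    """Rewrite each record's formatted message before any handler sees it."""

    def __init__(self, redact: Callable[[str], str]):
        super().__init__()
        self._redact = redact

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = self._redact(record.getMessage())
        record.args = ()
        return True


class _ListHandler(logging.Handler):
    """Collects formatted lines in memory so the demo can return them."""

    def __init__(self):
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def demo(api_key: str = "abcdef0123456789", user_token: str = "tok9876") -> List[str]:
    """Log two constructed lines through the filter and return what was emitted."""
    logger = logging.getLogger("rebrickable.demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter(build_redactor([api_key, user_token])))
    # Constructed sample lines of the kind a verbose HTTP client prints.
    logger.info("GET https://rebrickable.com/api/v3/users/%s/lists/", user_token)
    logger.debug("request headers: {'Authorization': 'key %s'}", api_key)
    return handler.lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The filter is attached to the logger rather than to one handler so every handler, including any added later by a library, sees the scrubbed message; the pattern-based backstop matters because a verbose HTTP client can print a credential the CLI never passed to the redactor explicitly.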
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed and configured, the agent can read Rebrickable account data and, with mutation safeguards, change lists or lost-part records.
The skill requires a Rebrickable API key and optionally a user token for private collection endpoints. This is expected for the integration, but it grants account-level access.
    export REBRICKABLE_API_KEY=...
    export REBRICKABLE_USER_TOKEN=...   # needed for user collection endpoints
Use environment variables rather than pasting credentials into chat, keep tokens private, and revoke or rotate them if exposed.
A confirmed command can change your Rebrickable collection lists or lost-parts records.
The skill can create, update, and delete Rebrickable list data, but it documents explicit confirmation and dry-run safeguards.
Mutating operations require explicit user confirmation in the current conversation before execution... The CLI enforces this mechanically: mutating commands fail unless `--yes` is passed, and `--dry-run` prints the request shape
Use `--dry-run` first and only approve `--yes` after checking the platform, list ID, set or part, color, and quantity.
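The mechanical guard described above, as an added example written for this review (not the skill's `scripts/rebrickable_cli.py`): a mutating subcommand is refused unless `--yes` is present, and `--dry-run` returns the request that would be sent without sending it. The endpoint path `/users/<token>/setlists/<id>/sets/` and the `set_num`/`quantity` fields are assumptions modelled on the Rebrickable v3 API, not taken from the skill; `send` stands in for the HTTP client so the example runs offline.

```python
import argparse
from typing import Any, Callable, Dict, List, Tuple

# Example code for this review, not the skill's scripts/rebrickable_cli.py.
# Endpoint paths and payload fields are assumptions modelled on the Rebrickable
# v3 "add set to a user's set list" call; `send` stands in for the HTTP client.
DEFAULT_BASE_URL = "https://rebrickable.com/api/v3"

Request = Dict[str, Any]


class ConfirmationRequired(Exception):
    """Raised when a mutating command is run without --yes."""


def build_parser() -> argparse.ArgumentParser:
    parser = argparse.ArgumentParser(prog="rebrickable")
    parser.add_argument("--dry-run", action="store_true", help="print the request shape without sending it")
    parser.add_argument("--yes", action="store_true", help="confirm a mutating operation")
    sub = parser.add_subparsers(dest="command", required=True)

    add = sub.add_parser("add-set", help="add a set to a user set list (mutating)")
    add.add_argument("--list-id", type=int, required=True)
    add.add_argument("--set-num", required=True)
    add.add_argument("--quantity", type=int, default=1)
    add.set_defaults(mutating=True)  # the flag the guard in run() keys on

    get = sub.add_parser("get-set", help="look up a set in the catalog (read-only)")
    get.add_argument("set_num")
    get.set_defaults(mutating=False)
    return parser


def build_request(args: argparse.Namespace, base_url: str, user_token: str) -> Request:
    """Translate parsed arguments into the request that would be sent."""
    if args.command == "add-set":
        return {
            "method": "POST",
            "url": f"{base_url}/users/{user_token}/setlists/{args.list_id}/sets/",
            "json": {"set_num": args.set_num, "quantity": args.quantity},
        }
    return {"method": "GET", "url": f"{base_url}/lego/sets/{args.set_num}/", "json": None}


def run(argv: List[str], send: Callable[[Request], Any], *,
        base_url: str = DEFAULT_BASE_URL, user_token: str = "") -> Tuple[str, Any]:
    """Return ("dry-run", request) or ("sent", response); raise ConfirmationRequired otherwise."""
    args = build_parser().parse_args(argv)
    if args.dry_run:
        # Preview never sends anything, and shows a placeholder rather than the real token.
        return ("dry-run", build_request(args, base_url, "<user_token>"))
    if args.mutating and not args.yes:
        raise ConfirmationRequired(
            f"'{args.command}' changes account data; re-run with --yes only after the user has confirmed"
        )
    return ("sent", send(build_request(args, base_url, user_token)))


if __name__ == "__main__":
    import json
    import sys

    def _print_send(request: Request) -> Any:  # stand-in for the HTTP client
        print("would send:", json.dumps(request))
        return {"ok": True}

    try:
        status, payload = run(sys.argv[1:], _print_send, user_token="<token-from-env>")
        print(status, json.dumps(payload))
    except ConfirmationRequired as exc:
        sys.exit(f"refused: {exc}")
```

The intended agent workflow follows directly: run `--dry-run add-set ...`, restate the list ID, set number and quantity from the returned request to the user, and only then re-run with `--yes`. Because the guard lives in `run()` rather than in the prompt, an agent that skips the confirmation step gets a refusal instead of a silent write.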
The agent might treat an add request as enough to proceed without an additional confirmation step.
This secondary guidance is less explicit than SKILL.md about mutation confirmation. It appears aimed at service selection, but could be read too broadly.
    If ONLY ONE service is configured:
     - Use that service without asking...
    - User: "Add 10179 to my Rebrickable list"
      You: [Call addSetsToList directly without asking]
Follow the stricter SKILL.md rule: restate the exact mutation and wait for explicit confirmation before passing `--yes`.
If the base URL is changed to an untrusted host, the API key could be sent there.
The CLI supports a configurable API base URL while also sending the Rebrickable Authorization header to whatever host that URL names. This is a common testing/proxy option, but credentials should only be sent to trusted Rebrickable-compatible endpoints. Because the default is read from the `REBRICKABLE_BASE_URL` environment variable, the redirect does not require a visible `--base-url` flag in the command: anything able to set that variable in the agent's environment chooses where the key goes.
    parser.add_argument("--base-url", default=os.getenv("REBRICKABLE_BASE_URL", DEFAULT_BASE_URL), help="Rebrickable API base URL")

Leave the base URL at the default unless you intentionally use a trusted Rebrickable-compatible endpoint.
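One way to close this gap in code rather than in guidance, as an added example for this review (not the skill's own CLI): validate the base URL, whether it came from `--base-url` or from `REBRICKABLE_BASE_URL`, before the Authorization header is ever built. The check below requires https, rejects userinfo in the URL, and matches the host exactly against an allowlist; the `Authorization: key <api_key>` header format is an assumption modelled on the Rebrickable v3 API, and the allowlist policy itself is this example's choice.

```python
import os
from typing import FrozenSet, Mapping
from urllib.parse import urlsplit

# Example code for this review, not the skill's own CLI. Assumes the
# Rebrickable v3 `Authorization: key <api_key>` header; the allowlist policy
# (exact host match, https only, default port) is this example's choice.
DEFAULT_BASE_URL = "https://rebrickable.com/api/v3"
TRUSTED_HOSTS: FrozenSet[str] = frozenset({"rebrickable.com"})


class UntrustedEndpoint(ValueError):
    """Raised when credentials would be sent somewhere not on the allowlist."""


def validate_base_url(base_url: str, trusted_hosts: FrozenSet[str] = TRUSTED_HOSTS) -> str:
    """Return the normalised base URL, or raise if the key must not be sent there."""
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        raise UntrustedEndpoint(f"refusing to send credentials over {parts.scheme or 'a missing scheme'}")
    if parts.username or parts.password:
        # https://rebrickable.com@evil.test/ parses to host evil.test; reject userinfo outright.
        raise UntrustedEndpoint("userinfo in the base URL is not allowed")
    host = (parts.hostname or "").lower()
    if host not in trusted_hosts:
        # Exact match: rebrickable.com.evil.test and evilrebrickable.com both fail.
        raise UntrustedEndpoint(f"{host!r} is not a trusted Rebrickable endpoint")
    if parts.port not in (None, 443):
        raise UntrustedEndpoint(f"unexpected port {parts.port}")
    return base_url.rstrip("/")


def resolve_base_url(env: Mapping[str, str] = os.environ,
                     trusted_hosts: FrozenSet[str] = TRUSTED_HOSTS) -> str:
    """Apply the same check to the environment override the CLI uses as its default."""
    return validate_base_url(env.get("REBRICKABLE_BASE_URL", DEFAULT_BASE_URL), trusted_hosts)


def build_headers(base_url: str, api_key: str, trusted_hosts: FrozenSet[str] = TRUSTED_HOSTS) -> dict:
    """Attach the Authorization header only after the destination passed validation."""
    validate_base_url(base_url, trusted_hosts)
    return {"Authorization": f"key {api_key}", "Accept": "application/json"}


if __name__ == "__main__":
    print(build_headers(resolve_base_url(), "<api-key-from-env>"))
```

A deliberately trusted proxy is added to `TRUSTED_HOSTS` in code, where the change is reviewable, rather than through the same environment variable an attacker would use to redirect the key.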
