Calibre Catalog Read
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
The skill’s Calibre lookup and analysis purpose is coherent, but it exposes credential-handling risks and persists bundled/full book text caches.
Install only if you are comfortable with this skill reading/exporting selected Calibre books and updating their comments. Before use, delete bundled state/cache files, use a limited Calibre account/password, verify the subagent dependency/model, and review generated comments before applying them to your library.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A Calibre password could appear in process listings, logs, or the agent transcript if a command fails.
The Calibre password is read from the environment, placed directly into the calibredb command arguments, and the full command can be printed on failure.
if (!password && passwordEnv) password = process.env[passwordEnv] || ''; ... if (auth.password) r.push('--password', auth.password); ... throw new Error(`calibredb failed ... CMD: ${cmd.map(x => JSON.stringify(x)).join(' ')}`)Mask secrets in all error messages, avoid passing passwords as command-line arguments when possible, and use a least-privilege Calibre account.
Private or copyrighted library content can be retained inside the skill directory and may be exposed to future runs, backups, reviews, or package distribution.
The published artifact includes a persistent cache file containing extracted book text; the manifest also lists multiple large files under state/cache/pipeline.
海賊列伝 上巻 目次 ... はじめに ... 本書の材料蒐集にはひとかたならぬ苦労をした。
Remove bundled cache files before publishing/installing, add cleanup/retention controls, and cache only user-approved book text for the shortest necessary time.
A malicious or corrupted book text or model output could persist unwanted HTML or instructions in Calibre comments.
Subagent/model-provided analysis fields are embedded directly into HTML comments without visible HTML escaping or sanitization.
summary = str(analysis.get("summary", "")).strip() ... lines.append(f"<p><strong>{tr['summary']}:</strong> {summary}</p>") ... lines.append(f"<li>{h}</li>")Escape or sanitize all model-generated fields before writing HTML, and let the user review generated comments before applying them.
Selected book text may be processed by another agent/model, which may involve a remote provider depending on the chosen runtime.
The analysis workflow hands extracted book text files to a spawned subagent for processing.
source_files: array of text file paths (read all in order) ... Read all files in `source_files` in order and analyze combined content.
Use only trusted subagent profiles/models, confirm provider retention/privacy terms, and avoid running analysis on sensitive books unless acceptable.
Running the analysis pipeline can change a book’s comments field, even though catalog lookup operations are read-only.
The skill discloses a scoped path that exports a book, analyzes it, caches results, and updates Calibre comments metadata.
One-book AI reading workflow (`export -> analyze -> cache -> comments HTML apply`) ... "modifiesRemoteData":["calibre:comments-metadata"]
Run the pipeline only for a specific book you intend to update, and keep backups or test on a non-critical library first.
The installed dependency may change over time, so later installs may not match the reviewed behavior.
The setup instructions use an unpinned '@latest' install for a dependent skill.
npx clawhub@latest install subagent-spawn-command-builder pnpm dlx clawhub@latest install subagent-spawn-command-builder
Pin dependency versions or verify the dependent skill before installing.