Skill v1.0.10
ClawScan security
Calibre Catalog Read · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 4, 2026, 10:51 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code, required binaries, and environment variables are coherent with a Calibre read/search and one-book analysis pipeline; the only notable surprises are that it can write analysis/comments back to Calibre and that it loads .env files and includes cached book text inside the package.
- Guidance
  - What to consider before installing:
    - This skill needs access to your Calibre Content server and uses CALIBRE_PASSWORD (with optional CALIBRE_USERNAME). Only provide credentials you intend the skill to use and prefer least-privileged accounts.
    - Despite the 'read-only' emphasis, the one-book pipeline can apply analysis as HTML into the book's comments metadata on the Calibre server — if you strictly need no remote writes, do not enable the analysis/apply pipeline.
    - The scripts load .env files (cwd .env and ~/.openclaw/.env) and will import any keys found there into the process environment. Put only credentials you are comfortable exposing to installed skills into those files (or avoid having unrelated secrets present when running this skill).
    - The skill reads /etc/resolv.conf for host discovery and writes state/cache files under its own skill directory; review those files if you need to audit what it stores locally. The package also includes cached book text files in its state/cache directory — review for privacy or copyright concerns before installing in a shared environment.
    - If you want maximum assurance, run the commands manually in a test environment first (the SKILL.md contains the exact node/uv/calibredb/ebook-convert invocations), or inspect the specific scripts in your environment before giving it production credentials.
  - Confidence note: assessment is based on included SKILL.md and scripts; some files were truncated in the input but the visible code and metadata are internally consistent. If you want higher confidence, provide the full content of the truncated portions (to confirm there are no hidden network calls or unexpected external endpoints).
Review Dimensions
- Purpose & Capability
  - Rating: note
  - Name/description (read-only catalog lookup + one-book analysis) matches the required binaries (calibredb, ebook-convert, node, uv) and scripts. The only mismatch worth calling out is that, while described as read-only for metadata edits, the workflow explicitly includes an analysis -> comments HTML apply step and metadata declares modifiesRemoteData:["calibre:comments-metadata"] — so it will modify 'comments' metadata on the Calibre server (a limited, declared write), not general title/author/series metadata. That modification is declared but may be surprising to a user expecting strictly read-only behavior.
- Instruction Scope
  - Rating: note
  - SKILL.md and scripts stick to catalogue listing/search/export, text extraction, analysis (subagent or local fallback), DB upsert, and applying comments. The runtime reads .env files (cwd .env and ~/.openclaw/.env), probes /etc/resolv.conf (WSL nameservers) for host failover, and reads/writes state/cache under the skill directory. These file reads are explainable for host discovery and credential loading but are outside a minimal 'list/search' operation; the loader will import any keys found in those .env files into process.env, which could surface unrelated secrets if present.
- Install Mechanism
  - Rating: ok
  - No install spec — instruction-only skill with included scripts. No external downloads or obscure installers are present in the manifest; the scripts expect system binaries already installed (calibredb, ebook-convert, node, uv).
- Credentials
  - Rating: note
  - Declared required env is CALIBRE_PASSWORD (primary credential) with optional CALIBRE_USERNAME and several CALIBRE_* URL/host env vars; these are appropriate for connecting to a Calibre Content server. Caveat: the scripts load .env files and will populate process.env with any keys found there (if not already set), which can lead to other environment values being read into the runtime. This is likely intended for convenience but means installing this skill will cause it to read local env files that may contain unrelated secrets.
- Persistence & Privilege
  - Rating: ok
  - always:false (no forced global inclusion). The skill writes only to its own state paths (skills/calibre-catalog-read/state/..., state/cache/...) as declared. It does perform a declared remote modification limited to Calibre 'comments' metadata; it does not request system- or platform-wide privileges, nor does it alter other skills' configs.
