Skillv1.0.4

ClawScan security

Calibre Metadata Apply · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 4, 2026, 10:51 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill appears to do what it says (apply Calibre metadata) but has several operational choices that could expose credentials or metadata (auto-loading dotfiles, optional plaintext password saving, ability to pass password on the command line, and optional subagent/model usage) and those warrant caution before installation.
Guidance: This skill is functionally coherent for editing Calibre metadata, but review and limit sensitive behaviors before use: - Avoid storing credentials in plaintext. Do not use `--save-plain-password`. Prefer exporting CALIBRE_PASSWORD in the environment and pass via `--password-env CALIBRE_PASSWORD` rather than inline `--password` on the command line. - Be aware the scripts automatically load .env files from the current directory and ~/.openclaw/.env. Remove unrelated secrets from those files (e.g., AWS keys) or run the skill from a clean working directory. - The skill can delegate heavy analysis to a subagent/model. If metadata or book-related text is sensitive, disable subagent orchestration or ensure the configured model endpoints are trusted; otherwise metadata may be sent to external model endpoints. - Inspect or audit the included scripts (calibredb_apply.mjs, run_state.mjs, handle_completion.mjs) in your environment before running. Confirm that you’re comfortable with the local state file location (skills/.../state/runs.json) and the documented auth cache (~/.config/calibre-metadata-apply/auth.json). - Prefer dry-run and explicit user approval before any `--apply`. The skill’s required flow includes a dry-run first; follow that. What would raise confidence to High: a) the author/owner is known and trusted, b) removal or hardening of plaintext password saving and explicit disabling of inline `--password` usage in code, and c) a configurable opt-out that prevents automatic .env hydration and disables subagent/model delegation by default.

Review Dimensions

Purpose & Capability: okName/description align with required binaries and behavior: it legitimately requires `calibredb` and Node, and the main declared credential is CALIBRE_PASSWORD. The included scripts implement metadata lookups, dry-run/apply flow, and run-state management consistent with an edit/apply skill.
Instruction Scope: concernSKILL.md and scripts stick to metadata-edit workflows, but the skill explicitly supports using a subagent for heavy analysis and notes that 'text/metadata sent to subagent can reach model endpoints configured by runtime profile.' That means metadata (and possibly other text) can be forwarded to external model endpoints unless the caller disables subagent processing. The scripts also read local dotfiles (.env in cwd and ~/.openclaw/.env) automatically to hydrate env vars, which may pull unrelated secrets into the process if present. The README/policy allow saving auth and even saving plain passwords if the user requests it—this broadens the data surface beyond the simple 'apply metadata' claim.
Install Mechanism: okNo external installer or remote download is declared; this is instruction+scripts only. That keeps install risk low because nothing is fetched from arbitrary URLs during install.
Credentials: concernThe registry lists only CALIBRE_PASSWORD as required, which is appropriate, but the code automatically hydrates .env files (process.cwd()/.env and ~/.openclaw/.env) and will set any variables found there. That can unexpectedly import unrelated secrets into the skill's environment. The script also can accept/insert a plaintext password onto calibredb command lines (it builds commands with `--password <value>` if `auth.password` is present) and the README documents optional saving of auth (including a --save-plain-password option). These behaviors increase the chance credentials are exposed (process lists, logs, or config files).
Persistence & Privilege: concernThe skill writes local state at skills/.../state/runs.json (declared) and documents an auth cache at ~/.config/calibre-metadata-apply/auth.json; README explicitly allows saving auth and even plain passwords via `--save-plain-password`. 'always' is false, and the skill does not request system-wide privileges, but the optional persistent storage of credentials (including plaintext) and retained run state are notable persistence/privacy concerns.