ClawHub

Karakeep Save

v1.0.0

Save bookmarks to Karakeep (self-hosted bookmark manager). Use when the user wants to save a URL, bookmark a link, or add something to their reading list.

1· 1.5k·0 current·0 all-time
by@nickian
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's name and description match the included script: it POSTs a bookmark to a Karakeep instance. However, the registry metadata declares no required environment variables or binaries, while the SKILL.md and scripts/save.sh clearly require KARAKEEP_URL and KARAKEEP_API_KEY and use external tools (curl and jq). This mismatch between declared requirements and actual runtime needs is a coherence problem.
Instruction Scope
SKILL.md instructs the agent to call scripts/save.sh with a URL and optional note and to set two environment variables. The instructions are narrowly scoped to saving bookmarks and do not request reading unrelated files or other credentials. The script only sends the bookmark data (url, note) to the configured Karakeep API.
Install Mechanism
There is no install spec (instruction-only), which minimizes install-time risk. However, the runtime script depends on common CLI tools (curl and jq) that are not declared in the metadata; the skill does not install them or verify their presence beyond failing if they're absent. This omission should be corrected or documented.
!
Credentials
The environment variables the skill needs (KARAKEEP_URL and KARAKEEP_API_KEY) are appropriate and proportionate for a bookmark-saving skill. The concern is that the metadata lists no required env vars, so a user or automated installer may not realize these secrets are needed or where they'll be used. The script will send the API key as a Bearer token to the configured URL (expected for the stated purpose).
Persistence & Privilege
The skill does not request persistent/global privileges: always is false, and it does not modify other skills or system-wide configuration. It performs a single network request to the user-supplied Karakeep instance when invoked.
What to consider before installing
This skill appears to do what it says (POST a bookmark to your Karakeep server) but the package metadata omits important runtime requirements. Before installing: 1) Inspect scripts/save.sh yourself — it will send the URL and optional note to KARAKEEP_URL using KARAKEEP_API_KEY. 2) Ensure you have curl and jq installed (the script depends on them). 3) Store KARAKEEP_API_KEY securely (environment or secret store) and confirm KARAKEEP_URL is the correct HTTPS endpoint. 4) Because the owner and homepage are unknown, prefer running the script in a sandbox or local review first; ask the publisher to update metadata to declare required env vars and binaries so automated checks and users are not misled.

Like a lobster shell, security has layers — review code before you run it.

latestvk977fkccgey5haaa78c4sv9qrx802723

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments