Readeck Save

v1.0.0

Save articles to Readeck (self-hosted read-it-later app). Use when the user wants to save an article for later reading, add something to their reading list, or send a page to Readeck.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

! Purpose & Capability
The skill's stated purpose (save articles to a self-hosted Readeck) matches the code and instructions: the script POSTs to READECK_URL/api/bookmarks using a bearer token. However, the registry metadata declares no required environment variables or binaries while the SKILL.md and scripts require READECK_URL and READECK_API_TOKEN and depend on curl and jq. That mismatch (undisclosed credentials and binaries) is disproportionate to the stated purpose and reduces transparency.
Instruction Scope
SKILL.md and scripts stay within the advertised scope: they instruct the agent/user to set two environment variables and run scripts/save.sh with a URL, then POST that URL to the configured Readeck API. The instructions do not ask the agent to read unrelated files, system credentials, or send data to endpoints other than the configured READECK_URL.
Install Mechanism
There is no install spec (instruction-only skill plus a small shell script), which is low-risk. However, the script invokes external tools (curl and jq) but the skill metadata does not declare them as required binaries; the absence of an install step means those dependencies must already be present on the host, which should be made explicit by the publisher.
! Credentials
The SKILL.md requires READECK_URL and READECK_API_TOKEN (appropriate for a Readeck integration), but the registry lists no required env vars or primary credential. This lack of declaration is an integrity/information problem: users won't see at install time that the skill needs an API token, and the skill will transmit that token as a bearer token to whatever READECK_URL is configured.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges (always:false). It does not modify other skills or system-wide settings. It behaves as a normal, on-demand helper script.
What to consider before installing
The skill's behavior (POSTing a URL to a Readeck instance using a bearer token) is consistent and not inherently malicious, but the package metadata omits things the script actually needs. Before installing or using it:

1) Verify the publisher/source — there is no homepage and the owner is unknown.
2) Expect to set READECK_URL and READECK_API_TOKEN locally; the token will be sent to that URL, so only point it at a trusted Readeck instance.
3) Ensure curl and jq are installed on the host (the script uses them).
4) If you want better transparency, ask the publisher to update registry metadata to declare the required env vars and required binaries or provide an explicit install step.
5) Review the small script (scripts/save.sh) yourself — it is short and easy to audit — and consider running it in a restricted environment if you are unsure.

Like a lobster shell, security has layers — review code before you run it.

latest: vk979bk0qzesf063ewgzrt1gcn5802fye
