Readeck Save
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: readeck-save Version: 1.0.0 The skill is classified as benign. It transparently uses `curl` to make a POST request to a user-configured Readeck instance, authenticating with a user-provided API token. The script `scripts/save.sh` explicitly requires and uses `READECK_URL` and `READECK_API_TOKEN` environment variables, which are clearly documented in `SKILL.md`. All actions are directly aligned with the stated purpose of saving articles to a self-hosted read-it-later app, with no evidence of malicious intent, unauthorized data access, or prompt injection attempts against the agent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can add bookmarks to the Readeck account associated with the configured token.
The skill requires a Readeck API token and instance URL so it can authenticate API requests. This is expected for saving bookmarks, but it gives the skill delegated access to the configured Readeck account.
export READECK_URL="https://your-readeck-instance.com" export READECK_API_TOKEN="your-api-token"
Use the least-privileged Readeck API token available, store it only in the intended environment, and revoke or rotate it if it is exposed.
Saving a URL creates a bookmark and may cause the Readeck server to fetch that page.
The helper uses curl to post the provided URL to the configured Readeck API. This matches the skill purpose, but it is still an external API write using user- or agent-supplied input.
curl -s -X POST "${READECK_URL}/api/bookmarks" \
-H "Authorization: Bearer ${READECK_API_TOKEN}" \
-H "Content-Type: application/json" \
-d "{\"url\": \"$URL\"}"Use it only for URLs you actually want saved, and review unusual or internal/private URLs before submitting them.
There is limited external information to verify the publisher or project origin before configuring an API token.
The published artifacts provide limited provenance information and no install specification. The included script is small and consistent with SKILL.md, so this is a transparency note rather than a concern.
Source: unknown Homepage: none No install spec — this is an instruction-only skill.
Review the included script and confirm you trust the skill source before setting READECK_API_TOKEN.