Bricklink

Pass. Audited by ClawScan on May 10, 2026.

Overview

This is a transparent BrickLink API CLI, but it can use your OAuth credentials to read and immediately change store orders, inventory, payments, and feedback when invoked.

Install only if you want an agent-accessible BrickLink store CLI. Keep the OAuth credentials private, prefer read-only commands unless you are certain, and require explicit confirmation before changing orders, inventory, payment status, sending Drive Thru email, or posting feedback.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent or user invokes the wrong mutating command, it could change order fields or statuses, create/update/delete inventory, send order email, or post/reply to feedback.

Why it was flagged

The skill intentionally exposes account-changing BrickLink operations, and the documentation discloses that they run without an extra confirmation step once invoked.

Skill content

**Write operations** (update-order, create-inventory, etc.) execute immediately — double-check parameters before running

Recommendation

Use read-only commands by default and require explicit user confirmation before any update, delete, feedback, or email-sending command.

What this means

Anyone or any agent process with access to these credentials can read store/order information and perform allowed store API actions.

Why it was flagged

BrickLink OAuth credentials are necessary for the advertised API integration, but they allow the skill to act through the user's BrickLink account.

Skill content

You need OAuth 1.0 credentials from BrickLink: Consumer Key, Consumer Secret, Token Value, Token Secret

Recommendation

Store credentials securely, avoid sharing the config file or environment, and revoke or rotate the BrickLink token if it is no longer needed.