Bricklink

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent or user invokes the wrong mutating command, it could change order fields or statuses, create/update/delete inventory, send order email, or post/reply to feedback.

Why it was flagged

The skill intentionally exposes account-changing BrickLink operations, and the documentation discloses that they run without an extra confirmation step once invoked.

Skill content

**Write operations** (update-order, create-inventory, etc.) execute immediately — double-check parameters before running

Recommendation

Use read-only commands by default and require explicit user confirmation before any update, delete, feedback, or email-sending command.

What this means

Anyone or any agent process with access to these credentials can read store/order information and perform allowed store API actions.

Why it was flagged

BrickLink OAuth credentials are necessary for the advertised API integration, but they allow the skill to act through the user's BrickLink account.

Skill content

You need OAuth 1.0 credentials from BrickLink: Consumer Key, Consumer Secret, Token Value, Token Secret

Recommendation

Store credentials securely, avoid sharing the config file or environment, and revoke or rotate the BrickLink token if it is no longer needed.