Talebook

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a legitimate Talebook API helper, but it can act with your Talebook credentials to edit, bulk-update, and email books when invoked.

Before installing, make sure you trust the Talebook server URL you configure and use a limited account if possible. Review any metadata edit, email/send, upload, or bulk autofill action before approving it, especially operations that target `all` books.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can act as the configured Talebook user, including admin-level actions if admin credentials are provided.

Why it was flagged

The helper logs in to the configured Talebook server using the supplied username and password, then uses session cookies for subsequent API calls.

Skill content
url = f"{self.host}/api/user/sign_in" ... data = f"username={self.username}&password={self.password}" ... self.session_cookies.update(resp.cookies.get_dict())

Recommendation

Use a least-privileged Talebook account when possible, avoid shared or global credential files, and prefer a localhost server, or HTTPS for servers that are not local, so the username and password are not sent in the clear.

What this means

A wrong invocation could overwrite titles, tags, categories, descriptions, or other metadata in the Talebook library.

Why it was flagged

The skill exposes a write endpoint that can change book metadata supplied in tool arguments.

Skill content
return self._call_with_auto_relogin("POST", f"/api/book/{book_id}/edit", json=body)

Recommendation

Review the exact book ID and fields before approving edits, fetch current metadata before replacing array fields like tags, and keep backups for important libraries.

What this means

If used accidentally, online metadata filling could propagate unwanted metadata changes across many books and may be difficult to stop mid-task.

Why it was flagged

A single autofill request can start an asynchronous job that affects the entire library.

Skill content
`idlist` | array or `"all"` ... `"all"` means the entire library is processed ... the task runs asynchronously in the background

Recommendation

Test autofill on a small list of book IDs first, avoid `all` unless explicitly intended, and back up the Talebook database before large batch operations.

What this means

Book files or library content could be sent outside the Talebook server if the wrong recipient is used.

Why it was flagged

The skill can send a selected book to an email address through the Talebook API.

Skill content
def mailto(self, args: Dict[str, Any]) ... "Send book to email as attachment" ... json={"email": email}

Recommendation

Confirm the destination email address and book ID before using mail/send features.