Beeminder
PassAudited by ClawScan on May 10, 2026.
Overview
This is a straightforward Beeminder API skill, but it needs your Beeminder token and includes commands that can change or delete datapoints.
Install only if you are comfortable giving the agent access to your Beeminder API token. Use it mainly for checking goals, and require explicit confirmation before adding, updating, or deleting datapoints.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A wrong goal slug, value, comment, or datapoint ID could change the user's Beeminder tracking and commitment status.
These examples can add, update, or delete Beeminder datapoints. That is purpose-aligned for this skill, but it changes account data and should be performed only with clear user intent.
### Add datapoint ... curl -s -X POST ... ### Update datapoint ... curl -s -X PUT ... ### Delete datapoint ... curl -s -X DELETE
Before any POST, PUT, or DELETE request, confirm the target goal, datapoint, value, and comment with the user; use the documented requestid option for idempotent adds.
Anyone or any agent process with access to the token can call Beeminder APIs as the user within the token's permissions.
The skill needs a personal Beeminder auth token, which is expected for this API integration, but the registry metadata does not declare required env vars or a primary credential.
Set two env vars: - `BEEMINDER_USERNAME` ... - `BEEMINDER_AUTH_TOKEN` - personal auth token
Store the token only in a trusted environment or secret manager, avoid exposing it in logs or chat, and rotate it if it is accidentally shared; the skill metadata should declare this credential requirement.