ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Brickset

v1.1.0

Human-friendly Brickset API v3 access for LEGO set lookup and Brickset automation. Use when you need to search LEGO sets, browse themes, years, or subthemes,...

0· 69·0 current·0 all-time
byStanislav Stankovic@stanestane

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for stanestane/brickset.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Brickset" (stanestane/brickset) from ClawHub.
Skill page: https://clawhub.ai/stanestane/brickset
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install brickset

ClawHub CLI

Package manager switcher

npx clawhub@latest install brickset
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md and the bundled script clearly require a BRICKSET_API_KEY to call Brickset APIs, but the registry metadata lists no required environment variables or primary credential. That mismatch is incoherent (the skill does need an API key even though metadata doesn't declare it). Otherwise the requested functionality (searching sets, usage, instructions, raw calls) aligns with Brickset API usage.
Instruction Scope
The runtime instructions and CLI subcommands in SKILL.md map directly to calls to Brickset API methods (checkKey, getSets, getInstructions2, getAdditionalImages, etc.). The SKILL.md does not instruct the agent to read unrelated system files or send data to unexpected endpoints; it explicitly targets brickset.com API endpoints.
Install Mechanism
No install spec is provided (instruction-only with a bundled script). There is no remote download or archive extraction. The script is included in the skill bundle so nothing is fetched at install time.
!
Credentials
The script requires BRICKSET_API_KEY (via --api-key, environment, or workspace .env), but the registry metadata does not declare this. The code also scans for a .env file in the current directory and parent directories, which may read unrelated workspace secrets — although the script uses the .env only to obtain BRICKSET_API_KEY, the behavior broadens the surface that could accidentally pick up credentials stored in a parent .env.
Persistence & Privilege
The skill does not request always: true and does not modify other skills or system-wide configurations. It runs as a normal user-space CLI calling Brickset endpoints.
What to consider before installing
This skill mostly looks like a straightforward Brickset API CLI, but note two issues before installing: (1) the skill requires BRICKSET_API_KEY (per SKILL.md and the script) even though the registry metadata doesn't declare any required env vars — confirm you are comfortable providing your Brickset API key. (2) The bundled script searches for a .env file in the current directory and parent directories to find BRICKSET_API_KEY; if you keep other secrets in a parent .env, they won't be used by the script but the script will read that file — consider keeping your API key in a dedicated .env or pass it explicitly with --api-key. If you want higher assurance, review the full scripts/brickset.py content locally or run the script in an isolated environment before providing credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fbee4wbvjk1v7v6b4gh810x84vtw8
69downloads
0stars
2versions
Updated 2w ago
v1.1.0
MIT-0
Stanislav Stankovic@stanestane
latest
Download

Brickset

Use this skill for real Brickset API v3 operations with either raw JSON output or readable text summaries.

Requirements

  • BRICKSET_API_KEY must be set in the environment or workspace .env, or passed with --api-key
  • Python 3.10+

What works well

  • check-key — validate the API key
  • usage-stats — inspect 30-day API usage
  • themes — list Brickset themes
  • subthemes — list subthemes for a theme
  • years — list release years, globally or per theme
  • search — simple wrapper around getSets
  • get-sets — raw getSets access with JSON params
  • instructions2 — fetch instructions by set number
  • additional-images — fetch extra image URLs by Brickset setID
  • raw — call any Brickset method directly when the built-in subcommands are not enough

Output modes

  • Default: JSON for scripting and automation
  • --format text: readable summaries for humans

Commands

# Validate key
python {{baseDir}}/scripts/brickset.py --format text check-key

# Usage stats
python {{baseDir}}/scripts/brickset.py --format text usage-stats

# Browse catalog metadata
python {{baseDir}}/scripts/brickset.py --format text themes
python {{baseDir}}/scripts/brickset.py --format text subthemes Technic
python {{baseDir}}/scripts/brickset.py --format text years
python {{baseDir}}/scripts/brickset.py --format text years --theme Space

# Search sets
python {{baseDir}}/scripts/brickset.py --format text search "Galaxy Explorer" --page-size 5
python {{baseDir}}/scripts/brickset.py --format text search Blacktron --theme Space --page-size 10 --order-by YearFromDESC
python {{baseDir}}/scripts/brickset.py get-sets --params '{"setNumber":"6990-1","extendedData":1}'

# Instructions and images
python {{baseDir}}/scripts/brickset.py --format text instructions2 10497-1
python {{baseDir}}/scripts/brickset.py --format text additional-images 1700

# Direct/raw API access
python {{baseDir}}/scripts/brickset.py raw getReviews --param setID=1700
python {{baseDir}}/scripts/brickset.py --format text raw getCollection --param userHash=<hash>

Notes

  • getSets consumes Brickset API quota.
  • Brickset's getSets endpoint is happier when userHash is present, so the CLI sends an empty one automatically for anonymous searches.
  • Use raw for methods like login, checkUserHash, getReviews, getCollection, or collection-management calls that are not wrapped yet.

Reference

  • Read references/api.md when you need the compact parameter guide for getSets or a reminder of which methods are available.

Script

  • scripts/brickset.py — main CLI entrypoint

Comments

Loading comments...