Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
clawdible -audiobooks
v1.0.1
Search, browse, and manage Audible audiobooks. Use when the user wants to search for audiobooks on Audible, view their library, get book details, purchase a...
by Ryan @ryandeathridge
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the delivered artifacts: scripts implement searching, library queries, info, wishlist and purchase via the unofficial 'audible' Python library. No unrelated env vars, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructs generation/completion of an Audible OAuth flow, running the included scripts, and storing auth at ~/.config/audible/auth.json. The instructions do not ask the agent to read unrelated system files or exfiltrate data to unexpected endpoints; external network activity is limited to Audible/Amazon and PyPI (for dependency installs).
Install Mechanism
There is no registry install spec; both scripts auto-install dependencies at first run using pip (audible, httpx) without pinned versions. This is coherent with the skill but carries the normal supply-chain risk of runtime pip installs from PyPI.
Credentials
No environment variables or external credentials are requested. The skill legitimately reads/writes auth files under ~/.config/audible (auth.json, auth_state.json) to store Audible tokens — this is expected for the stated purpose. The use of chmod 600 is appropriate. No other credentials or unrelated config paths are accessed.
Persistence & Privilege
Skill is not always-enabled and does not request elevated platform privileges or modify other skills' configurations. It stores its own auth under the user's home config directory only.
Assessment
This skill appears to do what it claims: it uses the unofficial 'audible' Python library to manage an Audible account and stores tokens under ~/.config/audible/auth.json. Before installing, consider: 1) The scripts will pip-install dependencies at first run without pinned versions — that can fetch arbitrary code from PyPI, so review/verify the 'audible' package and consider running in an isolated environment (virtualenv). 2) The auth flow requires pasting an Amazon redirect URL and will store credentials locally; review the auth file if you have concerns and ensure its permissions remain private. 3) Purchases require an explicit --confirm flag in the CLI, but avoid granting the agent autonomous privilege to execute purchase commands on your behalf. If you want extra safety, inspect the included Python files yourself or run them manually rather than letting an agent invoke them automatically.
Like a lobster shell, security has layers — review code before you run it.
