Mastodon Scout
v2.0.1
Read-only Mastodon skill. Outputs human-readable timeline summaries or raw JSON.
by Hiren Patel (@patelhiren)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The code and SKILL.md implement a read-only Mastodon client that fetches timelines, mentions, user posts, and search results — this matches the name and description. However, the registry metadata lists no required environment variables while the SKILL.md (and the script) require MASTODON_TOKEN (required) and optionally MASTODON_INSTANCE. That metadata mismatch should be corrected but does not indicate malicious behavior.
Instruction Scope
SKILL.md limits runtime actions to invoking the bundled Python script and (optionally) helping the user create a read-only token. The instructions do not request reading unrelated files, scanning the host, or sending data to unexpected endpoints. The script only contacts the Mastodon instance provided by the user or the default instance.
Install Mechanism
No install spec; the skill is instruction-only with a bundled Python script that uses the Python standard library. Nothing is downloaded or written to disk beyond the existing script, so install risk is low.
Credentials
The script requires a single OAuth bearer token (MASTODON_TOKEN) and optionally uses MASTODON_INSTANCE and an environment LIMIT fallback. These are proportionate to a Mastodon read-only client. Small issues: registry metadata omitted these env vars while SKILL.md declares them (and metadata inside SKILL.md also lists them). Also LIMIT is read from env but not declared in the registry metadata. These are metadata inconsistencies rather than overbroad credential requests.
Persistence & Privilege
The skill does not request persistent/always-on inclusion (always: false), does not modify other skills or system config, and does not write credentials to disk. It behaves as a normal user-invoked skill.
Assessment
This skill appears to do exactly what it claims: a read-only Mastodon timeline/search helper implemented in a small Python script. Before installing: (1) confirm the registry metadata is updated to declare MASTODON_TOKEN (and optionally MASTODON_INSTANCE/LIMIT) so you know what will be required; (2) create a Mastodon application token with only the read scope (the SKILL.md explicitly recommends this) and keep the token secret — do not paste it into public logs or version control; (3) verify the Mastodon instance URL you provide is correct (the script will call whatever instance you pass); and (4) if you allow autonomous invocation of skills, remember this one can run with your token when invoked, so avoid granting it overly broad tokens. If you want extra assurance, inspect the included scripts/mastodon_scout.py locally before running it — it uses only stdlib network calls and only performs GET requests to standard Mastodon API endpoints.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Environment variables
MASTODON_TOKEN (required)
MASTODON_INSTANCE (optional)