Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Brickset
v1.1.0
Human-friendly Brickset API v3 access for LEGO set lookup and Brickset automation. Use when you need to search LEGO sets, browse themes, years, or subthemes,...
⭐ 0 · 37 · 0 current · 0 all-time
by Stanislav Stankovic @stanestane
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and the bundled script clearly require a BRICKSET_API_KEY to call Brickset APIs, but the registry metadata lists no required environment variables or primary credential. That mismatch is incoherent (the skill does need an API key even though metadata doesn't declare it). Otherwise the requested functionality (searching sets, usage, instructions, raw calls) aligns with Brickset API usage.
Instruction Scope
The runtime instructions and CLI subcommands in SKILL.md map directly to calls to Brickset API methods (checkKey, getSets, getInstructions2, getAdditionalImages, etc.). The SKILL.md does not instruct the agent to read unrelated system files or send data to unexpected endpoints; it explicitly targets brickset.com API endpoints.
Install Mechanism
No install spec is provided (instruction-only with a bundled script). There is no remote download or archive extraction. The script is included in the skill bundle so nothing is fetched at install time.
Credentials
The script requires BRICKSET_API_KEY (via --api-key, environment, or workspace .env), but the registry metadata does not declare this. The code also scans for a .env file in the current directory and parent directories, which may read unrelated workspace secrets — although the script uses the .env only to obtain BRICKSET_API_KEY, the behavior broadens the surface that could accidentally pick up credentials stored in a parent .env.
Persistence & Privilege
The skill does not request always: true and does not modify other skills or system-wide configurations. It runs as a normal user-space CLI calling Brickset endpoints.
What to consider before installing
This skill mostly looks like a straightforward Brickset API CLI, but note two issues before installing: (1) the skill requires BRICKSET_API_KEY (per SKILL.md and the script) even though the registry metadata doesn't declare any required env vars — confirm you are comfortable providing your Brickset API key. (2) The bundled script searches for a .env file in the current directory and parent directories to find BRICKSET_API_KEY; if you keep other secrets in a parent .env, they won't be used by the script but the script will read that file — consider keeping your API key in a dedicated .env or pass it explicitly with --api-key. If you want higher assurance, review the full scripts/brickset.py content locally or run the script in an isolated environment before providing credentials.
Like a lobster shell, security has layers — review code before you run it.
latestvk97fbee4wbvjk1v7v6b4gh810x84vtw8
