Brickset
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could potentially make Brickset account or collection changes if it has the needed user hash or credentials, not just perform LEGO set lookups.
This exposes an unrestricted Brickset API escape hatch, including account and collection-management operations, without documented confirmation, read-only limits, or reversibility guidance.
`raw` — call any Brickset method directly when the built-in subcommands are not enough ... Use `raw` for methods like `login`, `checkUserHash`, `getReviews`, `getCollection`, or collection-management calls that are not wrapped yet.
Use the wrapped read-only commands when possible, and require explicit user approval before any raw method involving login, userHash, collection access, or collection changes.
Providing an API key or user hash may let the skill access Brickset account-specific data and potentially perform authenticated account operations through raw methods.
The skill requires an API key and also documents account-scoped userHash use for collection access, while the registry metadata declares no primary credential or required env vars.
`BRICKSET_API_KEY` must be set in the environment or workspace `.env`, or passed with `--api-key` ... `python {{baseDir}}/scripts/brickset.py --format text raw getCollection --param userHash=<hash>`Provide only the minimum credential needed, avoid sharing userHash or login credentials unless the requested action truly needs them, and verify raw calls before execution.