Anytype

Review

Audited by ClawScan on May 10, 2026.

Overview

This Anytype skill is mostly coherent, but it ships private-looking workspace and invite details and can make destructive Anytype changes, so it should be reviewed before use.

Before installing, remove or replace the bundled SETUP.md values, use a limited dedicated Anytype bot account, verify the anytype CLI source, and require confirmation before any delete/recreate or space-management action.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent may target or expose the wrong Anytype space, and the published identifiers may reveal private workspace structure or invite-related details.

Why it was flagged

A public skill artifact contains private-looking Anytype workspace, invite, hash, collection, tag, and project configuration despite saying it is not for publishing.

Skill content

This file holds instance-specific config for the Anytype skill. Not for publishing. ... **Primary space ID:** ... **Invite ID:** ... **Hash:** ...

Recommendation

Remove SETUP.md from the published skill, rotate or invalidate any sensitive invite/link values, and require each user to provide their own local space/tag configuration.

What this means

Anyone or any agent with access to that key may be able to read or modify Anytype spaces available to the bot account.

Why it was flagged

The skill needs an Anytype API key and stores/loads it from the workspace environment, which is expected for this integration but grants account-level API access.

Skill content

Auth: `Authorization: Bearer <ANYTYPE_API_KEY>` (key stored in `.env` as `ANYTYPE_API_KEY`)

Recommendation

Use a dedicated bot account with access only to intended spaces, protect the .env file, and revoke the key if it is no longer needed.

What this means

Content updates may delete existing objects, change object IDs, and require references to be manually repaired.

Why it was flagged

The documented normal update path can delete and recreate Anytype objects, which is purpose-related and warned about, but can break references or lose data if used incorrectly.

Skill content

**The only reliable way to update an object's content is: DELETE + recreate.** ... **This is destructive.** Always save the old content before deleting

Recommendation

Require explicit user confirmation before delete/recreate operations, back up the existing object body and metadata, and limit changes to specific user-approved object IDs.

What this means

A local service may remain active and accessible to authorized local clients after the initial setup.

Why it was flagged

The setup starts a persistent local Anytype service. This is disclosed and appears necessary for the localhost API, but it keeps running beyond a single task.

Skill content

# 2. Install and start as a user service
anytype service install
anytype service start

Recommendation

Install the service only if you need ongoing Anytype API access, and know how to stop or uninstall it when no longer needed.

What this means

Users must trust that the separately installed anytype CLI is authentic and compatible.

Why it was flagged

The skill depends on an external CLI installed outside the provided artifacts, with no pinned version or install spec in the review package.

Skill content

Binary: `anytype` (install via https://github.com/anyproto/anytype-cli)

Recommendation

Install the CLI from the official project, verify the release/version, and avoid running unreviewed install scripts.