WoW Lookup
PassAudited by ClawScan on May 10, 2026.
Overview
This skill appears to be a purpose-aligned World of Warcraft lookup helper, but users should notice that it references an external/local CLI and optional API secrets that are not backed by reviewed code in the provided artifacts.
This looks safe to use as documentation for WoW lookups, but the actual `wow` CLI code was not provided for review. Only run or install a `wow` executable you trust, and protect any Blizzard or Warcraft Logs client secrets you place in environment variables or config files.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may run the local `wow` command to answer WoW lookup questions; the safety of that command depends on the installed CLI outside this artifact set.
The skill instructs the agent to run local CLI commands and pipe output to `jq`. This is expected for a CLI-based lookup skill, but users should be aware that the reviewed artifact does not include the `wow` executable itself.
When the user asks about a WoW character: ```bash wow lookup charactername-realmname ... wow lookup charactername-realmname --raw | jq '.mythic_plus_scores_by_season[0].scores.all' ```
Install or use the `wow` CLI only from a source you trust, and review what it does before using optional credentials.
If configured, the skill or CLI may use your Blizzard or Warcraft Logs API client credentials to fetch additional game data.
The skill supports optional OAuth client credentials for Blizzard and Warcraft Logs integrations. These credentials are relevant to the stated purpose and are disclosed, with no artifact evidence of misuse.
Requires `BLIZZARD_CLIENT_ID` and `BLIZZARD_CLIENT_SECRET` ... Requires `WCL_CLIENT_ID` and `WCL_CLIENT_SECRET`
Use dedicated, least-privilege API clients where possible and avoid placing secrets in shared or world-readable config files.
If this install step is used, it may create or replace a global `wow` command with a target that was not included in the reviewed artifacts.
SKILL.md includes a shell install command that creates a global symlink to `$(pwd)/wow`, but the provided file manifest contains only SKILL.md and no `wow` executable. This creates a provenance/incomplete-review note.
install:
- id: symlink
kind: shell
command: "ln -sf $(pwd)/wow /usr/local/bin/wow"Before running the install step, confirm the `wow` executable exists, is from the expected source, and that you are comfortable writing to `/usr/local/bin`.