Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
letterboxd-companion
v1.0.0
Your personal movie assistant. Track what you watch, check your lists, and get movie info from Letterboxd instantly.
⭐ 1· 575·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description promise (fetch user stats, diaries, watchlists, movie details) matches the included code and SKILL.md. The package only needs a Letterboxd-scraping client (letterboxdpy) and does not request unrelated credentials or binaries.
Instruction Scope
Runtime instructions are narrowly scoped: run lb_tool.py with a username/slug and return JSON about public Letterboxd data. The SKILL.md does not instruct reading arbitrary files, other env vars, or posting data to unexpected endpoints.
Install Mechanism
No explicit install spec for the platform, but SKILL.md and requirements.txt require pip installing letterboxdpy from PyPI. Installing third-party packages is expected for this skill, but it does introduce the usual supply-chain considerations (trustworthiness of the letterboxdpy package).
Credentials
The skill declares no required environment variables, credentials, or config paths. The code does not read environment variables or other secrets, so requested access is proportional to its purpose.
Persistence & Privilege
Skill is not marked always:true and does not modify other skills or request persistent platform privileges. It runs as an on-demand helper invoking the included Python script.
Assessment
This skill appears to do exactly what it says: scrape public Letterboxd data using the letterboxdpy library. Before installing, consider whether you trust the letterboxdpy package (review its PyPI/homepage/repo if possible) because pip installing third-party packages is a supply-chain risk. Note the skill does not request any credentials — it only accesses public profiles — so it cannot read private Letterboxd data unless you explicitly provide private session info (which the skill does not ask for). Also be aware of minor bugs (e.g., the diary code hardcodes a 2026- prefix for dates) but these are functional issues rather than security problems.
Like a lobster shell, security has layers — review code before you run it.
latestvk97br0zqn2s2varrbnwmvsxk1181c4z8
