Book Fetch

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A downloaded file could be uploaded into a MEGA account/session the user did not expect, changing cloud storage contents.

Why it was flagged

The code uses any configured MegaCMD session before falling back to rclone. SKILL.md setup emphasizes rclone, so the actual MEGA account used may be an ambient MegaCMD login not clearly declared to the user.

Skill content

if not _cmd_exists("mega-put"):
    print("⚠️  megacmd not found. Trying rclone...")
    return upload_via_rclone(filepath, mega_folder)
...
subprocess.run(["mega-put", str(filepath), f"{mega_folder}/"], ...)

Recommendation

Declare the exact credential sources and account selection behavior, prefer the documented rclone remote, and ask for confirmation before uploading.

What this means

The wrong ebook may be downloaded and uploaded automatically, especially for ambiguous titles.

Why it was flagged

Unless dry-run or interactive picking is used, the script selects the first result, downloads it, and uploads it. This is purpose-aligned but can exceed a search-only intent.

Skill content

parser.add_argument("--dry-run", action="store_true", help="Search only, do not download")
parser.add_argument("--pick", type=int, default=0, help="Pick result index (0=first, -1=interactive)")
...
filepath = download_file(dl_url, DOWNLOAD_DIR, filename)
...
upload_to_mega(filepath)

Recommendation

Use --dry-run for search-only requests and --pick -1 or an explicit --pick value before downloading or uploading.

What this means

The skill may behave differently depending on local system configuration, installed packages, and DNS/hosts setup.

Why it was flagged

The skill assumes a preexisting system-level hosts override and prebuilt Python environment rather than declaring or pinning the setup in an install spec.

Skill content

Anna's Archive is DNS-blocked on the VPS. The `/etc/hosts` override is already in place:
```
186.2.165.77 annas-archive.li
```
...
- venv: `~/clawd/.venv-books/` (requests, beautifulsoup4, lxml)

Recommendation

Verify the hosts entry, Python environment, and package sources before use; prefer a declared, pinned install process.