Plugin v1.8.1

ClawScan security

Trakt · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Apr 18, 2026, 1:25 AM)
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The plugin is a coherent wrapper around a local trakt-cli binary and only asks for the configuration and actions expected for a Trakt.tv integration — vet the external CLI binary before installing.
Guidance
This skill is a thin wrapper around a local trakt-cli binary — the plugin code is coherent with that purpose. Before installing or running it:
1) Review and trust the trakt-cli Go project (the SKILL.md instructs `go install github.com/omarshahine/trakt-plugin@latest`), because the binary will perform network calls and can act on your account.
2) Be aware the plugin can mark items watched or remove items on your Trakt account — avoid running destructive tools (history remove, watchlist remove) unless you intend those changes.
3) Supply clientId/clientSecret only if you trust how OAuth tokens will be handled, and consider using a test account if you want to verify behavior.
4) If you prefer, build or point to a vetted trakt-cli binary with TRAKT_CLI_PATH or the cliPath config to avoid installing an unreviewed binary.

Review Dimensions

Purpose & Capability
ok: The name/description, SKILL.md, and the TypeScript code all consistently implement a wrapper that shells out to a trakt-cli binary to search, view history/watchlist/progress, and mark items. Declared config (cliPath, clientId, clientSecret) matches the behavior (auth and CLI path resolution).
Instruction Scope
ok: SKILL.md only instructs installing and invoking the trakt-cli tool and documents that auth is stored in ~/.trakt.yaml. The runtime code only checks for the existence of that file, resolves a CLI path, builds argument arrays, and runs the binary via execFile/execFileSync (no arbitrary shell evaluation). The plugin will invoke the external CLI with user-supplied parameters (titles, flags), which is expected for this purpose.
Install Mechanism
note: The skill itself has no automated install spec (instruction-only), which is low-risk. However, the README/SKILL.md asks users to run `go install github.com/omarshahine/trakt-plugin@latest` to obtain the trakt-cli binary; that pulls code from GitHub (a normal/expected source), and the security of the setup depends on that external binary. You should review or trust the trakt-cli project before installing.
Credentials
ok: The plugin does not require unrelated environment variables. It optionally respects TRAKT_CLI_PATH (used to point to the CLI) and supports clientId/clientSecret in plugin config for OAuth — these are proportionate to the described functionality. It does check for the existence of ~/.trakt.yaml to detect configured auth (expected for the OAuth device flow).
Persistence & Privilege
ok: The plugin is not always-enabled and does not request elevated platform privileges or attempt to modify other skills. It only registers tools and invokes an external CLI at runtime.