Manage Readwise highlights, books, daily review, and Reader documents (save-for-later / read-it-later). Use when the user wants to save articles or URLs to Reader, browse their reading list, search saved documents, review highlights, create or manage highlights and notes, check their daily review, list books/sources, or interact with Readwise/Reader in any way.
Security Analysis
High confidence: The skill's behavior matches its Readwise/Reader purpose, but the declared metadata omits required credentials and binaries (READWISE_TOKEN, curl, jq), which is an incoherence you should resolve before installing.
Name/description match the included code: the bundled script talks only to Readwise (api.readwise.io) and Reader endpoints and implements document/highlight/book/review operations. However, the skill registry metadata claims no required environment variables or binaries while the SKILL.md and the included script clearly require READWISE_TOKEN and the presence of curl and jq. That mismatch is unexpected and should be corrected.
SKILL.md instructs use of the bundled CLI script and explicitly requires READWISE_TOKEN. The runtime instructions and examples only reference Readwise/Reader API endpoints and local CLI usage; they do not ask the agent to read unrelated files, system configuration, or send data to unknown endpoints. The script itself sets Authorization: Token ${READWISE_TOKEN} and makes calls only to readwise.io endpoints.
There is no external install specification; the skill is instruction-only plus a bundled shell script. No remote downloads or extract steps are present in the manifest, so nothing arbitrary is fetched during install.
The script and SKILL.md require a READWISE_TOKEN (used as Authorization header) and the binaries curl and jq, but the registry metadata lists none of these as required (primaryEnv is none). This is a material inconsistency: a token is necessary for the described functionality and should be declared as the primary credential. The script does not request other secrets, though.
The skill is not marked always:true and does not request persistent system-wide privileges. It does not modify other skills or system configs. Autonomous invocation is allowed (platform default) but not combined with other high-risk flags.
Guidance
This skill appears to do exactly what it says (managing Readwise/Reader items) and the bundled script only talks to readwise.io. However, the registry metadata omitted required items: the SKILL.md and scripts require a READWISE_TOKEN and the binaries curl and jq. Before installing, verify the source/trustworthiness of the skill author; confirm you are comfortable providing a READWISE_TOKEN (treat it as a secret) and consider generating a token with minimal scope. Inspect scripts/readwise.sh yourself to confirm no unexpected network calls beyond readwise.io, and ensure your environment has curl and jq available. Ask the publisher to update the registry metadata to declare READWISE_TOKEN as the primary credential and list required binaries; absent that, treat the mismatch as a warning and prefer a skill whose metadata matches its runtime requirements.
Latest Release
v1.0.0
Initial release of the Readwise skill, providing CLI integration for managing Readwise highlights and Reader documents.
- Save, list, search, update, and delete documents in Readwise Reader.
- Create, update, delete, and review highlights; manage books and daily reviews from your Readwise library.
- Tag articles, filter reading lists, and search both highlights and documents.
- All commands support JSON output, with optional pretty-printing.
- Includes API rate limits and supported categories/locations overview.
Published by @gchapim on ClawHub