Complete Ryot media tracker with progress tracking, reviews, collections, analytics, calendar, and automated daily/weekly reports. Track TV shows, movies, bo...
Security Analysis
Confidence: medium

The skill's code and instructions largely match a Ryot media-tracking purpose, but there are inconsistencies and a few operational behaviors (cron creation via the openclaw CLI and automatic WhatsApp delivery) that are not declared in the registry metadata and that increase risk.
The SKILL.md and scripts clearly implement a Ryot GraphQL client and automation (search, mark progress, calendar, reports) which aligns with the name/description. However, the skill's runtime docs declare a required config file (/home/node/clawd/config/ryot.json) and use the openclaw CLI in setup-automation.sh, yet the package/registry metadata lists no required config paths, env vars, or required binaries — a mismatch that can hide required privileges or preconditions.
Runtime instructions and scripts read a local config containing an API token and perform GraphQL calls to the user-provided Ryot instance — expected for this functionality. The setup script, however, prompts for a WhatsApp number and uses openclaw cron add to create recurring jobs that run scripts and deliver their output to WhatsApp via an OpenClaw channel and a specified model. That establishes an external data delivery pathway (user activity, recent media, analytics) that will run autonomously once scheduled. The SKILL.md does describe the automation, but the creation of persistent jobs and external delivery is a material behavior users must explicitly understand.
There is no install spec (instruction-only install), and all code is included in the skill bundle (Python scripts + a shell setup script). No third-party downloads occur. This is lower risk than fetching arbitrary code, but the setup script depends on the openclaw CLI being present and usable — which is not declared in the registry metadata.
The scripts require a single local config file with 'url' and 'api_token' for the user's Ryot instance — this is proportionate to the stated purpose. Concerns: (1) the registry metadata did not advertise this required credential/config path (inconsistency), and (2) the automation will forward user data (recent activity, analytics) to an external channel (WhatsApp) if configured, which elevates the sensitivity of the API token and the data being collected.
The skill itself is not 'always:true', but the provided setup-automation.sh creates cron jobs via openclaw cron add that persist and run autonomously on a schedule, sending output off-agent. That creates persistent, autonomous behavior (scheduled data export) that goes beyond one-off command execution and increases the blast radius if misconfigured or abused.
Guidance
This skill appears to do what it claims (talk to a self-hosted Ryot instance and manage media/tracking), but there are a few issues you should address before installing:

1) Metadata mismatch: The registry/package metadata does not declare the required config file or the dependency on the openclaw CLI, but SKILL.md and the scripts expect /home/node/clawd/config/ryot.json and use the openclaw command. Confirm that the skill author corrects the manifest or documents these requirements.

2) Sensitive config: The skill reads an API token from /home/node/clawd/config/ryot.json. Only create that config with a token you trust to be used for the stated Ryot operations. Restrict file permissions (e.g., 600) so only the intended user can read it.

3) Automation and external delivery: setup-automation.sh will create cron jobs that run periodically and (if you provide a WhatsApp number) send outputs to a WhatsApp channel via OpenClaw. If you do not want scheduled or external delivery of your viewing/activity data, do not run the setup script, or skip entering a WhatsApp number. Review the cron job contents produced by openclaw cron list before confirming.

4) openclaw CLI dependency: The setup script invokes openclaw cron add. Ensure the openclaw binary on your system is the official, trusted CLI and that the account used to register cron jobs is the correct one.

5) Recommended checks: inspect the included Python scripts yourself (they are bundled and readable), run the scripts in dry-run/test mode against a non-production Ryot instance first, and run setup-automation.sh with --dry-run to verify what would be created. Ask the author to update the registry metadata to list the config path and required binaries so the requirements are explicit.

If you want, I can enumerate the exact lines where the setup script calls openclaw and where scripts read the config file so you can review them quickly.
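As an added pre-install check (not part of the skill or of this analysis), the script below audits the config file that points 2 and 5 above describe: it verifies that ryot.json is owned by the current user, carries no group/other permission bits (mode 0600), and contains exactly the documented 'url' and 'api_token' keys, and it resolves which openclaw binary the setup script would actually call. The sample URL and token in the demo helper are constructed placeholders; the config path is the one SKILL.md expects.

```python
import json
import os
import shutil
import stat
import tempfile

RYOT_CONFIG = "/home/node/clawd/config/ryot.json"  # path SKILL.md expects
EXPECTED_KEYS = {"url", "api_token"}               # documented config keys

def audit_ryot_config(path=RYOT_CONFIG):
    """Return a list of findings (empty means pass): file exists, owned by the
    current user, mode 0600 with no group/other bits, exactly the documented
    keys, non-empty token. The token value itself is never returned."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"missing: {path}"]
    if st.st_uid != os.getuid():
        findings.append("owner: config is not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"perms: mode {stat.S_IMODE(st.st_mode):04o} is group/world accessible, expected 0600")
    try:
        with open(path) as fh:
            cfg = json.load(fh)
    except (OSError, ValueError) as exc:
        return findings + [f"parse: {type(exc).__name__}"]
    if not isinstance(cfg, dict):
        return findings + ["schema: top level is not a JSON object"]
    if missing := EXPECTED_KEYS - cfg.keys():
        findings.append(f"schema: missing keys {sorted(missing)}")
    if extra := cfg.keys() - EXPECTED_KEYS:
        findings.append(f"schema: unexpected keys {sorted(extra)}")
    if not isinstance(cfg.get("api_token"), str) or not cfg.get("api_token"):
        findings.append("token: api_token is empty or not a string")
    return findings

def locate_openclaw():
    """Resolved path of the openclaw CLI that setup-automation.sh would call, or None."""
    return shutil.which("openclaw")

def write_sample_config(mode, extra=None):
    """Constructed demo helper: write a throwaway ryot.json with the given mode."""
    cfg = {"url": "https://ryot.example.invalid", "api_token": "DEMO-TOKEN"}
    cfg.update(extra or {})
    path = os.path.join(tempfile.mkdtemp(), "ryot.json")
    with open(path, "w") as fh:
        json.dump(cfg, fh)
    os.chmod(path, mode)  # chmod after writing so the umask cannot widen it
    return path
```

Run `audit_ryot_config()` against the real path before executing setup-automation.sh; any "perms:" or "schema:" finding is worth resolving first.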
Latest Release
v1.2.0
Added bulk episode marking script for marking multiple episodes at once
Published by @f-liva on ClawHub