← Back to Skills Marketplace
Ryot
by
Federico Liva
· GitHub ↗
· v1.2.0
479
Downloads
0
Stars
2
Active Installs
7
Versions
Install in OpenClaw
/install ryot
Description
Complete Ryot media tracker with progress tracking, reviews, collections, analytics, calendar, and automated daily/weekly reports. Track TV shows, movies, bo...
Usage Guidance
This skill appears to do what it claims (talk to a self-hosted Ryot instance and manage media/tracking), but there are a few issues you should address before installing:
1) Metadata mismatch: The registry/package metadata does not declare the required config file or the dependency on the openclaw CLI, but SKILL.md and the scripts expect /home/node/clawd/config/ryot.json and use the openclaw command. Confirm the skill author corrects the manifest or document these requirements.
2) Sensitive config: The skill reads an API token from /home/node/clawd/config/ryot.json. Only create that config with a token you trust to be used for the stated Ryot operations. Restrict file permissions (e.g., 600) so only the intended user can read it.
3) Automation & external delivery: setup-automation.sh will create cron jobs that run periodically and (if you provide a WhatsApp number) send outputs to a WhatsApp channel via OpenClaw. If you do not want scheduled or external delivery of your viewing/activity data, do not run the setup script or skip entering a WhatsApp number. Review the cron job contents produced by openclaw cron list before confirming.
4) openclaw CLI dependency: The setup script invokes openclaw cron add. Ensure the openclaw binary on your system is the official, trusted CLI and that the account used to register cron jobs is the correct one.
5) Recommended checks: inspect the included Python scripts yourself (they are bundled and readable), run the scripts in dry-run/test mode against a non-production Ryot instance first, and run setup-automation.sh with --dry-run to verify what would be created. Ask the author to update the registry metadata to list the config path and required binaries so the requirements are explicit.
If you want, I can enumerate the exact lines where the setup script calls openclaw and where scripts read the config file so you can review them quickly.
Capability Analysis
Type: OpenClaw Skill
Name: ryot
Version: 1.2.0
The skill is classified as suspicious due to the `scripts/setup-automation.sh` script. This script creates persistent cron jobs using the `openclaw cron add` command, a high-privilege action. It also directly incorporates user-provided input (`WHATSAPP_NUMBER`) into the `--to` argument of this command. While the stated purpose of setting up automated reports is benign, the capability to create persistent scheduled tasks and the direct use of unsanitized user input in a command argument for a powerful internal command represents a potential vulnerability (e.g., command injection if `openclaw cron add` is not robustly sanitizing its arguments). This constitutes a risky capability without clear evidence of intentional malicious behavior.
Capability Assessment
Purpose & Capability
The SKILL.md and scripts clearly implement a Ryot GraphQL client and automation (search, mark progress, calendar, reports) which aligns with the name/description. However, the skill's runtime docs declare a required config file (/home/node/clawd/config/ryot.json) and use the openclaw CLI in setup-automation.sh, yet the package/registry metadata lists no required config paths, env vars, or required binaries — a mismatch that can hide required privileges or preconditions.
Instruction Scope
Runtime instructions and scripts read a local config containing an API token and perform GraphQL calls to the user-provided Ryot instance — expected for this functionality. The setup script, however, prompts for a WhatsApp number and uses openclaw cron add to create recurring jobs that run scripts and deliver their output to WhatsApp via an OpenClaw channel and a specified model. That establishes an external data delivery pathway (user activity, recent media, analytics) that will run autonomously once scheduled. The SKILL.md does describe the automation, but the creation of persistent jobs and external delivery is a material behavior users must explicitly understand.
Install Mechanism
There is no install spec (instruction-only install), and all code is included in the skill bundle (Python scripts + a shell setup script). No third-party downloads occur. This is lower risk than fetching arbitrary code, but the setup script depends on the openclaw CLI being present and usable — which is not declared in the registry metadata.
Credentials
The scripts require a single local config file with 'url' and 'api_token' for the user's Ryot instance — this is proportionate to the stated purpose. Concerns: (1) the registry metadata did not advertise this required credential/config path (inconsistency), and (2) the automation will forward user data (recent activity, analytics) to an external channel (WhatsApp) if configured, which elevates the sensitivity of the API token and the data being collected.
Persistence & Privilege
The skill itself is not 'always:true', but the provided setup-automation.sh creates cron jobs via openclaw cron add that persist and run autonomously on a schedule, sending output off-agent. That creates persistent, autonomous behavior (scheduled data export) that goes beyond one-off command execution and increases the blast radius if misconfigured or abused.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install ryot - After installation, invoke the skill by name or use
/ryot - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.0
Added bulk episode marking script for marking multiple episodes at once
v1.1.0
Major release: Added reviews, collections, analytics, calendar, and automated daily/weekly reports via setup-automation.sh. One-command cron job setup for daily upcoming episodes, weekly stats, and recent activity.
v1.0.4
Added progress command to check viewing/reading progress for TV shows. Shows current episode vs total episodes with percentage completion.
v1.0.3
Add setup instructions: user must configure Ryot instance URL and API token before use
v1.0.2
Remove personal instance URL from examples
v1.0.1
Fix: Declare required credentials in metadata (url + api_token in config/ryot.json)
v1.0.0
Initial release: Track TV shows, movies, books, anime, games via Ryot GraphQL API
Metadata
Frequently Asked Questions
What is Ryot?
Complete Ryot media tracker with progress tracking, reviews, collections, analytics, calendar, and automated daily/weekly reports. Track TV shows, movies, bo... It is an AI Agent Skill for Claude Code / OpenClaw, with 479 downloads so far.
How do I install Ryot?
Run "/install ryot" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Ryot free?
Yes, Ryot is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Ryot support?
Ryot is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Ryot?
It is built and maintained by Federico Liva (@f-liva); the current version is v1.2.0.
More Skills