← 返回 Skills 市场

letterboxd-companion

Name: letterboxd-companion
Author: tamil-9421

作者 tamil-9421 · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

661

总下载

当前安装

版本数

在 OpenClaw 中安装

/install letterboxd-tracker

功能描述

Your personal movie assistant. Track what you watch, check your lists, and get movie info from Letterboxd instantly.

使用说明 (SKILL.md)

Letterboxd Skill

This skill allows the agent to retrieve information about movies or user activity from Letterboxd.

Setup

pip install letterboxdpy

Usage

Use this when the user asks about:

Their Letterboxd profile stats
Movies they've watched recently
Their watchlist
Specific movie details

Commands

`lb_user`

command: python lb_tool.py user "{{username}}"
description: Gets user profile stats (watched count, reviews, lists, favorites)
parameters:
- username: The Letterboxd username

`lb_diary`

command: python lb_tool.py diary "{{username}}" [limit]
description: Gets recently watched movies from user's diary
parameters:
- username: The Letterboxd username
- limit: Optional, default 10

`lb_watchlist`

command: python lb_tool.py watchlist "{{username}}" [limit]
description: Gets movies in user's watchlist
parameters:
- username: The Letterboxd username
- limit: Optional, default 10

`lb_movie`

command: python lb_tool.py movie "{{slug}}"
description: Gets movie details (title, year, rating, directors, description)
parameters:
- slug: Movie URL slug (e.g., vikram-2022, the-batman)

Examples

User: "How many movies have I watched on Letterboxd?" Agent: (Calls lb_user with username="tamilventhan")

User: "What movies did I watch recently?" Agent: (Calls lb_diary with username="tamilventhan")

User: "Show my watchlist" Agent: (Calls lb_watchlist with username="tamilventhan")

User: "Tell me about the movie Vikram" Agent: (Calls lb_movie with slug="vikram-2022")

安全使用建议

This skill appears to do exactly what it says: scrape public Letterboxd data using the letterboxdpy library. Before installing, consider whether you trust the letterboxdpy package (review its PyPI/homepage/repo if possible) because pip installing third-party packages is a supply-chain risk. Note the skill does not request any credentials — it only accesses public profiles — so it cannot read private Letterboxd data unless you explicitly provide private session info (which the skill does not ask for). Also be aware of minor bugs (e.g., the diary code hardcodes a 2026- prefix for dates) but these are functional issues rather than security problems.

功能分析

Type: OpenClaw Skill Name: letterboxd-tracker Version: 1.0.0 The skill is classified as suspicious due to a potential shell injection vulnerability identified in `SKILL.md`. The command definitions, such as `python lb_tool.py user "{{username}}"`, directly embed user-controlled parameters into a shell command string. If the OpenClaw agent does not properly sanitize or escape the `{{username}}` (or `{{slug}}`, `[limit]`) input before execution, an attacker could inject arbitrary shell commands, leading to potential Remote Code Execution (RCE). The Python script `lb_tool.py` itself appears benign and performs its stated purpose.

能力评估

✓ Purpose & Capability

Name/description promise (fetch user stats, diaries, watchlists, movie details) matches the included code and SKILL.md. The package only needs a Letterboxd-scraping client (letterboxdpy) and does not request unrelated credentials or binaries.

✓ Instruction Scope

Runtime instructions are narrowly scoped: run lb_tool.py with a username/slug and return JSON about public Letterboxd data. The SKILL.md does not instruct reading arbitrary files, other env vars, or posting data to unexpected endpoints.

ℹ Install Mechanism

No explicit install spec for the platform, but SKILL.md and requirements.txt require pip installing letterboxdpy from PyPI. Installing third-party packages is expected for this skill, but it does introduce the usual supply-chain considerations (trustworthiness of the letterboxdpy package).

✓ Credentials

The skill declares no required environment variables, credentials, or config paths. The code does not read environment variables or other secrets, so requested access is proportional to its purpose.

✓ Persistence & Privilege

Skill is not marked always:true and does not modify other skills or request persistent platform privileges. It runs as an on-demand helper invoking the included Python script.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install letterboxd-tracker
安装完成后，直接呼叫该 Skill 的名称或使用 /letterboxd-tracker 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Your personal movie assistant. Track what you watch, check your lists, and get movie info from Letterboxd instantly.

元数据

Slug letterboxd-tracker

版本 1.0.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题