Ryot

Complete Ryot media tracker with progress tracking, reviews, collections, analytics, calendar, and automated daily/weekly reports. Track TV shows, movies, bo...

This skill appears to do what it claims (talk to a self-hosted Ryot instance and manage media/tracking), but there are a few issues you should address before installing: 1) Metadata mismatch: The registry/package metadata does not declare the required config file or the dependency on the openclaw CLI, but SKILL.md and the scripts expect /home/node/clawd/config/ryot.json and use the openclaw command. Confirm the skill author corrects the manifest or document these requirements. 2) Sensitive config: The skill reads an API token from /home/node/clawd/config/ryot.json. Only create that config with a token you trust to be used for the stated Ryot operations. Restrict file permissions (e.g., 600) so only the intended user can read it. 3) Automation & external delivery: setup-automation.sh will create cron jobs that run periodically and (if you provide a WhatsApp number) send outputs to a WhatsApp channel via OpenClaw. If you do not want scheduled or external delivery of your viewing/activity data, do not run the setup script or skip entering a WhatsApp number. Review the cron job contents produced by openclaw cron list before confirming. 4) openclaw CLI dependency: The setup script invokes openclaw cron add. Ensure the openclaw binary on your system is the official, trusted CLI and that the account used to register cron jobs is the correct one. 5) Recommended checks: inspect the included Python scripts yourself (they are bundled and readable), run the scripts in dry-run/test mode against a non-production Ryot instance first, and run setup-automation.sh with --dry-run to verify what would be created. Ask the author to update the registry metadata to list the config path and required binaries so the requirements are explicit. If you want, I can enumerate the exact lines where the setup script calls openclaw and where scripts read the config file so you can review them quickly.

Type: OpenClaw Skill Name: ryot Version: 1.2.0 The skill is classified as suspicious due to the `scripts/setup-automation.sh` script. This script creates persistent cron jobs using the `openclaw cron add` command, a high-privilege action. It also directly incorporates user-provided input (`WHATSAPP_NUMBER`) into the `--to` argument of this command. While the stated purpose of setting up automated reports is benign, the capability to create persistent scheduled tasks and the direct use of unsanitized user input in a command argument for a powerful internal command represents a potential vulnerability (e.g., command injection if `openclaw cron add` is not robustly sanitizing its arguments). This constitutes a risky capability without clear evidence of intentional malicious behavior.