📦 Calibre Metadata Apply — 元数据批量写入

v1.0.4

在 Calibre 内容服务器运行期间，批量修改电子书元数据的写操作技能，支持标题、作者、标签、封面等字段的增删改。

0· 868·2 当前·2 累计

by @nextaltair (Altair)

文件处理自动化

下载技能包

最后更新

2026/4/22

安全扫描

VirusTotal

无害

查看报告

OpenClaw

可疑

medium confidence

NULL

评估建议

This skill is functionally coherent for editing Calibre metadata, but review and limit sensitive behaviors before use: - Avoid storing credentials in plaintext. Do not use `--save-plain-password`. Prefer exporting CALIBRE_PASSWORD in the environment and pass via `--password-env CALIBRE_PASSWORD` rather than inline `--password` on the command line. - Be aware the scripts automatically load .env files from the current directory and ~/.openclaw/.env. Remove unrelated secrets from those files (e.g....

详细分析 ▾

✓ 用途与能力

Name/description align with required binaries and behavior: it legitimately requires `calibredb` and Node, and the main declared credential is CALIBRE_PASSWORD. The included scripts implement metadata lookups, dry-run/apply flow, and run-state management consistent with an edit/apply skill.

⚠ 指令范围

SKILL.md and scripts stick to metadata-edit workflows, but the skill explicitly supports using a subagent for heavy analysis and notes that 'text/metadata sent to subagent can reach model endpoints configured by runtime profile.' That means metadata (and possibly other text) can be forwarded to external model endpoints unless the caller disables subagent processing. The scripts also read local dotfiles (.env in cwd and ~/.openclaw/.env) automatically to hydrate env vars, which may pull unrelated secrets into the process if present. The README/policy allow saving auth and even saving plain passwords if the user requests it—this broadens the data surface beyond the simple 'apply metadata' claim.

✓ 安装机制

No external installer or remote download is declared; this is instruction+scripts only. That keeps install risk low because nothing is fetched from arbitrary URLs during install.

⚠ 凭证需求

The registry lists only CALIBRE_PASSWORD as required, which is appropriate, but the code automatically hydrates .env files (process.cwd()/.env and ~/.openclaw/.env) and will set any variables found there. That can unexpectedly import unrelated secrets into the skill's environment. The script also can accept/insert a plaintext password onto calibredb command lines (it builds commands with `--password <value>` if `auth.password` is present) and the README documents optional saving of auth (including a --save-plain-password option). These behaviors increase the chance credentials are exposed (process lists, logs, or config files).

⚠ 持久化与权限

The skill writes local state at skills/.../state/runs.json (declared) and documents an auth cache at ~/.config/calibre-metadata-apply/auth.json; README explicitly allows saving auth and even plain passwords via `--save-plain-password`. 'always' is false, and the skill does not request system-wide privileges, but the optional persistent storage of credentials (including plaintext) and retained run state are notable persistence/privacy concerns.

⚠ scripts/calibredb_apply.mjs:97

Shell command execution detected (child_process).

⚠ scripts/handle_completion.mjs:35

Shell command execution detected (child_process).

安全有层次，运行前请审查代码。

运行时依赖

无特殊依赖

版本

latestv1.0.42026/2/12

NULL

● 无害

安装命令

点击复制

官方npx clawhub@latest install calibre-metadata-apply

镜像加速npx clawhub@latest install calibre-metadata-apply --registry https://cn.longxiaskill.com

数据来源：ClawHub ↗ · 中文优化：龙虾技能库