Skill v0.1.3

ClawScan security

Scrapping · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 5, 2026, 4:19 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is an instruction-only wrapper for the ScrapeCreators REST scraping API and its declared requirements (curl, jq, SCRAPECREATORS_API_KEY) match the documented usage.
Guidance
This skill appears coherent, but consider these practical points before installing:
1) The skill will make network calls to scrapecreators.com — only install if you trust that third party.
2) Keep your SCRAPECREATORS_API_KEY secret (store it in environment variables, do not paste into chats or version control).
3) Be aware of credit costs and pagination behaviour (each page/request may consume credits).
4) Scraping public data can still run afoul of platform terms of service or legal/regulatory rules — ensure your use case complies with platform policies and privacy laws.
5) If you do not want the agent to call this skill autonomously, restrict its invocation in your agent settings.

Review Dimensions

Purpose & Capability
ok: The name/description say 'scrape public social media data' and the SKILL.md exclusively documents calling https://api.scrapecreators.com endpoints. The single required env var (SCRAPECREATORS_API_KEY) and required binaries (curl and jq) are appropriate and expected for that purpose.
Instruction Scope
ok: Runtime instructions show simple curl GET requests to the ScrapeCreators API with an x-api-key header and use of --data-urlencode and jq. The SKILL.md does not instruct reading unrelated local files, other credentials, or sending data to external endpoints outside scrapecreators.com.
Install Mechanism
ok: There is no install spec and no code files — this is instruction-only, so nothing is downloaded or written to disk by the skill itself (lowest install risk).
Credentials
ok: Only one credential (SCRAPECREATORS_API_KEY) is required and it is used directly as the x-api-key for the documented API calls. No unrelated secrets or config paths are requested.
Persistence & Privilege
ok: always:false and user-invocable:true (default). The skill does not request permanent system presence or to modify other skills' configs. Autonomous invocation is allowed by platform default but that is not unusual here.