Skill v1.0.3

ClawScan security

Creativault Creator Scraper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 8:17 AM
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The skill generally matches a creator-data collection client, but it contains several mismatches between its metadata and its code, plus a concerning default (a plaintext HTTP API endpoint) that you should understand before installing.
Guidance
This skill appears to be a client for a third-party Creativault API (searching and exporting influencer data) and mostly behaves as advertised, but there are important issues to check before using it:
- The SKILL.md and scripts require CV_API_KEY, CV_USER_IDENTITY and Node.js 20.6+, but the registry metadata lists none of them. Ask the publisher why the required env vars and Node binary are not declared.
- The code defaults API_BASE to http://api.creativault.vip. That will send your API key and operator identity over plaintext HTTP by default. Either set CV_API_BASE_URL to a verified HTTPS base (for example https://api.creativault.vip, if the vendor provides it) or confirm with the publisher that the canonical endpoint uses HTTPS.
- Verify the provenance and trustworthiness of creativault.vip before supplying an API key. Confirm the expected API key scopes (collection, export, file:download) and limit the key's permissions to only what you need.
- Review privacy and legal requirements for collecting social media data (you may be handling personal data). Ensure that your use of the API complies with platform terms and local law.
- If you want to proceed: require the publisher to update the registry metadata to declare the required env vars and the required Node binary, and set CV_API_BASE_URL explicitly to an https:// endpoint. If you cannot verify the HTTPS endpoint or the publisher's identity, treat this skill as higher risk and avoid installing it or entering sensitive API keys.

Review Dimensions

Purpose & Capability
concern · Name/description, scripts, and API endpoints all align with a 'creator scraper' that talks to a Creativault Open API — requiring an API key and operator identity is coherent. However, the registry metadata declares no required environment variables or binaries, while SKILL.md and the code require CV_API_KEY, CV_USER_IDENTITY and Node.js 20.6+. That metadata omission is an inconsistency and reduces transparency.
Instruction Scope
note · Runtime instructions and scripts confine actions to calling the Creativault API, submitting tasks, polling, and exporting results. The agent is instructed to always request CV_API_KEY and CV_USER_IDENTITY and to 'ALWAYS call export_task_data.mjs' after a collection. There is no code that reads arbitrary system files or unrelated environment variables. Note: SKILL.md requires interactive prompting for the service level and instructs how to format outputs; both are within scope.
Install Mechanism
concern · There is no install spec (instruction-only style), so no files are downloaded at install time, which is low-risk. However, the package includes Node.js scripts and declares Node.js 20.6+ compatibility, while the registry does not declare Node as a required binary. Because the skill ships many .mjs files, the agent/environment must run Node to use it; this mismatch should be fixed or documented.
Credentials
concern · The code requires two environment variables (CV_API_KEY and CV_USER_IDENTITY), which is appropriate for an API client, but the registry metadata omits them. More importantly, the default API_BASE in the code is 'http://api.creativault.vip' (plain HTTP), so the API key and identity would be sent in plaintext by default. The references/docs assert that HTTPS is expected; this mismatch risks credential exposure unless CV_API_BASE_URL is explicitly set to an HTTPS endpoint.
Persistence & Privilege
ok · The skill is not marked always:true and does not request system-wide privileges or modify other skills. It requires no elevated or persistent platform privileges beyond being user-invocable and able to run Node scripts (normal for skills).