Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Skool All-in-One API
v1.0.0Full read AND write access to Skool communities. Use when user asks to manage Skool members (approve, reject, list pending), read or create posts, reply to c...
⭐ 0· 60·0 current·0 all-time
by@ctala
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose — full read/write Skool management via Apify — matches the instructions that call an Apify actor. Requiring an APIFY_TOKEN is appropriate. However the skill also declares node + mcpc as required binaries while the provided curl-based examples never invoke mcpc; that mismatch is unexpected but not necessarily malicious.
Instruction Scope
SKILL.md tells the agent to run a remote Apify actor and (optionally) supply the user's Skool email+password to that actor (the actor performs Playwright login and returns cookies). That means sensitive Skool credentials (or session cookies) will be transmitted to and handled by a third‑party actor on apify.com. The instructions also direct storing and reusing cookies and do not describe access controls for those cookies.
Install Mechanism
Install spec uses npm to install @apify/mcpc which is a registry package — a normal, low-risk mechanism. The concern is procedural: SKILL.md examples use curl to call Apify API rather than mcpc, so installing mcpc may be unnecessary for the documented flows.
Credentials
The only required env var is APIFY_TOKEN, which is appropriate for running Apify actors. However the runtime requires user Skool credentials (email/password) in some flows — these are not listed as required env vars and will be transmitted in actor run payloads. APIFY_TOKEN grants the ability to start runs under your Apify account; if compromised or over‑privileged this could be abused. Declared binaries (node/mcpc) increase local surface despite the curl examples not using them.
Persistence & Privilege
always is false and the skill does not request permanent platform presence or system-wide config changes. Autonomous invocation is enabled by default but that is normal; the skill does not request elevated platform privileges.
What to consider before installing
This skill runs an external Apify actor (cristiantala~skool-all-in-one-api) to manage Skool on your behalf. Consequences to consider before installing:
- APIFY_TOKEN: This token lets the skill start actors under your Apify account. Use a dedicated, limited token and revoke it if you stop using the skill.
- Skool credentials: The documented login flow sends your Skool email/password to the remote actor (or stores cookies returned by that actor). Only provide these if you trust the actor owner and Apify; prefer giving cookies you control or avoid supplying your password when possible.
- Third‑party code: The actor runs on apify.com under someone else's account. Inspect the actor's source on Apify (if available) or contact the actor author to confirm behavior. Treat this like granting a remote service browser access to your Skool session.
- Binaries mismatch: The skill declares node + mcpc but examples use curl. You may not need to install mcpc for the curl-based flows; verify what your chosen workflow actually requires.
If you proceed, limit risk by creating a scoped APIFY token, avoid reusing your primary Skool password, and test with a non-critical Skool account or group first. If you need help verifying the actor code or alternative approaches that avoid sending passwords to a third party, ask for that review.Like a lobster shell, security has layers — review code before you run it.
latestvk978a7agjmrh8km210neex2h3183p19q
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎓 Clawdis
Binsnode, mcpc
EnvAPIFY_TOKEN
Primary envAPIFY_TOKEN
Install
Install mcpc CLI (npm)
Bins: mcpc
npm i -g @apify/mcpc