ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Apify Threads Scraper

v0.2.1

This skill should be used when the user asks to "scrape Threads posts", "get Threads data", "extract Threads content", "search Threads", "monitor Threads has...

0· 19·0 current·0 all-time
byFuturize Rush@futurizerush
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The declared purpose (scrape Meta Threads via an Apify actor) matches the SKILL.md instructions which call the Apify REST API and an actor (futurizerush/meta-threads-scraper). However the registry metadata states no required environment variables or primary credential, while the SKILL.md explicitly requires APIFY_API_TOKEN — an important mismatch that weakens trust in the packaging.
Instruction Scope
The SKILL.md instructions are focused and limited to calling Apify endpoints (starting a run, polling status, fetching dataset items). They do not instruct reading unrelated files, scanning the system, or exfiltrating data to unexpected endpoints. One problematic statement: the doc says "No login required" while also requiring an APIFY_API_TOKEN, which is contradictory and confusing for users.
Install Mechanism
There is no install spec and no code files — this is instruction-only, so nothing is written to disk by the skill bundle itself. That reduces installation risk.
!
Credentials
The runtime requires APIFY_API_TOKEN (documented in SKILL.md) which is proportionate to calling Apify. However the skill registry metadata omits this requirement (lists no required env vars/primary credential). Because an Apify token grants the ability to run actors and access datasets in the user's Apify account, the missing declaration in metadata is a meaningful omission that should be resolved before trusting the skill.
Persistence & Privilege
The skill does not request always:true and has no install-time hooks or config changes. It does not demand persistent system privileges or modify other skills' settings.
What to consider before installing
Do not provide your APIFY_API_TOKEN without verifying the skill. The SKILL.md requires APIFY_API_TOKEN to start Apify actor runs and fetch datasets; the registry metadata incorrectly lists no credentials and the description incorrectly says "No login required." Before installing: 1) Confirm the actor owner (futurizerush) and inspect the actor's code on Apify.org if possible; 2) Create a limited-scope Apify token (or rotate it afterward) rather than using a full-permission account token; 3) Test with a token that has minimal privileges and small quotas; 4) Verify what data the actor will store in datasets and whether those outputs could contain sensitive info; 5) Ask the skill author/registry maintainer to correct the metadata to declare APIFY_API_TOKEN as a required credential and to clarify the "No login required" statement. The mismatch may be an innocent packaging error, but because an Apify token can run arbitrary actors and access your account data, treat this as a security-sensitive decision.

Like a lobster shell, security has layers — review code before you run it.

ai-agentvk97629w5jwgnd5ry1sjqkd021d84nzryapifyvk97629w5jwgnd5ry1sjqkd021d84nzrylatestvk97629w5jwgnd5ry1sjqkd021d84nzrylead-generationvk97629w5jwgnd5ry1sjqkd021d84nzrymarketingvk97629w5jwgnd5ry1sjqkd021d84nzryscrapingvk97629w5jwgnd5ry1sjqkd021d84nzrysocial-mediavk97629w5jwgnd5ry1sjqkd021d84nzrythreadsvk97629w5jwgnd5ry1sjqkd021d84nzry

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments