Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Apify TikTok Comment Scraper
v0.1.0
This skill should be used when the user asks to "scrape TikTok comments", "get TikTok post comments", "extract comments from a TikTok video", "get TikTok rep...
by Futurize Rush (@futurizerush)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description (TikTok comment scraping) match the SKILL.md content which documents calling an Apify actor (futurizerush/tiktok-comment-scraper). Requiring an Apify API token is consistent with calling Apify actors, so the capability aligns with the purpose. However, the registry metadata does not declare the APIFY_API_TOKEN requirement, which is an incoherence.
Instruction Scope
SKILL.md gives concrete, narrow instructions: start an Apify actor run, poll its status, and fetch dataset items from Apify. The instructions do not ask to read arbitrary local files or other credentials. Minor contradiction: the doc header says "No login required" (likely referring to TikTok), but the Prerequisites section explicitly requires APIFY_API_TOKEN — this should be clarified.
Install Mechanism
This is instruction-only with no install spec and no code files, so nothing is written to disk and no external packages are installed by the skill itself.
Credentials
The instructions require the APIFY_API_TOKEN (sensitive credential) to call Apify, which is reasonable for this integration. The problem is that the skill's declared requirements list does not include this env var — the manifest claims "Required env vars: none" but the runtime docs and examples rely on APIFY_API_TOKEN. That mismatch is a concrete coherence issue and a potential user-surprise / privilege concern.
Persistence & Privilege
The skill is not marked always:true and is user-invocable only. It does not request persistent system privileges or modify other skills. Autonomous invocation is allowed by platform default, which is expected — no additional persistence privileges are requested.
What to consider before installing
This skill appears to be what it says (it uses an Apify actor to scrape TikTok comments), but the SKILL.md requires an APIFY_API_TOKEN while the registry metadata incorrectly lists no required env vars. Before installing: (1) be prepared to provide an APIFY_API_TOKEN; (2) verify the Apify actor owner and review the actor's page and terms (futurizerush/futurizerush~tiktok-comment-scraper) to understand data retention, billing, and what exactly is scraped; (3) consider using a token scoped/limited to your needs and avoid providing other credentials; (4) test with non-sensitive public videos first; and (5) confirm legal/privacy implications of scraping TikTok content in your jurisdiction. The main issue here is metadata inaccuracy (missing credential declaration) rather than obviously malicious behavior.
Like a lobster shell, security has layers — review code before you run it.
ai-agent · apify · comments · engagement · latest · marketing · scraping · social-media · tiktok
