Skill v1.0.0
ClawScan security
Data Intelligence · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 8, 2026, 3:32 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's functionality (Apify + PinchTab data collection and analysis) is coherent, but the package metadata omits that it requires an Apify token, and the runtime docs/shell scripts instruct downloading and executing external installers (curl | bash): an inconsistency and an install risk that you should review before installing.
- Guidance: This skill appears to do what it says (Apify scraping + PinchTab automation + analysis templates), but there are two practical risks you should address before installing:
  - Credentials: The scripts and SKILL.md require an APIFY_TOKEN (read from .env or the environment), but the registry metadata does not declare this. Treat the token as sensitive: prefer a least-privilege or ephemeral token and do not reuse a high-privilege key.
  - Installer commands: The README suggests running `curl https://pinchtab.com/install.sh | bash` and global npm installs. Download-and-execute flows should be inspected manually: review the install script contents on pinchtab.com, verify the domain is legitimate, and consider installing via a package manager or by inspecting the code first.
  - Operational hygiene: Review the shell scripts (they are simple) and any referenced but missing artifacts (e.g., analyze-competitor.js is referenced but not included). Run the tools in an isolated environment (container or VM) if you plan to test. Ensure your scraping use complies with the target platforms' terms of service and applicable laws.
  If you want to proceed safely, ask the publisher to update the registry metadata to declare APIFY_TOKEN as a required credential, provide provenance for PinchTab (release URL or checksum), and include any missing helper scripts referenced by the README.
Review Dimensions
- Purpose & Capability (note): The name/description (Apify + PinchTab + content analysis) align with the included scripts and templates: the shell scripts call Apify actors and the docs reference PinchTab. The functionality requested by the SKILL.md matches the declared purpose.
- Instruction Scope (concern): Runtime instructions and included scripts instruct the agent/user to read a .env file and export APIFY_TOKEN, run mcpc against mcp.apify.com, invoke pinchtab commands, run npm global installs and curl|bash installers, and write output to local files. These actions are within the skill's stated purpose but involve network calls, local file creation, and executing downloaded installers, all of which expand the runtime scope and require explicit user review.
- Install Mechanism (concern): There is no formal install spec in the registry (instruction-only), but the README and SKILL.md recommend `npm install -g @apify/mcpc` and executing `curl -fsSL https://pinchtab.com/install.sh | bash`. Download-and-execute from an external domain and global npm installs are higher-risk operations and should be verified before running.
- Credentials (concern): Registry metadata lists no required environment variables, yet the SKILL.md and both scripts explicitly require an APIFY_TOKEN (read from .env or the environment). This mismatch is concerning: a credential is necessary for operation but not declared. No unrelated secrets are requested, but the omission reduces transparency about credential use.
- Persistence & Privilege (ok): The skill does not request always:true, does not claim to modify other skills, and only writes data to local files/directories it creates. Autonomous invocation is allowed (platform default) but is not combined with other excessive privileges.
