Skill v1.0.3

ClawScan security

Twitter/X scraper with Apify actors · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 28, 2026, 6:52 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requested environment variable are consistent with its stated purpose (running Apify actors to collect Twitter/X followers and optionally enrich emails), but you should review the third‑party Apify actor IDs and be mindful of privacy, costs, and the sensitivity of your APIFY_TOKEN before use.
Guidance
This skill appears coherent and does what it says: it uses your APIFY_TOKEN to call Apify and run follower/email actors, returning normalized rows. Before installing or running it:
1) Treat APIFY_TOKEN as sensitive—use a token scoped/minimized for this purpose or a throwaway/test token for initial tests;
2) Review the default actor IDs (bIYXeMcKISYGnHhBG and mSaHt2tt3Z7Fcwf0o) on Apify—those are third‑party actors and will run their code on Apify's platform when you invoke them; if you don't control those actors, inspect their source/behavior or replace them with actors you trust;
3) Test with small limits and with --include-emails disabled to verify behavior and cost;
4) Consider legal and privacy constraints (scraping/processing personal data and email enrichment may violate service terms or laws in some jurisdictions);
5) Note minor repo issues (duplicated frontmatter keys in SKILL.md and a small potential code bug around dt.UTC that could raise an exception) — these are not security red flags, but you may want to run a quick smoke test locally.
If you need to proceed but are unsure about the third‑party actors, ask the skill publisher for the actor source or use your own Apify actors instead.

Review Dimensions

Purpose & Capability
ok: Name/description match what the files request and do: the skill runs Apify follower/email actors, accepts an APIFY_TOKEN, and includes a Python CLI that calls api.apify.com. The default actor IDs are documented and configurable. Nothing in the repo asks for unrelated cloud credentials or unrelated binaries.
Instruction Scope
note: SKILL.md and the script only instruct calling Apify endpoints and running the included Python CLI. The script posts payloads to https://api.apify.com/v2/acts and returns normalized JSON. This is in-scope for the stated purpose. Important note: running the skill executes remote Apify actors (third‑party code identified by actor IDs); those actors run on Apify and can process or forward collected data—review those actors on Apify if you don't control them.
Install Mechanism
ok: No install spec; it's instruction-only plus a small Python script and a single dependency (requests). That is proportionate and low-risk from an install perspective.
Credentials
note: Only APIFY_TOKEN is required, which is appropriate. However, APIFY_TOKEN is a sensitive credential granting access to your Apify account (start runs, access datasets, potentially incur costs). Ensure you understand the token's privileges and avoid using a token with broader permissions than necessary.
Persistence & Privilege
ok: Skill does not request permanent presence or special agent-wide privileges (always:false). It does not modify other skills or system settings and has no config path requirements.