ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cocreator Content Research

v1.0.2

Pure intelligence gathering for social media platforms (TikTok & Instagram). Use when an agent needs to discover trending hooks, analyze a competitor's strat...

0· 466·1 current·1 all-time
byMiracle Ayodele@iammiracle
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, required env var (SCRAPE_CREATORS_API_KEY), and the three Python scripts all point to social-media research via the ScrapeCreators API; network calls target api.scrapecreators.com endpoints as expected.
Instruction Scope
SKILL.md instructs the agent to run the included scripts (keyword search, competitor research, profile lookup) and to brainstorm queries; it does not instruct reading unrelated local files or exfiltrating environment data beyond the declared API key.
!
Install Mechanism
The SKILL.md includes an install step that runs a remote shell script (curl -LsSf https://astral.sh/uv/install.sh | sh). Piping an external script to sh is a high-risk install pattern. Also, requiring 'uv' to run simple Python scripts appears disproportionate and unnecessary, increasing attack surface.
Credentials
Only one credential is required (SCRAPE_CREATORS_API_KEY) and it is used consistently by the scripts to authenticate to ScrapeCreators. No unrelated secrets or system credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide configuration changes. It only runs network calls and the provided scripts; the only persistence risk is the optional installer which executes a remote script.
Scan Findings in Context
[remote-install-curl-pipe-sh] unexpected: SKILL.md contains an install entry that pipes a remote script from https://astral.sh into sh. Installing a runner via curl | sh is not required to call the ScrapeCreators API and is a higher-risk action.
What to consider before installing
The skill mostly does what it says: three Python scripts call the ScrapeCreators API using SCRAPE_CREATORS_API_KEY. Before installing or running it, verify you trust the ScrapeCreators service and the skill author. Specifically: (1) avoid running the suggested curl | sh installer unless you trust https://astral.sh — prefer installing 'uv' from a vetted package source or invoke the Python scripts directly; (2) limit the SCRAPE_CREATORS_API_KEY scope and rotate it after testing; (3) run the skill in a sandbox or isolated environment first to observe network traffic and behavior; (4) confirm any costs or rate limits for the ScrapeCreators API and ensure handling of any scraped PII complies with your policies. If you want a lower-risk option, run the included Python scripts directly with Python (they already use requests) and do not execute the remote installer.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔍 Clawdis
Binsuv
EnvSCRAPE_CREATORS_API_KEY
Primary envSCRAPE_CREATORS_API_KEY
latestvk970h60nqxr6bpgamgkw699wx582jsn8
466downloads
0stars
3versions
Updated 23h ago
v1.0.2
MIT-0
Miracle Ayodele@iammiracle
latest
Download

Content Research Skill

This skill provides agents with the ability to gather raw intelligence on social media performance (TikTok and Instagram) using the ScrapeCreators API. It does not generate content or interact with posting APIs.

Prerequisites

  • uv installed
  • SCRAPE_CREATORS_API_KEY set in the environment

Capabilities

1. Broad Content Discovery (Keywords & Hashtags)

Use this to find top-performing content. Agent Instructions for Keyword Search:

  • DO NOT use the same hardcoded keyword (like "affirmations") every time.
  • ALWAYS brainstorm 3-5 diverse keywords based on the user's app (e.g., if it's an affirmation app, try searching "mindset shift", "daily routine", "self healing", "morning motivation").
  • Use time frames (--date-posted) to find recent trends, and test different sorting methods.
  • Use the --format filter (video, slideshow, or both) if the user specifically requests only one type of content.
  • CRITICAL: The script returns an is_slideshow boolean and a video_url. Use this to distinguish between video trends and slideshow trends.
uv run {baseDir}/scripts/keyword-search.py --platform tiktok --type keyword --query "morning routine" --date-posted this-month --sort-by most-liked --format slideshow
uv run {baseDir}/scripts/keyword-search.py --platform instagram --type keyword --query "morning routine" --format video

2. Competitor Hook Research

Use this to analyze specific competitor handles. Agent Instructions for Competitor Research:

  • ALWAYS ask the user if they have specific competitors or creator profiles they want you to check before you assume.
  • If they don't know, brainstorm potential top creators in their niche using the keyword search first, extract their handles, and then run competitor research on them.
uv run {baseDir}/scripts/competitor-research.py --platform tiktok --handles user1 user2 user3
uv run {baseDir}/scripts/competitor-research.py --platform instagram --handles user1 user2

3. Profile Lookup

Use this to get raw metric data (followers, following, bio) for a specific creator.

uv run {baseDir}/scripts/profile-lookup.py --platform tiktok --handle <handle>
uv run {baseDir}/scripts/profile-lookup.py --platform instagram --handle <handle>

Comments

Loading comments...