Cocreator Content Research
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user runs the installer, code fetched from astral.sh will execute locally to install uv.
The skill discloses a remote shell installer for uv. This is purpose-aligned with running the Python scripts through uv, but it requires trusting the remote installer source.
"script": "curl -LsSf https://astral.sh/uv/install.sh | sh"
Install uv from a trusted official source, or inspect the installer before running it.
The skill can make API calls using the configured ScrapeCreators account/key, which may expose requested search terms or handles to ScrapeCreators and may consume quota.
The scripts read the ScrapeCreators API key and send it as the x-api-key header to the provider. This is expected for the declared ScrapeCreators integration.
return os.environ.get("SCRAPE_CREATORS_API_KEY") ... headers = {"x-api-key": api_key}Use a dedicated or least-privileged API key where possible, keep it in the environment rather than passing it on the command line, and monitor provider usage.