Cocreator Content Research

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: cocreator-content-research
Version: 1.0.2

The skill bundle is designed for social media intelligence gathering on TikTok and Instagram using the ScrapeCreators API. The Python scripts (competitor-research.py, keyword-search.py, and profile-lookup.py) perform legitimate GET requests to api.scrapecreators.com and process the resulting JSON data as described. No evidence of data exfiltration, credential theft, or malicious prompt injection was found. The installation step in SKILL.md uses curl | sh, a common installation method that is also a known security anti-pattern, to install the 'uv' package manager from a legitimate source (astral.sh).

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the user runs the installer, code fetched from astral.sh will execute locally to install uv.

Why it was flagged

The skill discloses a remote shell installer for uv. This is purpose-aligned with running the Python scripts through uv, but it requires trusting the remote installer source.

Skill content

"script": "curl -LsSf https://astral.sh/uv/install.sh | sh"

Recommendation

Install uv from a trusted official source, or inspect the installer before running it.

What this means

The skill can make API calls using the configured ScrapeCreators account/key, which may expose requested search terms or handles to ScrapeCreators and may consume quota.

Why it was flagged

The scripts read the ScrapeCreators API key and send it as the x-api-key header to the provider. This is expected for the declared ScrapeCreators integration.

Skill content

return os.environ.get("SCRAPE_CREATORS_API_KEY") ... headers = {"x-api-key": api_key}

Recommendation

Use a dedicated or least-privileged API key where possible, keep it in the environment rather than passing it on the command line, and monitor provider usage.