Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Keyapi Facebook Analysis

v1.0.0

Explore and analyze public Facebook data — profile details, posts, photos, Reels, group activity, group events, and identifier resolution for profiles and gr...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill is a Node-based tool that calls KeyAPI's MCP to fetch public Facebook data. Requiring node and KEYAPI_TOKEN matches the described functionality.
Instruction Scope
SKILL.md and scripts/run.js stick to calling the KeyAPI MCP server and local caching. Be aware the runtime will load a .env in the skill directory (if present) and can prompt to save your KEYAPI_TOKEN into a local .env file. It also writes cache files and any --output path you provide.
Install Mechanism
There is no bundled installer; the README instructs running npm install to fetch @modelcontextprotocol/sdk. This is a standard npm dependency (moderate trust surface). No downloads from arbitrary URLs or archive extraction were observed.
Credentials
Only one credential is requested (KEYAPI_TOKEN) and it is the declared primaryEnv, which fits the skill. Caution: the tool can persist the token to a .env file in the skill directory and will transmit it to the configured MCP server (default https://mcp.keyapi.ai).
Persistence & Privilege
The skill does persist state to the skill directory (.env and .keyapi-cache) and can write an output file if requested. It does not request always:true or system-wide privileges and does not modify other skills' configs.
Assessment
This skill appears to do what it says: it calls KeyAPI's MCP to fetch public Facebook data and needs a KEYAPI_TOKEN. Before installing: (1) Verify you trust keyapi.ai and the skill author/repository; (2) be aware the script will load and may create a .env file in the skill directory (which will store your token in plaintext) and will write cache files (.keyapi-cache) and any output paths you specify; (3) run npm install to fetch the @modelcontextprotocol/sdk dependency from npm (review before running); (4) consider using a scoped or disposable API token if you have concerns about token exposure; (5) review the full scripts/run.js if you want reassurance it only communicates with the declared MCP server and does not add unexpected network endpoints.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

scripts/run.js:52: Environment variable access combined with network send.
scripts/run.js:37: File read combined with network send (possible exfiltration).


latest: vk973582qx0sz4c8e5p4f7j04n58422z4

Runtime requirements

Clawdis
Bins: node
Env: KEYAPI_TOKEN
Primary env: KEYAPI_TOKEN
