Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Keyapi Instagram Content Discovery
v1.0.0
Explore and discover Instagram content at scale — search posts, Reels, hashtags, music, locations, and Explore sections to surface trends, audience signals,...
by @lycici
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description describe Instagram content discovery and the skill requires a KEYAPI_TOKEN and Node.js and calls KeyAPI's MCP server — these requirements are appropriate and proportionate to the stated functionality.
Instruction Scope
SKILL.md instructs the agent to call the KeyAPI MCP server using the KEYAPI_TOKEN and to run the provided script. The script reads/writes a local .env and creates a .keyapi-cache directory to store API responses; while this is within the skill's domain, users should be aware that responses (including fetched content) and tokens may be saved to disk.
Install Mechanism
No external download/install spec; dependency installation is via npm (declared dependency @modelcontextprotocol/sdk). Requiring npm install and Node 18+ is expected for a Node-based tool.
Credentials
Only KEYAPI_TOKEN is required (declared as primaryEnv), which aligns with calling KeyAPI. The script can prompt for and persist the token into a .env file in the skill directory — this persistence is convenient but worth noting before installing.
Persistence & Privilege
always:false (no forced inclusion). The skill writes/reads a .env file and caches API responses under .keyapi-cache in the skill directory; it does not request system-wide credentials or modify other skills. Persisted files could contain fetched content and the token.
Scan Findings in Context
[no_findings] expected: The static scan reported no regex-based findings. Manual review of package.json, SKILL.md, and scripts/run.js shows expected network calls to the declared MCP server and local caching/token persistence behavior.
Assessment
This skill appears to do what it says: it calls KeyAPI's MCP to retrieve Instagram content and requires only a KEYAPI_TOKEN and Node.js. Before installing:
1) Confirm you trust keyapi.ai (the script sends your KEYAPI_TOKEN to that MCP server).
2) Be aware the script will read/write a .env file in the skill directory (it can prompt to save your token) and will create a .keyapi-cache folder that can store API responses (which may include scraped content).
3) npm will install the declared dependency (@modelcontextprotocol/sdk); inspect that package if you need to.
4) If you plan to reuse the same token for other services, consider using a scoped token or separate account.
If any of these behaviors are unacceptable (automatic token persistence or local caching), review/modify scripts/run.js before use or run it in an isolated environment.
scripts/run.js:52
Environment variable access combined with network send.
scripts/run.js:37
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latest vk9723z8dxab3v784eeyg6x73qs842jha
Runtime requirements
🔎 Clawdis
Bins: node
Env: KEYAPI_TOKEN
Primary env: KEYAPI_TOKEN
