Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Keyapi Instagram User Analysis

v1.0.0

Discover, profile, and deeply analyze Instagram users — explore follower and following networks, posts, Reels, Stories, Highlights, tagged content, reposts,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name, description, and runtime pieces line up: the skill calls a KeyAPI MCP server to fetch Instagram user data and only requires node and a KEYAPI_TOKEN. The package.json dependency (@modelcontextprotocol/sdk) is appropriate for an MCP client.
Instruction Scope
SKILL.md instructs the agent to call MCP endpoints, inspect schemas, and cache results; the bundled scripts implement those behaviors. The instructions do not ask for unrelated system data. Note: the runner may prompt for KEYAPI_TOKEN and will persist it to a local .env file if entered interactively; it also writes cache files under .keyapi-cache and can write arbitrary output paths specified by the user.
Install Mechanism
This is an instruction-only skill with a small node script and a normal npm dependency. There is no remote binary download or opaque installer. Installing requires running npm install (standard) which will pull the declared npm dependency.
Credentials
Only KEYAPI_TOKEN (and an optional KEYAPI_SERVER_URL override) are required. That is proportionate for a service that authenticates to a third-party API. Be aware the script can persist the token in plaintext to a .env file in the skill directory.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It will create a .keyapi-cache directory for API responses and may write a .env file containing the token if you enter it interactively. These are local, expected side effects but you should review or clean those files if you don't want persisted tokens or cached data.
Assessment
This skill appears to do what it claims: it calls KeyAPI's MCP server to retrieve Instagram data. Before installing:
(1) Confirm you trust keyapi.ai (the code will use your KEYAPI_TOKEN to authenticate and can write it in plaintext to ./.env).
(2) Audit the dependency @modelcontextprotocol/sdk (npm install will fetch it).
(3) Be aware the runner creates a .keyapi-cache directory and can save output files; clear them if they contain sensitive data.
(4) Do not set KEYAPI_SERVER_URL to an untrusted host (that would redirect calls and could exfiltrate data).
(5) If you prefer not to persist your token, set KEYAPI_TOKEN in your environment and avoid entering it interactively so the script won't write it to .env.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

- scripts/run.js:52 — Environment variable access combined with network send.
- scripts/run.js:37 — File read combined with network send (possible exfiltration).


latest · vk973d40k3keb2gk5yf89aswkjx8432rf


Runtime requirements

Clawdis
Bins: node
Env: KEYAPI_TOKEN
Primary env: KEYAPI_TOKEN
