Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Keyapi Threads User Discovery
v1.0.0
Discover and analyze Threads users and content — retrieve user profiles, posts, reposts, replies, post details, comments, and perform keyword-based search ac...
by @lycici
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill targets the KeyAPI MCP Threads endpoints and only requires NODE and KEYAPI_TOKEN — which match the described functionality. Minor inconsistency: the CLI's default platform is 'tiktok' in run.js/help text while the SKILL.md and server path reference Threads; this appears to be a harmless default/templating oversight rather than malicious behavior.
Instruction Scope
SKILL.md instructs installing dependencies and running scripts/run.js to call KeyAPI MCP tools. The script reads a .env in the skill directory, may prompt for and persist KEYAPI_TOKEN to that .env, caches API responses in .keyapi-cache, and can write arbitrary output files via --output. Those actions are within the scope of a CLI tool for this purpose but are noteworthy because the skill will write files to the skill directory.
Install Mechanism
No install spec is embedded; the package uses a single npm dependency (@modelcontextprotocol/sdk). Installation is the normal 'npm install' flow — no external downloads, shorteners, or extraction from arbitrary URLs are used.
Credentials
Only KEYAPI_TOKEN is required (primary credential). An optional KEYAPI_SERVER_URL override exists. No unrelated secrets or broad credential access are requested.
Persistence & Privilege
The skill does persist state: it loads and can write a .env file containing KEYAPI_TOKEN and stores cached responses under .keyapi-cache. always:false (not force-installed) and it doesn't modify other skills or system-wide configs.
Assessment
This skill appears to do what it says: it calls KeyAPI's MCP endpoints for Threads and only needs your KEYAPI_TOKEN and Node. Before installing: 1) Understand that the token will be read from, and may be saved to, a .env file in the skill directory, and that API responses will be cached under .keyapi-cache. 2) The tool can write output to any path you provide (--output), so avoid writing to sensitive locations. 3) You must run npm install to fetch the @modelcontextprotocol/sdk dependency. 4) There's a minor help-text/default-platform mismatch (tiktok vs Threads) in the script; review the server URL (KEYAPI_SERVER_URL) and tool args to ensure you're targeting the intended platform. If you are uncomfortable storing the token on disk, set KEYAPI_TOKEN in the process environment when invoking the tool or use an isolated environment/container.
scripts/run.js:52
Environment variable access combined with network send.
scripts/run.js:37
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latest vk976tdnxykqkt7bvbc0xnq077h845szq
Runtime requirements
🧵 Clawdis
Bins: node
Env: KEYAPI_TOKEN
Primary env: KEYAPI_TOKEN
