Skill v1.0.0

ClawScan security

Keyapi Threads User Discovery · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 3, 2026, 2:25 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is internally consistent with its stated purpose (Threads data retrieval via KeyAPI), requests only the expected KEYAPI_TOKEN and Node, and its runtime behavior is explainable and proportionate.
Guidance: This skill appears to do what it says: it calls KeyAPI's MCP endpoints for Threads and only needs your KEYAPI_TOKEN and Node. Before installing:
1) Understand that the token will be read from, and may be saved to, a .env file in the skill directory, and that API responses will be cached under .keyapi-cache.
2) The tool can write output to any path you provide (--output), so avoid writing to sensitive locations.
3) You must run npm install to fetch the @modelcontextprotocol/sdk dependency.
4) There's a minor help-text/default-platform mismatch (tiktok vs Threads) in the script; review the server URL (KEYAPI_SERVER_URL) and tool args to ensure you're targeting the intended platform.
If you are uncomfortable storing the token on disk, set KEYAPI_TOKEN in the process environment when invoking the tool or use an isolated environment/container.

Review Dimensions

Purpose & Capability
Note: The skill targets the KeyAPI MCP Threads endpoints and only requires NODE and KEYAPI_TOKEN — which match the described functionality. Minor inconsistency: the CLI's default platform is 'tiktok' in run.js/help text while the SKILL.md and server path reference Threads; this appears to be a harmless default/templating oversight rather than malicious behavior.
Instruction Scope
Note: SKILL.md instructs installing dependencies and running scripts/run.js to call KeyAPI MCP tools. The script reads a .env in the skill directory, may prompt for and persist KEYAPI_TOKEN to that .env, caches API responses in .keyapi-cache, and can write arbitrary output files via --output. Those actions are within the scope of a CLI tool for this purpose but are noteworthy because the skill will write files to the skill directory.
Install Mechanism
OK: No install spec is embedded; the package uses a single npm dependency (@modelcontextprotocol/sdk). Installation is the normal 'npm install' flow — no external downloads, shorteners, or extraction from arbitrary URLs are used.
Credentials
OK: Only KEYAPI_TOKEN is required (primary credential). An optional KEYAPI_SERVER_URL override exists. No unrelated secrets or broad credential access are requested.
Persistence & Privilege
Note: The skill does persist state: it loads and can write a .env file containing KEYAPI_TOKEN and stores cached responses under .keyapi-cache. It is always:false (not force-installed) and doesn't modify other skills or system-wide configs.