Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Keyapi Tiktok Content Analysis

v1.0.0

Analyze TikTok content at scale — extract insights from videos, hashtags, music tracks, and live streams including engagement trends, comment sentiment, capt...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (TikTok content analysis via KeyAPI MCP) match the required binary (node), the required env var (KEYAPI_TOKEN), the documented MCP server (mcp.keyapi.ai), and the provided runner script which calls MCP tools. No unrelated credentials or unusual binaries are requested.
Instruction Scope
SKILL.md instructs running scripts/run.js and npm install; the script loads a .env file, can prompt for and persist KEYAPI_TOKEN to a .env in the skill directory, writes cache files (.keyapi-cache) and can save output files. It defaults to contacting https://mcp.keyapi.ai and allows overriding via KEYAPI_SERVER_URL (documented in SKILL.md). These behaviors are expected for an API client but the persistence of the token and local caching are noteworthy.
Install Mechanism
There is no automatic install spec (instruction-only install). The package.json depends on @modelcontextprotocol/sdk (npm). The user must run npm install manually. This is a common, low-to-moderate-risk pattern; no arbitrary remote archive downloads or exotic installers are present.
Credentials
Only KEYAPI_TOKEN is required (declared as primaryEnv). The script also recognizes an optional KEYAPI_SERVER_URL (documented) but this optional env var is not listed as required in the registry metadata — not a red flag, just an omission. The runner will persist a provided token to a local .env file in the skill directory, so sensitive tokens will be stored on disk in plaintext unless the user avoids the interactive prompt and sets the env in a different place.
Persistence & Privilege
The skill is not force-included (always: false). It does not request elevated system-wide privileges or modify other skills. It will create local files (a .env file if prompted, a .keyapi-cache directory, and any output files the user requests) in the skill directory — normal behavior for a CLI tool but worth noting.
Assessment
This skill appears to do what it says: a Node-based client for KeyAPI's MCP. Before installing:
1) Verify you trust keyapi.ai and the npm dependency @modelcontextprotocol/sdk.
2) Prefer setting KEYAPI_TOKEN in your environment rather than using the interactive prompt, since the runner will save a plaintext .env file in the skill directory if you enter the token interactively.
3) Be aware the tool will create a .keyapi-cache and may write output files in the skill folder; review those files for sensitive data before sharing.
4) If you need to restrict network targets, note the default server is https://mcp.keyapi.ai but can be overridden with KEYAPI_SERVER_URL.
If any of these behaviors are unacceptable, inspect the scripts locally before running or avoid persisting tokens to disk.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/run.js:52: Environment variable access combined with network send.
scripts/run.js:37: File read combined with network send (possible exfiltration).


latest: vk97f65k5cpftz7j07ydtqchwhn844ydj


Runtime requirements

Clawdis
Bins: node
Env: KEYAPI_TOKEN
Primary env: KEYAPI_TOKEN
