Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Keyapi Tiktok Ecommerce
v1.0.0
Comprehensive TikTok Shop market intelligence — analyze products, shops, and categories with GMV, sales trends, reviews, creator attribution, and competitive...
⭐ 0 · 33 · 0 current · 0 all-time
by @lycici
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (TikTok Shop market intelligence) match the implementation: a Node.js MCP tool runner that talks to the KeyAPI MCP server. Required binary (node) and required env (KEYAPI_TOKEN) are appropriate and expected for this client.
Instruction Scope
SKILL.md and scripts/run.js instruct the agent to run npm install and invoke scripts/run.js to call MCP tools. The runtime will read/write a .env file if the token is entered interactively and will create a .keyapi-cache directory for cached API responses; these filesystem actions are disclosed in the README. The instructions do not attempt to read unrelated system files or additional environment secrets.
Install Mechanism
There is no packaged install spec; the skill relies on npm install to fetch @modelcontextprotocol/sdk from the npm registry. This is a standard, expected mechanism (no obscure download URLs or archive extraction).
Credentials
Only KEYAPI_TOKEN (primary credential) is required, which is proportional to a service client. The code may persist the token to a .env file in the skill directory if entered interactively — this behavior is explicit in the code and docs.
Persistence & Privilege
The skill does not request elevated platform privileges (always: false). It will persist the API token to .env (if the user enters it interactively) and create a .keyapi-cache directory and output files when asked; it does not modify other skills or system-wide agent settings.
Assessment
This skill appears to be what it claims: a Node-based client for KeyAPI's MCP server. Before installing, consider: (1) npm install will fetch dependencies from the public npm registry — inspect package.json and the dependency @modelcontextprotocol/sdk if you want extra assurance; (2) the script can persist your KEYAPI_TOKEN to a .env file in the skill directory and will create a .keyapi-cache directory for responses — if you prefer not to persist credentials, set KEYAPI_TOKEN in your environment instead of entering it interactively and remove any .env after use; (3) the tool makes network calls to the default server (https://mcp.keyapi.ai) — only provide tokens you trust to be used with that service; and (4) review the included scripts/run.js if you need to verify exactly what data is sent or cached.
Patterns worth reviewing
scripts/run.js:52 — Environment variable access combined with network send.
scripts/run.js:37 — File read combined with network send (possible exfiltration).
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97e6tw4cwhxr1tqq057mgbw258446m3
Runtime requirements
🛒 Clawdis
Bins: node
Env: KEYAPI_TOKEN
Primary env: KEYAPI_TOKEN
