Skill v1.0.0
ClawScan security
Keyapi Tiktok Ecommerce · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Apr 3, 2026, 2:26 AM)
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and requested environment variable (KEYAPI_TOKEN) are consistent with a KeyAPI client for TikTok Shop analytics; nothing requested appears unrelated to the stated purpose.
- Guidance: This skill appears to be what it claims: a Node-based client for KeyAPI's MCP server. Before installing, consider:
  - (1) npm install will fetch dependencies from the public npm registry; inspect package.json and the dependency @modelcontextprotocol/sdk if you want extra assurance.
  - (2) The script can persist your KEYAPI_TOKEN to a .env file in the skill directory and will create a .keyapi-cache directory for responses. If you prefer not to persist credentials, set KEYAPI_TOKEN in your environment instead of entering it interactively, and remove any .env after use.
  - (3) The tool makes network calls to the default server (https://mcp.keyapi.ai); only provide tokens you trust to be used with that service.
  - (4) Review the included scripts/run.js if you need to verify exactly what data is sent or cached.
Review Dimensions
- Purpose & Capability (ok): Name/description (TikTok Shop market intelligence) match the implementation: a Node.js MCP tool runner that talks to the KeyAPI MCP server. Required binary (node) and required env (KEYAPI_TOKEN) are appropriate and expected for this client.
- Instruction Scope (note): SKILL.md and scripts/run.js instruct the agent to run npm install and invoke scripts/run.js to call MCP tools. The runtime will read/write a .env file if the token is entered interactively and will create a .keyapi-cache directory for cached API responses; these filesystem actions are disclosed in the README. The instructions do not attempt to read unrelated system files or additional environment secrets.
- Install Mechanism (ok): There is no packaged install spec; the skill relies on npm install to fetch @modelcontextprotocol/sdk from the npm registry. This is a standard, expected mechanism (no obscure download URLs or archive extraction).
- Credentials (ok): Only KEYAPI_TOKEN (primary credential) is required, which is proportional to a service client. The code may persist the token to a .env file in the skill directory if entered interactively; this behavior is explicit in the code and docs.
- Persistence & Privilege (note): The skill does not request elevated platform privileges and is declared always: false. It will persist the API token to .env (if the user enters it interactively) and create a .keyapi-cache directory and output files when asked; it does not modify other skills or system-wide agent settings.
