Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Keyapi Tiktok Influencer Discovery
v1.0.0
Discover, profile, and deeply analyze TikTok influencers — from keyword-based search to multi-dimensional performance intelligence covering follower trends,...
by @lycici
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the observed behavior: the skill calls KeyAPI's MCP server, lists/inspects tools and invokes tool endpoints. Requested artifacts (node, KEYAPI_TOKEN) are appropriate and proportional.
Instruction Scope
SKILL.md instructs running npm install and node scripts/run.js to call MCP tools. The runtime reads/writes a local .env and a cache directory (.keyapi-cache) and can save outputs to files; these filesystem actions are limited to the skill directory and are consistent with the tool runner's functionality. Note: the tool will prompt for and persist KEYAPI_TOKEN to a .env file if not set, which is expected but worth knowing.
Install Mechanism
No arbitrary download/install is used. Dependencies come from npm (package.json lists @modelcontextprotocol/sdk) and the SKILL.md advises running npm install. This is a common, expected install mechanism.
Credentials
Only KEYAPI_TOKEN (primaryEnv) is required. No unrelated credentials or system secrets are requested. The code optionally accepts KEYAPI_SERVER_URL for server override — reasonable for testing/debugging.
Persistence & Privilege
always is false and the skill does not attempt to modify other skills or global agent settings. It persists the token and cache in the skill directory only, which is within its expected scope.
Assessment
This skill appears to do what it claims: it calls the KeyAPI MCP service and needs a KEYAPI_TOKEN and Node.js. Before installing: (1) be aware the runner will read/write a .env file in the skill directory and create a .keyapi-cache — if you prefer not to store the token on disk, set KEYAPI_TOKEN in your environment instead of letting the tool persist it; (2) npm install will fetch packages from the public registry — review dependencies if you have strong supply-chain concerns; (3) the tool communicates with https://mcp.keyapi.ai (and may convert image URLs served via an EchoSell CDN host) — only provide a token scoped to the minimum privileges you need and avoid reusing highly privileged tokens. If you want extra assurance, inspect scripts/run.js locally (already included) and create a KeyAPI token with restricted scope for this skill.
scripts/run.js:52
Environment variable access combined with network send.
scripts/run.js:37
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Runtime requirements (Clawdis)
Bins: node
Env: KEYAPI_TOKEN
Primary env: KEYAPI_TOKEN
