Skill v1.0.0

ClawScan security

Keyapi Tiktok Influencer Discovery · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 2, 2026, 7:37 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, dependencies, and runtime instructions are coherent with its stated purpose (calling KeyAPI's MCP for TikTok influencer analytics) and only require a single service token and Node.js.
Guidance
This skill appears to do what it claims: it calls the KeyAPI MCP service and needs a KEYAPI_TOKEN and Node.js. Before installing: (1) be aware the runner will read/write a .env file in the skill directory and create a .keyapi-cache — if you prefer not to store the token on disk, set KEYAPI_TOKEN in your environment instead of letting the tool persist it; (2) npm install will fetch packages from the public registry — review dependencies if you have strong supply-chain concerns; (3) the tool communicates with https://mcp.keyapi.ai (and may convert image URLs served via an EchoSell CDN host) — only provide a token scoped to the minimum privileges you need and avoid reusing highly privileged tokens. If you want extra assurance, inspect scripts/run.js locally (already included) and create a KeyAPI token with restricted scope for this skill.

Review Dimensions

Purpose & Capability
ok · Name/description match the observed behavior: the skill calls KeyAPI's MCP server, lists/inspects tools and invokes tool endpoints. Requested artifacts (node, KEYAPI_TOKEN) are appropriate and proportional.
Instruction Scope
note · SKILL.md instructs running npm install and node scripts/run.js to call MCP tools. The runtime reads/writes a local .env and a cache directory (.keyapi-cache) and can save outputs to files; these filesystem actions are limited to the skill directory and are consistent with the tool runner's functionality. Note: the tool will prompt for and persist KEYAPI_TOKEN to a .env file if not set, which is expected but worth knowing.
Install Mechanism
ok · No arbitrary download/install is used. Dependencies come from npm (package.json lists @modelcontextprotocol/sdk) and the SKILL.md advises running npm install. This is a common, expected install mechanism.
Credentials
ok · Only KEYAPI_TOKEN (primaryEnv) is required. No unrelated credentials or system secrets are requested. The code optionally accepts KEYAPI_SERVER_URL for server override — reasonable for testing/debugging.
Persistence & Privilege
ok · The always flag is false and the skill does not attempt to modify other skills or global agent settings. It persists the token and cache in the skill directory only, which is within its expected scope.