Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Keyapi Tiktok Intelligence
v1.0.0
Real-time TikTok trend intelligence — monitor trending hashtags, viral music, breakout videos, top-performing ads, and high-growth products to identify emerg...
⭐ 0 · 32 · 0 current · 0 all-time
by @lycici
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (TikTok trend intelligence) align with required artifacts: node, KEYAPI_TOKEN, an MCP client SDK, and scripts/run.js which calls the KeyAPI MCP server. There are no unrelated credentials or binaries requested.
Instruction Scope
SKILL.md instructs the agent to call the KeyAPI MCP server, inspect tool schemas, and cache responses locally. The instructions reference only the declared env var (KEYAPI_TOKEN), a local cache directory, and .env for convenience — no broad or unrelated system reads/writes are requested.
Install Mechanism
There is no download-from-URL install; the package uses npm (package.json) to install a named SDK (@modelcontextprotocol/sdk). This is a standard registry-based dependency install with no opaque archive downloads.
Credentials
Only KEYAPI_TOKEN (and optional KEYAPI_SERVER_URL) are required. That single API token is proportional to a remote MCP API client. No unrelated secrets or many environment variables are requested.
Persistence & Privilege
The skill persists API responses to a local cache (.keyapi-cache) and can persist the provided token to a .env file when entered interactively. It does not request 'always: true' or alter other skills' configuration.
Assessment
This skill appears coherent with its stated purpose. Before installing:
1) Verify you trust the KeyAPI service (mcp.keyapi.ai) and that KEYAPI_TOKEN is issued by a legitimate source; treat that token like a password.
2) Note the tool will write cached responses to a .keyapi-cache directory and may write a .env file when you enter a token interactively — review or clean these files if they contain sensitive data.
3) The code includes logic to convert/proxy certain image URLs via an EchoSell CDN host (echosell-images...), so expect some media URLs to be rewritten/proxied; confirm you’re comfortable with that behavior.
4) Inspect the dependency @modelcontextprotocol/sdk (version) before npm install, and run the skill in an isolated environment if you want to limit blast radius.
If you need further assurance, request verification of the upstream repository/release (signatures or official docs) or a full content review of the complete script (the file shown is truncated).
scripts/run.js:52
Environment variable access combined with network send.
scripts/run.js:37
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latest vk97f6x6gxcj40gxmqpkqm89mq9845s49
Runtime requirements
📈 Clawdis
Bins: node
Env: KEYAPI_TOKEN
Primary env: KEYAPI_TOKEN
