Skill v1.0.0

ClawScan security

Keyapi Tiktok Intelligence · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (scanned Apr 3, 2026, 2:26 AM)

Verdict: Benign
Confidence: high
Model: gpt-5-mini

Summary
The skill's code, runtime instructions, and required environment variable (KEYAPI_TOKEN) are consistent with a KeyAPI MCP-based TikTok intelligence tool; nothing requests unrelated credentials or installs arbitrary third-party binaries.

Guidance
This skill appears coherent with its stated purpose. Before installing:
1) Verify you trust the KeyAPI service (mcp.keyapi.ai) and that KEYAPI_TOKEN is issued by a legitimate source; treat that token like a password.
2) Note the tool will write cached responses to a .keyapi-cache directory and may write a .env file when you enter a token interactively; review or clean these files if they contain sensitive data.
3) The code includes logic to convert/proxy certain image URLs via an EchoSell CDN host (echosell-images...), so expect some media URLs to be rewritten/proxied; confirm you're comfortable with that behavior.
4) Inspect the dependency @modelcontextprotocol/sdk (version) before npm install, and run the skill in an isolated environment if you want to limit blast radius.
If you need further assurance, request verification of the upstream repository/release (signatures or official docs) or a full content review of the complete script (the file shown is truncated).

Review Dimensions

Purpose & Capability: ok
Name/description (TikTok trend intelligence) align with required artifacts: node, KEYAPI_TOKEN, an MCP client SDK, and scripts/run.js which calls the KeyAPI MCP server. There are no unrelated credentials or binaries requested.

Instruction Scope: ok
SKILL.md instructs the agent to call the KeyAPI MCP server, inspect tool schemas, and cache responses locally. The instructions reference only the declared env var (KEYAPI_TOKEN), a local cache directory, and .env for convenience; no broad or unrelated system reads/writes are requested.

Install Mechanism: ok
There is no download-from-URL install; the package uses npm (package.json) to install a named SDK (@modelcontextprotocol/sdk). This is a standard registry-based dependency install with no opaque archive downloads.

Credentials: ok
Only KEYAPI_TOKEN (and optional KEYAPI_SERVER_URL) are required. A single API token is proportionate for a remote MCP API client. No unrelated secrets or many environment variables are requested.

Persistence & Privilege: ok
The skill persists API responses to a local cache (.keyapi-cache) and can persist the provided token to a .env file when entered interactively. It does not request 'always: true' or alter other skills' configuration.