Skill v1.0.0

ClawScan security

Apify Bluesky Scraper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 7, 2026, 8:46 AM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requests and runtime instructions match its stated purpose (running an Apify actor to scrape Bluesky) and the single required secret (APIFY_TOKEN) is appropriate for that purpose.
Guidance
This skill appears internally consistent, but before installing consider: (1) APIFY_TOKEN grants operations on your Apify account—use a least-privilege or expendable token if possible and rotate it after testing; (2) the actor runs on Apify infrastructure and can execute arbitrary scraping code—verify the actor ID/owner and review the actor's source or documentation on apify.com to confirm trustworthiness; (3) datasets produced by the actor may be stored on Apify and could be visible depending on actor settings—check privacy/billing implications; (4) test with a small maxResults and a throwaway account/token first. If you cannot confirm the actor's provenance, treat the token as sensitive and avoid giving production-scoped credentials.

Review Dimensions

Purpose & Capability: ok
Name/description match the instructions: the SKILL.md calls the Apify REST API to run a specific Apify Actor ID (WAJfBnZBYR9mJrk5d). Required binaries (curl, jq) and APIFY_TOKEN are exactly what you would expect to call Apify's API and parse JSON results.
Instruction Scope: ok
Instructions are narrowly scoped: they show how to prompt for search parameters, POST to Apify endpoints (sync or async), poll run status, fetch dataset items, and summarize results. They do not instruct reading unrelated files, scanning local system state, or sending data to third-party endpoints outside api.apify.com.
Install Mechanism: ok
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by the skill itself.
Credentials: ok
Only APIFY_TOKEN is required and declared as the primary credential. That is proportional: Apify API requests require an API token. No other secrets or unrelated env vars are requested.
Persistence & Privilege: ok
The skill is user-invocable, not always-enabled, and does not request persistent system privileges or modify other skills. Autonomous invocation is allowed (platform default) but is not combined with other high-risk properties.