ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Apify HN Scraper

v1.0.0

Scrape Hacker News stories, comments, and discussions. Use when user asks to search HN, find Hacker News posts, monitor tech discussions, or extract HN data....

0· 264·1 current·1 all-time
byMarcin Dudek@marcindudekdev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (scraping Hacker News via an Apify Actor) match the required items: APIFY_TOKEN, curl, and jq. Nothing requested appears unrelated to scraping HN through Apify.
Instruction Scope
SKILL.md contains only Apify API calls and result handling, and prompts the user for scraping parameters — scope is appropriate. However, the provided curl examples include the token as a query parameter in the URL (token=$APIFY_TOKEN), which can expose the secret in process listings, logs, or shell history; recommend using an Authorization header (Bearer) or other safer approaches.
Install Mechanism
Instruction-only skill with no install spec and no code files — low risk from installation. It relies on curl/jq being present on PATH, which is reasonable.
Credentials
Only APIFY_TOKEN is required (declared as primaryEnv) which is proportionate to calling Apify. Reminder: APIFY_TOKEN is sensitive — the skill's examples risk exposing it if run as-is.
Persistence & Privilege
always:false and default invocation settings — the skill does not request permanent/system-wide presence or elevated privileges.
Assessment
This skill appears to do what it says: call a specific Apify Actor to scrape Hacker News and return results. Before installing or running it: 1) Verify the actor ID (0UDODOnpTkxY3Oc90) and its publisher on Apify so you trust the code being executed. 2) Treat APIFY_TOKEN as a secret — avoid putting it in commands that include the token in the URL (those can appear in process lists or logs). Instead use an Authorization header (e.g., -H "Authorization: Bearer $APIFY_TOKEN") or other secure call patterns. 3) Run commands only in a trusted environment (not on shared shells) and avoid copying token-bearing commands into shell history; rotate the token if you suspect exposure. 4) Limit the token's permissions if possible and review returned data before sharing. If you want, I can rewrite the SKILL.md curl examples to avoid exposing the token and add safer polling/error-handling snippets.

Like a lobster shell, security has layers — review code before you run it.

apifyvk97133m2t75ktwhkp853h7fz2s82f95vhackernewsvk97133m2t75ktwhkp853h7fz2s82f95vlatestvk97133m2t75ktwhkp853h7fz2s82f95vscrapingvk97133m2t75ktwhkp853h7fz2s82f95vtechvk97133m2t75ktwhkp853h7fz2s82f95vycombinatorvk97133m2t75ktwhkp853h7fz2s82f95v

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🟧 Clawdis
Binscurl, jq
EnvAPIFY_TOKEN
Primary envAPIFY_TOKEN

Comments