Apify Substack Scraper
v1.0.0
Scrape Substack newsletters and articles. Use when user asks to search Substack, find newsletter posts, extract Substack content, or monitor Substack publica...
⭐ 0· 210·1 current·1 all-time
by Marcin Dudek (@marcindudekdev)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description require scraping Substack via Apify and the skill declares APIFY_TOKEN plus curl and jq. Those requirements logically match the described behavior (invoking an Apify actor via REST).
Instruction Scope
Instructions are narrowly focused on calling Apify REST endpoints and presenting dataset items. They do not ask the agent to read local files or other credentials. Two operational notes: (1) examples place the APIFY_TOKEN in the query string which can expose the token in shell history, process lists, and logs — using an Authorization header would be preferable; (2) the instructions do not validate or restrict user-supplied URLs (they accept arbitrary URLs), so users could accidentally ask the actor to fetch non-Substack or internal endpoints — this is a behavioral/usage risk rather than an incoherence.
Install Mechanism
Instruction-only skill with no install spec or external downloads. This is the lowest-risk install model and matches the declared metadata.
Credentials
Only APIFY_TOKEN is required and it is declared as the primary credential; that is proportionate given the skill invokes Apify's API. As noted above, embedding the token in the URL is less safe than using an Authorization header and you should ensure the token has limited scope and is rotated if compromised.
Persistence & Privilege
always is false and the skill does not request persistent or elevated privileges, nor does it modify other skills or system config. Autonomous invocation is permitted (platform default) but not combined with other concerning privileges.
Assessment
This skill appears coherent for invoking an Apify actor to scrape Substack, but consider the following before installing: 1) APIFY_TOKEN is required—treat it like a secret, ensure it has minimal permissions, and rotate if you suspect exposure. 2) The examples put the token in the URL query string which can leak to shell history or logs; prefer sending the token in an Authorization header if you run similar commands locally. 3) The skill will submit user-provided URLs to a third-party actor (actor ID shown). Verify you trust the actor/owner on Apify or inspect the actor's source on Apify before sending sensitive or internal URLs. 4) Be mindful of legal/terms-of-service and privacy considerations when scraping content. If you want stronger guarantees, ask the skill author for an option to use Authorization headers and to restrict/validate input URLs to Substack domains.
apify, latest, newsletter, scraping, substack
Runtime requirements
📰 Clawdis
Bins: curl, jq
Env: APIFY_TOKEN
Primary env: APIFY_TOKEN
