Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
KOLens TikTok KOL Search
v1.0.1
Search and analyze TikTok KOL (Key Opinion Leaders) using the KOLens API. Use when: (1) User asks to search KOL/influencers for a specific keyword/niche. (2)...
by Patronum @maweis1981
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description and runtime instructions are coherent: the SKILL.md describes submitting scrape jobs, polling results, and querying KOL profiles/contact info via a KOLens API, which is exactly what a TikTok KOL search tool would do.
Instruction Scope
Instructions stay within the stated purpose (submit scrape job, poll job status, query KOLs/profile). They explicitly support fetching contact info (emails/websites/Instagram), which is privacy-sensitive and may implicate legal/TOS concerns, but it's consistent with the skill's description. The instructions do not ask to read unrelated files or credentials.
Install Mechanism
This is instruction-only with no install spec or code to write to disk, which minimizes install risk.
Credentials
SKILL.md declares two required environment variables (KOLENS_API_KEY, KOLENS_API_URL) and a required executable (curl). The registry metadata at the top of the package claimed no required env vars or binaries — that mismatch is concerning. The two env vars themselves are appropriate for an API-based skill, but the package metadata omission could be a packaging error or indicate incomplete/incorrect metadata.
Persistence & Privilege
Skill is not always-enabled and does not request persistent system privileges. It requires network access to the configured KOLens API URL (normal for an API skill).
What to consider before installing
Before installing or using this skill: (1) Verify the KOLens service and the API URL you will point it at — only set KOLENS_API_KEY for services you trust. (2) Confirm why the registry metadata omitted required env vars/executables — ask the publisher to correct the package metadata. (3) Be aware the skill can return contact information (emails, websites) scraped from TikTok; check legal and platform terms (GDPR/CCPA and TikTok's TOS) before using scraped contact data. (4) Prefer testing with a limited/dummy API key or in an isolated environment until you confirm the service is legitimate.
Like a lobster shell, security has layers — review code before you run it.
latest vk9728yh9becqt1hx3bv59qxxgs84q13z
