Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Social Media Extract
v1.0.0
Extract and analyze public social media data from Instagram, TikTok, Reddit, YouTube, and Twitter to identify trends, top creators, and engagement insights.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes exactly the capability (scraping + analysis across Instagram, TikTok, Reddit, YouTube, Twitter) and provides concrete Apify actor calls to achieve it, so the capability matches the description. However, the skill metadata claims no required environment variables or credentials, while the instructions explicitly require an APIFY_TOKEN. That mismatch is an incoherence between what the skill says it needs and what it actually needs at runtime.
Instruction Scope
The instructions stay within the stated task: they explain signing up for Apify, exporting APIFY_TOKEN, installing apify-client and axios, and calling Apify actors to fetch platform data and normalize it. The doc does not direct the agent to read unrelated host files or system credentials. It does reference integrations (Notion, Airtable, Google Sheets, Claude AI) but does not embed instructions to exfiltrate unrelated system data.
Install Mechanism
This is an instruction-only skill (no install spec). The SKILL.md suggests running 'npm install apify-client axios' which is a standard, low-risk developer step. No downloads from arbitrary URLs or archive extraction are specified.
Credentials
The runtime instructions require an APIFY_TOKEN (personal API token) and imply use of Apify account resources and billing, but the registry metadata lists no required env vars or primary credential. The skill also mentions 'Claude AI' without describing any credential requirements. The omission of APIFY_TOKEN from the declared required env vars is a proportionality and disclosure problem: the skill requires privileged credentials (control of your Apify actor runs and possible billing) but does not declare them.
Persistence & Privilege
The skill does not request always:true and is not force-included. There is no install spec that writes persistent binaries or modifies other skills' configs. Autonomous invocation is allowed (platform default) but is not combined with any other high-privilege flags.
What to consider before installing
Before you install or use this skill:
1) Treat your APIFY_TOKEN like a secret — it authorizes runs and may incur charges; do not paste it into chat. Ask the author to update the registry metadata to list APIFY_TOKEN (and any other needed creds) explicitly.
2) Review which Apify actors will run and, if possible, inspect their code/behavior on Apify to understand what data they collect and where results are stored or forwarded.
3) Clarify the 'Claude AI' mention: does the skill require a Claude API key or external LLM access? If so, that should be declared.
4) Consider legal/ToS implications of scraping each platform and whether you need elevated access or rate-limited approaches.
5) If you plan to run this in production, create a dedicated Apify account with limited billing/payment exposure and rotate tokens; monitor usage and billing.
Given the metadata/instruction mismatch, ask the publisher for corrected manifest information before trusting secrets or granting long-term access.
Like a lobster shell, security has layers — review code before you run it.
