Skill v1.0.1

ClawScan security

Social Media Spy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 18, 2026, 8:15 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions are broadly consistent with a social-media scraping utility (it uses Apify actors), but its metadata omits a required credential (APIFY_TOKEN) and it references external services (Claude, Notion/Airtable/Sheets) without declaring how or what credentials are needed — this inconsistency deserves caution.
Guidance
This skill appears to be a wrapper around Apify actors for scraping public social media and is plausible for the described use, but there are mismatches you should resolve before installing:

1) SKILL.md requires an APIFY_TOKEN but the skill metadata does not declare any required env vars — ask the publisher to add APIFY_TOKEN to the declared requirements.
2) The README mentions Claude AI and integrations with Notion/Airtable/Sheets but gives no details on credentials or where data is sent — ask how those integrations are implemented and whether any third-party endpoints receive your data.
3) Scraping public social media at scale can incur costs and may violate platform terms; create a dedicated Apify account/token with limited scope and monitor usage and billing.
4) Because this is instruction-only, nothing will be installed automatically, but running the example code will execute network calls — review and run it in a sandbox or isolated environment first.

If you don’t trust the publisher or cannot get the missing metadata/clarifications, treat this skill as higher-risk and avoid supplying real credentials.

Review Dimensions

Purpose & Capability
note: The name/description claim to extract and analyze public social media data; the SKILL.md shows concrete Apify actor calls and npm dependencies (apify-client, axios) that match that purpose. However the doc also mentions "Powered by Claude AI" and outputs to Notion/Airtable/Google Sheets without showing or requiring the corresponding credentials or integration steps, which is a mismatch between claims and what is actually specified.
Instruction Scope
note: Runtime instructions in SKILL.md are explicit: create an Apify account, export APIFY_TOKEN, npm install apify-client and axios, and call specific Apify actors to scrape platforms. The instructions stay within the scraping/analysis scope and do not instruct reading unrelated system files. They do not, however, document rate limiting, respect for platform TOS/robots, or where scraped data is ultimately transmitted (beyond saving/printing datasets), which is operationally important.
Install Mechanism
ok: This is an instruction-only skill with no install spec or code files in the bundle, so nothing is automatically downloaded or written by the skill itself. Risk from install mechanism is low.
Credentials
concern: SKILL.md explicitly requires APIFY_TOKEN (it shows export APIFY_TOKEN and uses process.env.APIFY_TOKEN), but the registry metadata lists no required environment variables or primary credential. That discrepancy is significant. The doc also references other external services (Claude AI, Notion/Airtable/Google Sheets) but does not declare any required API keys for them. Requiring a single Apify token is reasonable for the stated purpose, but the metadata should declare it and any other needed credentials.
Persistence & Privilege
ok: The skill does not request 'always: true' or any elevated persistence. It is user-invocable and allows autonomous invocation (platform default). There is no evidence the skill modifies other skills or system-wide settings.