Skill v1.0.1

ClawScan security

Apify Competitor Intelligence · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 11, 2026, 3:42 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally coherent: it legitimately needs an APIFY_TOKEN, Node, and the mcpc CLI to run Apify actors, and the included code only talks to api.apify.com and writes local outputs.
Guidance
This skill appears to do what it claims: it uses your APIFY_TOKEN to start Apify actors and download their datasets from api.apify.com. Before installing: (1) ensure you trust the npm package @apify/mcpc or review it beforehand; (2) provide an appropriately scoped APIFY_TOKEN: the token can trigger runs and incur billing, so use a least-privilege token or monitor account usage; (3) be aware that running third-party Apify actors causes those actors to scrape external sites (review target sites' terms of service and privacy rules, and ensure you are allowed to scrape them); (4) the SKILL.md examples use jq, but jq is not declared as a required binary, so you may need jq in your environment or need to adapt the command; (5) outputs may include PII depending on what an actor scrapes, so handle files accordingly. Overall the skill is coherent with its described purpose.

Review Dimensions

Purpose & Capability
ok: The name/description (running Apify actors to gather competitor data) aligns with the requested artifacts: APIFY_TOKEN, Node, and the mcpc CLI. The included run_actor.js implements actor start, polling, and dataset download via api.apify.com; these are expected for this purpose.
Instruction Scope
note: SKILL.md instructs the agent to fetch actor schemas with mcpc and to run the provided run_actor.js; the JS enforces input validation (actor ID format, JSON input, output path) and limits network access to api.apify.com. Two minor issues: (1) SKILL.md examples pipe mcpc output to jq, but jq is not declared in required binaries (could cause runtime failure), and (2) running arbitrary Apify actors runs third-party scraping code: the agent will execute remote actor logic (via Apify), which may scrape external sites and could have legal/ToS implications. The instructions include explicit sanitization rules, which improves safety if enforced.
Install Mechanism
note: Install is a Node package (@apify/mcpc) that provides the mcpc binary. Installing an npm package is expected for a CLI dependency; this is moderate-risk relative to instruction-only skills but proportionate to the function. The install uses the npm registry (no opaque download URLs or archive extraction), and the package produces the expected mcpc binary.
Credentials
ok: Only APIFY_TOKEN is required and declared as the primary credential. That is proportional: the skill must authenticate to apify.com to start actor runs and download datasets. Note: an APIFY_TOKEN grants ability to run actors and access datasets (and may incur billing), so users should supply a token with appropriate scope and monitor account usage.
Persistence & Privilege
ok: The skill is not always-enabled and does not request system-wide persistence or elevated privileges. It does not modify other skills or global agent configuration. It will install an npm-provided mcpc binary (per install spec), which is normal for this functionality.