Skill v1.1.0
ClawScan security
Creator Screening · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 6, 2026, 7:29 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions mostly match its stated purpose (creator screening via Memories.ai), but there are important packaging and runtime mismatches you should understand before installing.
- Guidance: Before installing or running this skill: (1) Expect it to call external services — Memories.ai (required) and optionally Apify — and you must provide MEMORIES_API_KEY (and optionally APIFY_API_KEY). The registry metadata omitted those env vars, so double-check you have the keys and understand the cost/usage. (2) The MAI analysis is asynchronous and documented to deliver results via webhook, but the included scripts do not implement webhook handling or polling, so you may need to add a webhook endpoint or change the workflow to poll results or use transcript mode. (3) Review and test the scripts in an isolated environment; keys are sent to third-party endpoints, so use keys with limited scope and rotate them if you stop using the skill. (4) Verify the privacy and legal implications of programmatically scraping creator content for your use case and confirm you trust Memories.ai/Apify and are comfortable with their data handling and costs.
Review Dimensions
- Purpose & Capability (note): The name/description, SKILL.md, and included scripts all implement influencer screening via Memories.ai (with an Apify fallback). That capability aligns with requests for MEMORIES_API_KEY and optional APIFY_API_KEY. However, registry metadata declares no required environment variables or primary credential while the runtime instructions and scripts clearly require MEMORIES_API_KEY (and optionally APIFY_API_KEY). This metadata omission is an incoherence that can mislead installers or automated installers/tools.
- Instruction Scope (concern): SKILL.md instructs using Memories.ai MAI which is async and delivers results via webhook; the provided scripts (analyze_videos.py, scrape_profiles.py, score_creator.py) submit jobs and return task IDs but do not implement webhook handling, polling, or result collection. That means the documented workflow (wait for async MAI results via webhook and fall back if not received) is not fully implemented in the shipped code. Apart from contacting Memories.ai and Apify, the instructions do not attempt to read unrelated local files or other secrets. External network calls are required and expected for this purpose.
- Install Mechanism (ok): There is no install spec (instruction-only skill) — the repo includes scripts but no automated installer. This is low-risk from an automatic-install perspective because nothing will be downloaded or executed automatically beyond the included scripts. The user will run Python scripts manually, so standard local review is possible.
- Credentials (note): The skill requires an API key for Memories.ai (MEMORIES_API_KEY) and optionally APIFY_API_KEY for a fallback — both are proportional to the stated function (fetching metadata and transcripts). The inconsistency is that the registry metadata does not declare these required environment variables; that mismatch is a packaging/manifest issue and can cause surprises (e.g., user not prompted to provide a key).
- Persistence & Privilege (ok): The skill does not request persistent or elevated platform privileges (always:false). It does not modify other skills or system settings. It only issues outbound API requests to Memories.ai and Apify, which is expected for this functionality.
