Skill v1.0.0
ClawScan security
tiktok-scraper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 12, 2026, 9:04 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions align with its stated purpose (calling CreatorCrawl's TikTok API) and there are no disproportionate or unexplained privileges requested.
- Guidance: This instruction-only skill is coherent: it only needs curl and your CreatorCrawl API key to call creatorcrawl.com. Before installing, verify the CreatorCrawl service and obtain an API key from the official site, ensure you trust that provider with the queries you will run, and monitor API usage/credits. Treat the CREATORCRAWL_API_KEY as a secret (don’t paste it in public chat), and be prepared to rotate/revoke the key if you see unexpected activity. Note that the agent may call the skill autonomously (platform default); if you want manual control, keep the skill disabled when not needed.
Review Dimensions
- Purpose & Capability: ok. Name/description (TikTok data via CreatorCrawl) match the declared requirements: curl + CREATORCRAWL_API_KEY. The requested credential and binary are exactly what you'd expect for an API-wrapping skill.
- Instruction Scope: ok. SKILL.md gives explicit curl-based examples using the CreatorCrawl base URL and the x-api-key header. Instructions do not reference other files, system paths, or unrelated environment variables, nor do they instruct exfiltration to third-party endpoints.
- Install Mechanism: ok. No install spec or code is included (instruction-only), so nothing is written to disk. This is the lowest-risk install pattern and appropriate for a curl-based wrapper.
- Credentials: ok. Only one environment variable (CREATORCRAWL_API_KEY) is required and is justified by the documented API authentication method. No unrelated credentials or sensitive paths are requested.
- Persistence & Privilege: ok. always is false and the skill does not request system-wide configuration changes or persistent privileges. Model invocation is enabled (the platform default) but that is appropriate for an API integration and not by itself concerning.
