ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Apify Threads Replies

v0.1.1

This skill should be used when the user asks to "scrape Threads replies", "get Threads comments", "extract replies from a Threads post", "get comments on a T...

0· 0·0 current·0 all-time
byFuturize Rush@futurizerush
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The skill name and description (scraping Threads replies) match the instructions, which call an Apify actor (futurizerush/threads-replies-scraper). Requiring an Apify API token is reasonable for this purpose. However, the published registry metadata lists no required environment variables or primary credential while SKILL.md explicitly instructs the user to set APIFY_API_TOKEN — this mismatch is unexpected.
Instruction Scope
SKILL.md provides concrete, narrow runtime steps: POST to start an Apify actor run, poll run status, and GET dataset items. Endpoints are limited to api.apify.com and examples reference Threads URLs. The instructions do not ask the agent to read unrelated files, system config, or other credentials.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk and there is no package download. This is the lowest-risk install model.
!
Credentials
The runtime examples require APIFY_API_TOKEN (sourced from environment) to authenticate to Apify. Registry metadata, however, lists no required env vars or primary credential. That omission is a mismatch and could cause confusion or hide that a secret is needed; it should have declared APIFY_API_TOKEN explicitly. No other unrelated secrets are requested in the instructions.
Persistence & Privilege
always is false and there is no install or persistent agent modification. The skill does not request elevated persistence or modify other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says (use an Apify actor to scrape public Threads replies), but SKILL.md requires an APIFY_API_TOKEN while the registry metadata does not declare it — that mismatch is a red flag. Before installing: (1) confirm the skill metadata is updated to list APIFY_API_TOKEN as a required credential, (2) verify the Apify actor owner (futurizerush) and inspect the actor's code/README on Apify to ensure it behaves as advertised, (3) use a limited-scope Apify token (rotate/revokeable) rather than a long-lived account token, and (4) test on non-sensitive posts first. If the publisher cannot explain the missing env declaration, treat the skill with caution.

Like a lobster shell, security has layers — review code before you run it.

ai-agentvk97c19g24ca74y50smte5qajz584ndjkapifyvk97c19g24ca74y50smte5qajz584ndjkcommentsvk97c19g24ca74y50smte5qajz584ndjkengagementvk97c19g24ca74y50smte5qajz584ndjklatestvk97c19g24ca74y50smte5qajz584ndjkscrapingvk97c19g24ca74y50smte5qajz584ndjksocial-mediavk97c19g24ca74y50smte5qajz584ndjkthreadsvk97c19g24ca74y50smte5qajz584ndjk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments