ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skool All-in-One API

v1.0.0

Full read AND write access to Skool communities. Use when user asks to manage Skool members (approve, reject, list pending), read or create posts, reply to c...

0· 82·0 current·0 all-time
by@ctala

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for ctala/skool-all-in-one-api.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Skool All-in-One API" (ctala/skool-all-in-one-api) from ClawHub.
Skill page: https://clawhub.ai/ctala/skool-all-in-one-api
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: APIFY_TOKEN
Required binaries: node, mcpc
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install skool-all-in-one-api

ClawHub CLI

Package manager switcher

npx clawhub@latest install skool-all-in-one-api
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose — full read/write Skool management via Apify — matches the instructions that call an Apify actor. Requiring an APIFY_TOKEN is appropriate. However the skill also declares node + mcpc as required binaries while the provided curl-based examples never invoke mcpc; that mismatch is unexpected but not necessarily malicious.
!
Instruction Scope
SKILL.md tells the agent to run a remote Apify actor and (optionally) supply the user's Skool email+password to that actor (the actor performs Playwright login and returns cookies). That means sensitive Skool credentials (or session cookies) will be transmitted to and handled by a third‑party actor on apify.com. The instructions also direct storing and reusing cookies and do not describe access controls for those cookies.
Install Mechanism
Install spec uses npm to install @apify/mcpc which is a registry package — a normal, low-risk mechanism. The concern is procedural: SKILL.md examples use curl to call Apify API rather than mcpc, so installing mcpc may be unnecessary for the documented flows.
!
Credentials
The only required env var is APIFY_TOKEN, which is appropriate for running Apify actors. However the runtime requires user Skool credentials (email/password) in some flows — these are not listed as required env vars and will be transmitted in actor run payloads. APIFY_TOKEN grants the ability to start runs under your Apify account; if compromised or over‑privileged this could be abused. Declared binaries (node/mcpc) increase local surface despite the curl examples not using them.
Persistence & Privilege
always is false and the skill does not request permanent platform presence or system-wide config changes. Autonomous invocation is enabled by default but that is normal; the skill does not request elevated platform privileges.
What to consider before installing
This skill runs an external Apify actor (cristiantala~skool-all-in-one-api) to manage Skool on your behalf. Consequences to consider before installing: - APIFY_TOKEN: This token lets the skill start actors under your Apify account. Use a dedicated, limited token and revoke it if you stop using the skill. - Skool credentials: The documented login flow sends your Skool email/password to the remote actor (or stores cookies returned by that actor). Only provide these if you trust the actor owner and Apify; prefer giving cookies you control or avoid supplying your password when possible. - Third‑party code: The actor runs on apify.com under someone else's account. Inspect the actor's source on Apify (if available) or contact the actor author to confirm behavior. Treat this like granting a remote service browser access to your Skool session. - Binaries mismatch: The skill declares node + mcpc but examples use curl. You may not need to install mcpc for the curl-based flows; verify what your chosen workflow actually requires. If you proceed, limit risk by creating a scoped APIFY token, avoid reusing your primary Skool password, and test with a non-critical Skool account or group first. If you need help verifying the actor code or alternative approaches that avoid sending passwords to a third party, ask for that review.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎓 Clawdis
Binsnode, mcpc
EnvAPIFY_TOKEN
Primary envAPIFY_TOKEN

Install

Install mcpc CLI (npm)
Bins: mcpc
npm i -g @apify/mcpc
latestvk978a7agjmrh8km210neex2h3183p19q
82downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@ctala
latest
Download

Skool All-in-One API

Full read AND write access to Skool communities via Apify.

Prerequisites

  • .env file with APIFY_TOKEN
  • Node.js 20.6+
  • mcpc CLI tool

CRITICAL: Skool Data Model

Posts and comments are the SAME object in Skool.

  • To read comments: use posts:getComments — NOT comments:list
  • To create a comment: use posts:createComment — NOT comments:create
  • There is NO comments: namespace. Everything is posts:.

Content is PLAIN TEXT, not HTML.

  • CORRECT: Hello world
  • WRONG: <p>Hello world</p>

User mentions: [@Display Name](obj://user/{userId})

Workflow

Copy this checklist and track progress:

Task Progress:
- [ ] Step 1: Determine action needed
- [ ] Step 2: Login (auth:login) or use existing cookies
- [ ] Step 3: Execute the action
- [ ] Step 4: Present results

Step 1: Determine Action

Select the action based on user needs:

User NeedActionParams
Authentication
Login to Skoolauth:loginemail, password, groupSlug
Posts
List postsposts:listpage?, sortType?
Filter posts (date, unanswered)posts:filtersince?, until?, notAnsweredBy?, maxPosts?
Get single postposts:getpostId
Create postposts:createtitle, content (plain text), labelId?
Edit post or commentposts:updatepostId, title?, content?
Delete post or commentposts:deletepostId
Pin/unpin postposts:pin / posts:unpinpostId
Like/unlikeposts:votepostId, vote ("up" or "")
Comments
Get comments (nested tree)posts:getCommentspostId
Reply to postposts:createCommentcontent, rootId=postId, parentId=postId
Reply to comment (nested)posts:createCommentcontent, rootId=postId, parentId=commentId
Members
List membersmembers:listpage?
List pending applicationsmembers:pending(none)
Approve membermembers:approvememberId (use member.memberId, NOT member.id)
Reject membermembers:rejectmemberId
Ban membermembers:banmemberId
Events
List calendar eventsevents:list(none)
List upcoming eventsevents:upcoming(none)

Step 2: Authentication

Recommended flow (fast):

  1. Run auth:login once to get cookies
  2. Use cookies in all subsequent calls (~2s each instead of ~10s)
  3. Cookies expire every ~3.5 days — re-login when you get auth errors
# Login and get cookies
export $(grep APIFY_TOKEN .env | xargs)
RESULT=$(curl -s -X POST "https://api.apify.com/v2/acts/cristiantala~skool-all-in-one-api/runs?token=$APIFY_TOKEN&waitForFinish=120" \
  -H "Content-Type: application/json" \
  -d '{
    "action": "auth:login",
    "email": "USER_EMAIL",
    "password": "USER_PASSWORD",
    "groupSlug": "GROUP_SLUG"
  }')

RUN_ID=$(echo $RESULT | jq -r '.data.id')
COOKIES=$(curl -s "https://api.apify.com/v2/actor-runs/$RUN_ID/dataset/items?token=$APIFY_TOKEN" | jq -r '.[0].cookies')
echo "Cookies saved. Valid for ~3.5 days."

Step 3: Execute Action

With cookies (fast, ~2s):

export $(grep APIFY_TOKEN .env | xargs)
curl -s -X POST "https://api.apify.com/v2/acts/cristiantala~skool-all-in-one-api/runs?token=$APIFY_TOKEN&waitForFinish=120" \
  -H "Content-Type: application/json" \
  -d '{
    "action": "ACTION_NAME",
    "cookies": "COOKIES_FROM_LOGIN",
    "groupSlug": "GROUP_SLUG",
    "params": { PARAMS_HERE }
  }'

With email+password (slower, ~10s, uses Playwright):

export $(grep APIFY_TOKEN .env | xargs)
curl -s -X POST "https://api.apify.com/v2/acts/cristiantala~skool-all-in-one-api/runs?token=$APIFY_TOKEN&waitForFinish=120" \
  -H "Content-Type: application/json" \
  -d '{
    "action": "ACTION_NAME",
    "email": "USER_EMAIL",
    "password": "USER_PASSWORD",
    "groupSlug": "GROUP_SLUG",
    "params": { PARAMS_HERE }
  }'

Get results from dataset:

RUN_ID=$(echo $RESULT | jq -r '.data.id')
curl -s "https://api.apify.com/v2/actor-runs/$RUN_ID/dataset/items?token=$APIFY_TOKEN" | jq .

Step 4: Present Results

Format results based on the action:

  • posts:list — Show title, author, likes, commentCount, url
  • posts:getComments — Show nested comment tree with replies
  • members:pending — Show name, bio, location, application answers, source
  • members:list — Show name, level, points, bio, social links

Common Workflows

Get unanswered posts from last 7 days

To find which posts the user hasn't replied to, you need their Skool user ID.

1. auth:login → save cookies
2. members:list → find the user by name/email → get their "id" field (this is the user ID, NOT memberId)
3. posts:filter with params:
   {
     "since": "2026-03-20T00:00:00Z",
     "notAnsweredBy": "USER_ID_FROM_STEP_2",
     "maxPosts": 50
   }
4. Show the filtered posts — these are posts the user has NOT replied to

How to get USER_ID: Run members:list and find the user by firstName/lastName. The id field (NOT memberId) is what you pass to notAnsweredBy.

Alternative — just get posts with 0 comments:

1. auth:login → save cookies
2. posts:list with params: { "page": 1 }
3. Filter results where commentCount === 0

Approve pending members

1. auth:login → save cookies
2. members:pending → get list with application answers
3. For each member to approve: members:approve with params: { "memberId": member.memberId }
IMPORTANT: Use member.memberId (membership ID), NOT member.id (user ID)

Reply to a post with user mention

1. auth:login → save cookies
2. posts:createComment with params:
   - content: "Great point [@Name](obj://user/{userId})! I agree with your analysis."
   - rootId: "post-id"
   - parentId: "post-id" (same as rootId for top-level comment)

Reply to a specific comment (nested)

1. posts:getComments → find the comment ID
2. posts:createComment with params:
   - content: "Thanks for sharing!"
   - rootId: "original-post-id" (ALWAYS the root post, never a comment)
   - parentId: "comment-id" (the comment you're replying to)

Important Notes

  1. memberId vs id: For approve/reject/ban, use memberId field (membership ID), NOT id (user account ID). They are different.
  2. Content format: Posts and comments use PLAIN TEXT. Never send HTML tags.
  3. Mentions: Use [@Name](obj://user/{userId}) format. Get userId from members:list.
  4. Rate limits: Skool limits writes to ~20-30/min. Reads are ~60/min.
  5. Cookie expiry: Cookies last ~3.5 days. Re-login when you get 403 errors.
  6. Comment nesting: rootId is ALWAYS the original post ID. parentId is the post (for top-level) or comment (for nested reply).

Actor Details

Comments

Loading comments...