ClawHub
Back to skill
v1.0.0

TopYappers - Creators & Viral Content Skills

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:09 AM.

Analysis

This is a coherent TopYappers MCP integration that discloses its external API, API-key setup, and credit costs, with no artifact evidence of hidden code, exfiltration, or destructive behavior.

GuidanceThis skill appears safe to install if you intend to use TopYappers. Before installing, make sure you trust the TopYappers MCP endpoint, understand that an API key will be configured, and set expectations for when the agent may spend credits or retrieve creator contact/profile data.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
`get_creator_profiles` | Full profiles — followers, engagement, email, bio, niches | 1 credit/creator

Several documented MCP tools consume account credits and can return creator contact/profile data; this is disclosed and aligned with the skill purpose, but users should be aware of cost and data-use implications.

User impactThe agent may spend TopYappers credits when using paid tools and may retrieve creator emails or demographic profile fields.
RecommendationSet clear instructions for when the agent may use paid tools, limit result counts, and review outputs before using creator contact data.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
**Auth:** Bearer token in the `Authorization` header

Get an API key at [topyappers.com/profile](https://www.topyappers.com/profile).

The skill requires a TopYappers API key to authorize the MCP connection, giving the agent access to the user's TopYappers account and credits.

User impactIf installed, the agent can use the configured TopYappers account credentials for searches and paid API calls.
RecommendationUse a dedicated or limited TopYappers API key if available, monitor credit usage, and remove the MCP configuration when no longer needed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
**MCP Endpoint:** `https://mcp.topyappers.com`
**Transport:** HTTP

The skill connects the agent to an external MCP provider, so user prompts, search terms, and API credentials are used with that remote service.

User impactQueries about creators, campaigns, competitors, or trends may be sent to TopYappers as part of normal tool use.
RecommendationAvoid sending confidential strategy, personal data, or sensitive business information unless you are comfortable sharing it with TopYappers under its terms.