clawbus-youtube-unified-api
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
This is a disclosed YouTube API proxy skill, but it gives agents broad ability to publish, update, delete, and moderate YouTube account content through a third-party proxy key without clear approval or scope limits.
Review this skill carefully before installing. It is not shown to be malicious, but you should only provide the API key if you trust the proxy provider, and you should require explicit confirmation before allowing uploads, deletions, updates, moderation actions, or other write operations on your YouTube account.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent with the API key could delete videos, upload/publish content, update resources, or perform moderation actions if it chooses the wrong endpoint or misinterprets a request.
The reference docs expose destructive and public-content-changing YouTube operations. The skill does not document confirmation gates, endpoint allowlists, or rollback guidance for these high-impact actions.
DELETE /youtube_api/youtube/v3/videos ... Deletes a resource ... POST /youtube_api/upload/youtube/v3/videos ... [Media upload] Inserts a new resource.
Only use this with explicit user confirmation for every write/delete/moderation action, and prefer read-only or narrowly scoped credentials where possible.
Sharing the key may allow the proxy-backed workflow to access or change YouTube account data beyond a single read-only request.
The user-provided key delegates YouTube OAuth-backed account access to the hosted proxy. The artifacts do not clearly state OAuth scopes, revocation expectations, or boundaries for private/account-mutating operations.
Every request **must** include the `X-API-KEY` header with your **Mybrandmetrics API-KEY**... The proxy exchanges this key for a YouTube OAuth token internally.
Verify the proxy provider, understand the key’s scopes and revocation process, and avoid granting write-capable access unless needed.
Private channel data, analytics, reporting results, and account actions may be visible to or mediated by the proxy service.
All YouTube API calls, credentials, request parameters, and returned data pass through the hosted proxy. This is disclosed and purpose-aligned, but it is a sensitive data boundary users should understand.
Call hosted routes: `https://mcp.imagineapp.co/youtube_api/...` - Required header: `X-API-KEY` - Do not provide your own YouTube bearer token; proxy handles token exchange.
Use the skill only if you trust the hosted proxy and are comfortable routing YouTube account data through it.