clawbus-youtube-unified-api
PassAudited by VirusTotal on May 8, 2026.
Overview
Type: OpenClaw Skill Name: clawbus-youtube-unified-api Version: 1.0.0 The skill bundle provides a legitimate and well-documented interface for an agent to interact with YouTube Data, Analytics, and Reporting APIs via a hosted proxy at mcp.imagineapp.co. The included Python script (scripts/sync_discovery.py) is a maintenance utility that fetches official Google Discovery documents to regenerate reference artifacts and does not exhibit any malicious behavior or suspicious dependencies. The instructions in SKILL.md correctly guide the agent to request a necessary API key from the user for authentication without attempting to exfiltrate unrelated sensitive data.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent with the API key could delete videos, upload/publish content, update resources, or perform moderation actions if it chooses the wrong endpoint or misinterprets a request.
The reference docs expose destructive and public-content-changing YouTube operations. The skill does not document confirmation gates, endpoint allowlists, or rollback guidance for these high-impact actions.
DELETE /youtube_api/youtube/v3/videos ... Deletes a resource ... POST /youtube_api/upload/youtube/v3/videos ... [Media upload] Inserts a new resource.
Only use this with explicit user confirmation for every write/delete/moderation action, and prefer read-only or narrowly scoped credentials where possible.
Sharing the key may allow the proxy-backed workflow to access or change YouTube account data beyond a single read-only request.
The user-provided key delegates YouTube OAuth-backed account access to the hosted proxy. The artifacts do not clearly state OAuth scopes, revocation expectations, or boundaries for private/account-mutating operations.
Every request **must** include the `X-API-KEY` header with your **Mybrandmetrics API-KEY**... The proxy exchanges this key for a YouTube OAuth token internally.
Verify the proxy provider, understand the key’s scopes and revocation process, and avoid granting write-capable access unless needed.
Private channel data, analytics, reporting results, and account actions may be visible to or mediated by the proxy service.
All YouTube API calls, credentials, request parameters, and returned data pass through the hosted proxy. This is disclosed and purpose-aligned, but it is a sensitive data boundary users should understand.
Call hosted routes: `https://mcp.imagineapp.co/youtube_api/...` - Required header: `X-API-KEY` - Do not provide your own YouTube bearer token; proxy handles token exchange.
Use the skill only if you trust the hosted proxy and are comfortable routing YouTube account data through it.