YouTube Analytics

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the raw key helper is called or printed, the user's API key could be exposed to the agent transcript and potentially used against the user's quota.

Why it was flagged

The skill uses the configured YouTube API key as expected for the provider, and also exposes a getApiKey helper that can return the raw key to callers.

Skill content

```javascript
clientInstance = google.youtube({ version: 'v3', auth: settings.apiKey }); ... return settings.apiKey;
```

Recommendation

Use a restricted YouTube Data API key, avoid printing or sharing it, and consider removing or not exporting getApiKey unless needed for debugging.

What this means

Installing the skill pulls third-party Node packages into the local environment.

Why it was flagged

The skill requires a user-directed npm install even though the registry says there is no install spec. The dependencies are purpose-aligned, and a package-lock is present.

Skill content

Install dependencies:

```bash
cd scripts && npm install
```

Recommendation

Review package.json/package-lock before installing, run installation in a trusted project environment, and prefer lockfile-based installs such as npm ci when possible.

What this means

If misused, these helpers could read local JSON files or write JSON files outside the intended results subfolders.

Why it was flagged

The result helpers accept caller-supplied category/filepath values and do not explicitly confine them to the results directory, though documented use is for saved YouTube result files.

Skill content

```javascript
const categoryDir = join(settings.resultsDir, category); ... const content = readFileSync(filepath, 'utf-8');
```

Recommendation

Use loadResult only with paths returned by listResults, avoid passing untrusted paths/categories, and consider adding path normalization checks that enforce the results directory boundary.

What this means

Search terms, channel/video analyses, and public YouTube metadata may remain in local files after the task is complete.

Why it was flagged

The skill persistently stores retrieved YouTube data and user search/query-derived results on disk by default.

Skill content

All results automatically save as JSON files to `results/{category}/`.

Recommendation

Keep the results directory private, delete old results when no longer needed, and avoid using sensitive search terms if local persistence is a concern.