YouTube Analytics

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: youtube-analytics
Version: 1.0.0

The OpenClaw skill bundle is a YouTube analytics toolkit that interacts with the YouTube Data API v3. All code and documentation align with its stated purpose. The `SKILL.md` file provides clear, benign instructions for setup and usage, without any evidence of prompt injection attempts against the AI agent. The TypeScript code (`scripts/src/**/*.ts`) uses standard libraries (`googleapis`, `dotenv`) to fetch data and saves results as JSON files exclusively within a dedicated `results/` directory, preventing arbitrary file system access or data exfiltration. Dependencies listed in `scripts/package.json` are legitimate, and there are no signs of malicious execution, persistence mechanisms, or obfuscation.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the raw key helper is called or printed, the user's API key could be exposed to the agent transcript and potentially used against the user's quota.

Why it was flagged

The skill uses the configured YouTube API key as expected for the provider, and also exposes a getApiKey helper that can return the raw key to callers.

Skill content

```typescript
clientInstance = google.youtube({ version: 'v3', auth: settings.apiKey });
...
return settings.apiKey;
```

Recommendation

Use a restricted YouTube Data API key, avoid printing or sharing it, and consider removing or not exporting getApiKey unless needed for debugging.

What this means

Installing the skill pulls third-party Node packages into the local environment.

Why it was flagged

The skill requires a user-directed npm install even though the registry says there is no install spec. The dependencies are purpose-aligned, and a package-lock is present.

Skill content
Install dependencies:

```bash
cd scripts && npm install
```

Recommendation

Review package.json/package-lock before installing, run installation in a trusted project environment, and prefer lockfile-based installs such as npm ci when possible.

What this means

If misused, these helpers could read local JSON files or write JSON files outside the intended results subfolders.

Why it was flagged

The result helpers accept caller-supplied category/filepath values and do not explicitly confine them to the results directory, though documented use is for saved YouTube result files.

Skill content

```typescript
const categoryDir = join(settings.resultsDir, category);
...
const content = readFileSync(filepath, 'utf-8');
```

Recommendation

Use loadResult only with paths returned by listResults, avoid passing untrusted paths/categories, and consider adding path normalization checks that enforce the results directory boundary.

What this means

Search terms, channel/video analyses, and public YouTube metadata may remain in local files after the task is complete.

Why it was flagged

The skill persistently stores retrieved YouTube data and user search/query-derived results on disk by default.

Skill content
All results automatically save as JSON files to `results/{category}/`.

Recommendation

Keep the results directory private, delete old results when no longer needed, and avoid using sensitive search terms if local persistence is a concern.