ClawHub
Back to skill
v1.0.0

Youtube Search and Tracking API

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:26 AM.

Analysis

This appears to be a straightforward YouTube search client using a declared AIsa API key and external API, with no evidenced destructive, deceptive, or persistent behavior.

GuidanceBefore installing, confirm you trust the AIsa/OpenClaw provider, configure a dedicated AISA_API_KEY where possible, and avoid including confidential information in YouTube search queries.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceMediumStatusNote
metadata
Source: unknown

The registry metadata does not identify a source repository or stronger provenance for the skill.

User impactUsers have less provenance information to verify who maintains the skill or where updates originate.
RecommendationConfirm you trust the publisher and provider before configuring an API key.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
scripts/youtube_client.py
self.api_key = api_key or os.environ.get("AISA_API_KEY") ... "Authorization": f"Bearer {self.api_key}"

The script reads the AIsa API key from the environment and uses it as a bearer token for API calls.

User impactThe skill can use the configured AIsa account or API quota when the agent performs searches.
RecommendationUse a dedicated AIsa API key if possible, monitor usage, and revoke or rotate the key if you stop using the skill.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityInfoConfidenceHighStatusNote
scripts/youtube_client.py
BASE_URL = "https://api.aisa.one/apis/v1" ... params = {"engine": "youtube", "q": query}

User-provided search terms are sent to the external AIsa API endpoint.

User impactSearch queries, including competitor names or research topics, will be visible to the API provider.
RecommendationAvoid putting confidential or sensitive information into search queries unless you trust the provider’s handling of that data.