Back to skill
Skillv1.0.0
ClawScan security
AIsa Youtube Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 11, 2026, 8:59 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements, runtime instructions, and included Python client are consistent with a YouTube SERP search wrapper that calls the AIsa API; nothing requests unrelated credentials or performs unexplained actions.
- Guidance
- This skill is internally consistent: it will use the AISA_API_KEY you provide to call https://api.aisa.one for YouTube SERP data. Only install it if you trust the AIsa service and are comfortable giving that API key to code that will send requests to api.aisa.one. Review the included scripts/youtube_client.py (it performs only HTTP calls to the AIsa endpoint) before use, and consider using an API key with limited scope or monitoring its usage. If you need higher assurance, contact the AIsa maintainers or verify the package source and release provenance before providing your key.
Review Dimensions
- Purpose & Capability
- okName/description (YouTube SERP Scout) match the declared requirements: curl/python3 and a single AISA_API_KEY used to call api.aisa.one. The primaryEnv is the API key the skill actually uses.
- Instruction Scope
- okSKILL.md instructs only using curl examples and the included python client to query the AIsa YouTube endpoint. It does not ask to read unrelated files, other env vars, or exfiltrate data to unexpected endpoints.
- Install Mechanism
- okNo install spec (instruction-only) and included Python client; nothing downloads arbitrary archives or runs third-party installers. Requires existing curl/python3 which is reasonable for the usage shown.
- Credentials
- okOnly AISA_API_KEY is required, which aligns with the skill's function of calling the AIsa API. No additional secrets, unrelated credential names, or config paths are requested.
- Persistence & Privilege
- okalways is false and the skill does not request persistent system changes or modify other skills' configuration. Normal autonomous invocation is allowed (platform default).