Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Yt Assemblyai Monitor
v1.0.1
YouTube channel monitor and video transcription using AssemblyAI cloud API. Pure Python + requests only — no ffmpeg, no Whisper, no extra tools needed. Monit...
by 大佬的鼠DonRat @azazlf09
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose is YouTube monitoring + AssemblyAI transcription, which matches the code's behavior. However, the registry metadata declares no required environment variables or primary credential, while the SKILL.md and monitor.py require an ASSEMBLYAI_API_KEY (or data/config.json). That mismatch is an inconsistency: the credential requirement should have been declared in the skill metadata.
Instruction Scope
Instructions and code confine activity to fetching YouTube pages, extracting audio URLs via the innertube API, and submitting those URLs to AssemblyAI. The skill reads/writes files inside its own data/ directory (channels.json, processed.json, summaries, config.json). It does not attempt to read other system files or unrelated environment variables. It does, however, offer to store the API key in plaintext at data/config.json, which raises disclosure risk if the host environment is shared.
Install Mechanism
There is no install spec — the skill is instruction/code-only and uses only the requests library. Nothing is downloaded or executed from external, arbitrary URLs during install.
Credentials
The skill requires an AssemblyAI API key to function (documented in SKILL.md and enforced in code) but the registry metadata does not declare this required credential. Requesting an API key for the service being used is reasonable, but storing it in a local plaintext config file is risky. Additionally, the code contains a hard-coded INNERTUBE_API_KEY fallback (a Google API key string) — using or exposing a fallback API key is unusual and may be inappropriate.
Persistence & Privilege
The skill is not always-enabled and does not request special platform privileges. It writes only to its own data/ directory and does not modify other skills or system-wide settings.
What to consider before installing
This skill appears to perform the advertised YouTube→AssemblyAI workflow, but there are two issues to consider before installing: (1) the registry metadata does NOT list the AssemblyAI API key requirement despite the SKILL.md and code requiring ASSEMBLYAI_API_KEY — provide the key only if you trust and understand the billing/usage implications; (2) the code includes a hard-coded innertube API key fallback (a Google API key string) and suggests storing your AssemblyAI key in data/config.json (plaintext) — prefer using the ASSEMBLYAI_API_KEY environment variable rather than a config file to reduce accidental exposure. Also note the provided scripts/monitor.py in the package snapshot is truncated, so the audit is incomplete; you should inspect the full source before running. Recommended actions: review the full monitor.py, run the script in a sandbox or isolated environment, avoid committing config.json to version control, and monitor your AssemblyAI account for unexpected usage after enabling the skill.
Like a lobster shell, security has layers — review code before you run it.
