Skill v1.0.0
ClawScan security
AIsa Youtube Serp Scout · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 6:45 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it needs python3 and a single AISA_API_KEY to call AIsa's YouTube SERP API and the code/instructions match that purpose — but the packaged Python file listing is truncated in the manifest, so verify the full source before trust.
- Guidance: This package appears to do what it claims: run a local Python client that calls the AIsa YouTube SERP API using your AISA_API_KEY. Before installing or providing credentials: 1) Inspect the complete scripts/youtube_client.py file in the package (the manifest listing you were shown is truncated) to ensure there are no hidden behaviors. 2) Confirm you trust the external host (api.aisa.one) — your queries and the Bearer token will be sent there. 3) Use a least-privilege API key (read-only, scoped if possible), and rotate/revoke it if you stop using the skill. 4) Run the script in a sandboxed environment if you have any doubt. If you want, paste the full youtube_client.py contents and I can review the rest for anything suspicious.
Review Dimensions
- Purpose & Capability: ok. Name/description, required binary (python3), and primary environment variable (AISA_API_KEY) align with the included script and the stated purpose of querying an AIsa YouTube SERP API. No unrelated credentials or binaries are requested.
- Instruction Scope: ok. SKILL.md instructs running the repo-local Python script and only requires the AISA_API_KEY. The script issues HTTP requests to https://api.aisa.one/apis/v1 (expected for an AIsa-backed service) and does not reference other files, system config paths, or unrelated environment variables. Guardrails in SKILL.md limit invention of results.
- Install Mechanism: ok. No install spec is present (instruction-only skill with shipped script). No remote downloads, package installs, or archive extraction are declared; executing the script requires only an existing python3 runtime.
- Credentials: ok. Only a single environment variable (AISA_API_KEY) is required, and that is justified by the script, which sets an Authorization header for calls to the AIsa API. No unrelated secrets or config paths are requested.
- Persistence & Privilege: ok. The skill is not declared always:true and does not request persistent system-level privileges. It makes network calls to the expected external API but does not modify other skills or system-wide configuration in the provided materials.
