Back to skill
Skillv1.0.0
ClawScan security
Youtube Serp · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 24, 2026, 4:53 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and required credential (AISA_API_KEY) are consistent with a YouTube SERP/analytics client that calls the AIsa API; nothing in the package appears disproportionate or unrelated to its stated purpose.
- Guidance
- This package appears coherent: the included Python script contacts the AIsa API (https://api.aisa.one) and uses AISA_API_KEY as a Bearer token — which is expected for this service. Before installing/using: (1) ensure you trust the external service (aisa.one) because your API key and query data are sent there; (2) review the included scripts locally (they're present in scripts/youtube_client.py) and run them in an isolated environment if you have concerns; (3) do not provide unrelated credentials; and (4) if you ever suspect the key was misused, rotate/revoke the AISA_API_KEY. If you want higher assurance, ask the publisher for a provenance/source URL or official homepage before using the key in production.
Review Dimensions
- Purpose & Capability
- okName/description ask for YouTube SERP and trend research and the package contains a Python client that calls an external AIsa YouTube API. Required binary (python3) and required env var (AISA_API_KEY) align with that purpose.
- Instruction Scope
- okSKILL.md instructs usage of the included scripts/ CLI and requires only AISA_API_KEY. The runtime instructions do not request unrelated files, system state, or other secrets and include reasonable guardrails about not inventing results.
- Install Mechanism
- okNo install spec (instruction-only runtime with an included script). This is low-risk: nothing is downloaded or extracted from third-party URLs during install.
- Credentials
- okOnly AISA_API_KEY is required and is declared as the primary credential. That key is used as a Bearer token to call https://api.aisa.one — this is proportionate to the skill's described behavior, but the key will be transmitted to that service.
- Persistence & Privilege
- okalways:false and no code that modifies other skills or system configs. The skill does not request permanent agent presence or elevated privileges.