Skill v1.0.1

ClawScan security

YouTube SERP Scout · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 19, 2026, 9:57 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requirements and instructions are consistent with a YouTube SERP/search helper that calls a third‑party AIsa API; it requests only an API key and standard binaries and contains no hidden or unrelated behavior.
Guidance
This skill appears coherent: it simply calls the AIsa YouTube search API and needs one API key plus curl/python. Before installing, verify you trust the AIsa service (api.aisa.one) because your AISA_API_KEY and the queries/results will transit through that provider. Limit the API key permissions if possible, monitor its usage, and rotate the key if you suspect misuse. If you require on‑premises-only tools or want to avoid third‑party logging, do not install/use this skill.

Review Dimensions

Purpose & Capability
ok: Name/description (YouTube SERP Scout) align with the code and SKILL.md: both call https://api.aisa.one/apis/v1/youtube/search and provide search, country/lang filters, pagination, and simple client helpers. Requested binaries (curl, python3) and the AISA_API_KEY are appropriate for this purpose.
Instruction Scope
ok: SKILL.md and the included python client direct only YouTube search requests to the AIsa API and require the AISA_API_KEY; they do not instruct reading arbitrary files, other environment variables, or sending data to unexpected endpoints. The instructions are specific and scoped to search/analysis tasks.
Install Mechanism
ok: There is no install spec that downloads or extracts external code. The skill is instruction-only (plus a bundled python script). No suspicious external URLs or archive extraction steps are present in the install phase.
Credentials
note: The skill requests a single API credential (AISA_API_KEY), which is proportional to contacting a third‑party search API. Note: the API is a third‑party service (api.aisa.one); users should verify the provider's trustworthiness and what data the provider logs/retains before supplying the key.
Persistence & Privilege
ok: The skill does not request always:true, does not modify other skills or system-wide settings, and relies on the agent to call it explicitly or autonomously per platform defaults. No elevated persistence is requested.