Youtube To Ebook

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you configure Gmail, the skill can send email from that account. A Gmail app password is a full-strength credential for the account (it lets the application holding it sign in without 2-Step Verification), not a scoped token, so it must be protected like the account password itself.

Why it was flagged

The optional email feature reads a Gmail app password from the local environment and can send the generated EPUB by email. This is purpose-aligned, but it is sensitive account authority.

Skill content
GMAIL_APP_PASSWORD = os.getenv("GMAIL_APP_PASSWORD")
Recommendation

Use a dedicated Gmail app password only if you need email delivery, keep .env private and out of version control, confirm the recipient and send behavior before enabling automation, and revoke the app password in your Google account settings when you stop using the feature.
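The pattern the recommendation above asks for, as an added example rather than the skill's own code: the app password is read only from the environment, a missing secret fails loudly instead of silently skipping delivery, the recipient must match an explicit allowlist, and a dry-run mode builds the message without transmitting it. The function names (load_gmail_config, check_recipient, send_epub) and the injectable smtp_factory are assumptions for illustration; smtp.gmail.com:465 is Gmail's SMTPS endpoint.

```python
import os
import smtplib
import ssl
from email.message import EmailMessage


class ConfigError(RuntimeError):
    """Raised when a required secret or setting is missing or unsafe."""


def load_gmail_config(env=os.environ):
    """Read the sender address and app password from the environment only.
    A literal in source would end up in the repository; an empty value would
    make the feature fail later in a less obvious place."""
    user = env.get("GMAIL_USER")
    password = env.get("GMAIL_APP_PASSWORD")
    if not user or not password:
        raise ConfigError("GMAIL_USER and GMAIL_APP_PASSWORD must be set (e.g. in a private .env)")
    return user, password


def check_recipient(recipient, allowlist):
    """Refuse to send anywhere except an explicitly configured address, so a
    typo or an injected value cannot redirect the EPUB."""
    wanted = recipient.strip().lower()
    if wanted not in {a.strip().lower() for a in allowlist}:
        raise ConfigError(f"recipient {wanted!r} is not in the allowlist")
    return wanted


def build_message(sender, recipient, subject, epub_bytes, filename):
    """Build a MIME message carrying the EPUB as an attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content("Your generated ebook is attached.")
    msg.add_attachment(epub_bytes, maintype="application", subtype="epub+zip",
                       filename=filename)
    return msg


def send_epub(epub_bytes, filename, recipient, allowlist, env=os.environ,
              smtp_factory=None, dry_run=False):
    """Validate configuration and recipient, then send over SMTPS.
    With dry_run=True the message is built and returned but nothing is sent,
    which is the mode to use when first wiring up scheduled automation."""
    user, password = load_gmail_config(env)
    to = check_recipient(recipient, allowlist)
    msg = build_message(user, to, "YouTube to Ebook: " + filename, epub_bytes, filename)
    if dry_run:
        return msg
    # smtp_factory is injectable so the send path can be exercised with a fake server.
    factory = smtp_factory or (lambda: smtplib.SMTP_SSL(
        "smtp.gmail.com", 465, context=ssl.create_default_context()))
    with factory() as smtp:
        smtp.login(user, password)
        smtp.send_message(msg)
    return msg
```

Run it once with dry_run=True and inspect the returned message's From, To and attachment name before the launchd job is allowed to call it for real.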

What this means

You may need to create and store an additional third-party API key, and transcript lookups may consume that provider's quota.

Why it was flagged

The transcript code expects a Supadata API key, while the top-level skill requirements mention YouTube and Anthropic keys and registry metadata declares no env vars.

Skill content
SUPADATA_API_KEY = os.getenv("SUPADATA_API_KEY")
Recommendation

Update documentation/metadata to declare SUPADATA_API_KEY, and only configure it if you are comfortable sending YouTube video URLs to Supadata for transcript retrieval.

What this means

Future dependency changes could break the skill or introduce unexpected behavior.

Why it was flagged

The Python dependencies are listed without pinned versions. This is common in small projects, but it leaves installs dependent on whatever versions are current at install time, so a newly published release, including a compromised one, is picked up automatically on the next install.

Skill content
google-api-python-client
python-dotenv
youtube-transcript-api
anthropic
markdown
ebooklib
requests
Recommendation

Install in a virtual environment, consider pinning versions or using a lockfile, and review dependency provenance before running.
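A pre-install check for the recommendation above, as an added example and not part of the skill: it reads a requirements file and reports every entry that is not pinned with "==" and accompanied by a --hash, the two things that stop a silent upgrade and a substituted artifact respectively. The requirements text at the bottom is constructed for the demo (the page's list with two entries pinned; the digest is a dummy placeholder, not a real artifact hash), and audit_requirements is an assumed helper name.

```python
import re

# Loose match for "name[extras] <specifier and options>"; enough for a review
# script, not a full PEP 508 parser.
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?(.*)$")


def _logical_lines(text):
    """Join backslash continuations, which pip uses for multi-line --hash entries."""
    buf = ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        yield buf + raw
        buf = ""
    if buf:
        yield buf


def audit_requirements(text):
    """Return {name: issue} for each requirement that is not pinned with '=='
    and carries at least one --hash. A pin stops silent upgrades; a hash also
    stops a different artifact at the same version from installing (pip then
    enforces hashes for the whole file)."""
    problems = {}
    for logical in _logical_lines(text):
        line = logical.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or an option line such as -r / --index-url
        m = _REQ_RE.match(line)
        if not m:
            problems[line] = "unparseable"
            continue
        name, _extras, rest = m.groups()
        name = name.lower().replace("_", "-")
        if "==" not in rest:
            problems[name] = "unpinned"
        elif "--hash=" not in rest:
            problems[name] = "pinned but no --hash"
    return problems


# Constructed sample input for the demo; versions and the digest are placeholders.
SAMPLE_REQUIREMENTS = "\n".join([
    "google-api-python-client",
    "python-dotenv",
    "youtube-transcript-api",
    "anthropic>=0.30",
    "markdown==3.6",
    "ebooklib",
    "requests==2.32.3 \\",
    "    --hash=sha256:" + "0" * 64,
])
```

A file that passes this check is what pip-compile --generate-hashes (pip-tools) produces from a requirements.in, and pip install --require-hashes -r requirements.txt refuses to install anything that does not match.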

Note (High Confidence)
ASI10: Rogue Agents
What this means

If enabled, the skill may run on a schedule, use API quota, generate files, and send email without you manually starting it each time.

Why it was flagged

The README documents optional launchd setup for recurring local execution. This is disclosed and user-directed, but it is persistent automation.

Skill content
cp com.youtube.newsletter.plist ~/Library/LaunchAgents/

# Load it
launchctl bootstrap gui/$(id -u) ~/Library/LaunchAgents/com.youtube.newsletter.plist
Recommendation

Enable launchd only after confirming paths, credentials, recipient settings, and logs; keep the matching disable command handy (launchctl bootout gui/$(id -u) ~/Library/LaunchAgents/com.youtube.newsletter.plist) and remove the plist from ~/Library/LaunchAgents when you no longer want the job.
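A way to do that confirmation before running the bootstrap command, as an added example rather than anything shipped with the skill: parse the LaunchAgent plist with plistlib and report what will execute, on what schedule, where it logs, whether every path it references exists, and whether the plist itself embeds a secret (an app password placed in EnvironmentVariables would sit in a plain file outside .env). The plist below is constructed for the demo; its label, program path, interval and the placeholder password are assumptions, not the skill's real values, and audit_launch_agent / disable_commands are assumed helper names.

```python
import os
import plistlib

SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "KEY")

# Constructed sample plist for the demo (not the skill's actual file).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.youtube.newsletter</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/python3</string>
    <string>/Users/me/youtube-to-ebook/run.py</string>
  </array>
  <key>StartInterval</key><integer>86400</integer>
  <key>StandardOutPath</key><string>/tmp/newsletter.log</string>
  <key>EnvironmentVariables</key>
  <dict><key>GMAIL_APP_PASSWORD</key><string>placeholder-not-a-real-secret</string></dict>
</dict>
</plist>
"""


def audit_launch_agent(data, path_exists=os.path.exists):
    """Summarise a LaunchAgent plist and list concerns to resolve before loading it.
    path_exists is injectable so the check can run on a machine other than the target."""
    d = plistlib.loads(data)
    program = list(d.get("ProgramArguments") or ([d["Program"]] if "Program" in d else []))
    schedule = d.get("StartInterval") or d.get("StartCalendarInterval")
    if schedule is None and d.get("RunAtLoad"):
        schedule = "RunAtLoad"
    logs = [p for p in (d.get("StandardOutPath"), d.get("StandardErrorPath")) if p]
    issues = []
    # Every absolute path in the command line should exist; a stale path means
    # the job fails silently on schedule or, worse, runs something unexpected.
    for arg in program:
        if arg.startswith("/") and not path_exists(arg):
            issues.append(f"path does not exist: {arg}")
    # Secrets belong in a private .env read by the program, not in the plist.
    for key in d.get("EnvironmentVariables", {}):
        if any(h in key.upper() for h in SECRET_HINTS):
            issues.append(f"secret-looking variable {key} is embedded in the plist")
    if not logs:
        issues.append("no StandardOutPath/StandardErrorPath; job output will be lost")
    if schedule is None:
        issues.append("no StartInterval/StartCalendarInterval/RunAtLoad; job never runs")
    return {"label": d.get("Label"), "program": program, "schedule": schedule,
            "logs": logs, "issues": issues}


def disable_commands(label, plist_path):
    """The commands that undo `launchctl bootstrap`: unload the job, then remove the file."""
    return [f"launchctl bootout gui/$(id -u)/{label}", f"rm {plist_path}"]
```

Run the audit against the real plist with the default path_exists and resolve every item in "issues" before copying the file into ~/Library/LaunchAgents.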

Findings (1)

critical

suspicious.exposed_secret_literal

Location
write_articles.py:15
Finding
File appears to expose a hardcoded API secret or token. Treat any such value as already disclosed: rotate it at the provider, move the replacement into the environment the way the other settings are already read, and purge the literal from the repository history.
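A small static check in the spirit of two of the findings above, the undeclared SUPADATA_API_KEY and this exposed-secret finding, written as an added example and not the scanner's or the skill's own code: it walks Python source with the ast module, collects every environment variable the code reads so the set can be compared with what the skill metadata declares, and flags string literals assigned to secret-looking names using a length and entropy heuristic. The source snippet and the declared-variable list are constructed for the demo; write_articles.py is named in the finding but its contents are not on the page, and scan, env_vars_read and hardcoded_secrets are assumed helper names.

```python
import ast
import math
import re

SECRET_NAME = re.compile(r"(API_KEY|SECRET|TOKEN|PASSWORD|PASSWD)", re.I)


def shannon_entropy(s):
    """Bits per character; random-looking keys score well above prose."""
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def env_vars_read(tree):
    """Names passed to os.getenv(...), os.environ.get(...) or os.environ[...]."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            f = node.func
            is_getenv = f.attr == "getenv" and isinstance(f.value, ast.Name) and f.value.id == "os"
            is_environ_get = (f.attr == "get" and isinstance(f.value, ast.Attribute)
                              and f.value.attr == "environ")
            if (is_getenv or is_environ_get) and node.args:
                arg = node.args[0]
                if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                    names.add(arg.value)
        elif isinstance(node, ast.Subscript) and isinstance(node.value, ast.Attribute) \
                and node.value.attr == "environ":
            sl = node.slice
            if type(sl).__name__ == "Index":  # Python < 3.9 wraps the slice
                sl = sl.value
            if isinstance(sl, ast.Constant) and isinstance(sl.value, str):
                names.add(sl.value)
    return names


def hardcoded_secrets(tree, min_len=16, min_entropy=3.0):
    """(lineno, name) for assignments of a long, high-entropy string literal to a
    secret-looking name. Heuristic: short placeholders such as "changeme" pass."""
    hits = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            continue
        value = node.value.value
        for target in node.targets:
            if isinstance(target, ast.Name) and SECRET_NAME.search(target.id) \
                    and len(value) >= min_len and shannon_entropy(value) >= min_entropy:
                hits.append((node.lineno, target.id))
    return hits


def scan(source, declared_env):
    """Compare what the code reads against what the metadata declares, and list literals."""
    tree = ast.parse(source)
    return {"undeclared_env": sorted(env_vars_read(tree) - set(declared_env)),
            "hardcoded": hardcoded_secrets(tree)}


# Constructed sample source for the demo; the key-like literal is a placeholder.
SAMPLE_SOURCE = '''import os
YOUTUBE_API_KEY = os.getenv("YOUTUBE_API_KEY")
SUPADATA_API_KEY = os.getenv("SUPADATA_API_KEY")
MODEL = "claude"
ANTHROPIC_API_KEY = "sk-ant-EXAMPLE0123456789abcdefXYZ"
'''
SAMPLE_DECLARED = ["YOUTUBE_API_KEY", "ANTHROPIC_API_KEY"]
```

Running scan on the constructed sample reports SUPADATA_API_KEY as read but undeclared and line 5 as a hardcoded secret, which is the shape of the two findings; on a real skill, feed it the metadata's declared variable list and every .py file in the package.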