youtube-channel-api-skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears to do what it claims—call BrowserAct with a user-provided API key to fetch public YouTube channel data—with no evidence of hidden exfiltration or destructive behavior, though users should notice the third-party API use and minor operational issues.

This skill is reasonable to install if you intend to use BrowserAct for YouTube channel research. Before using it, make sure you trust BrowserAct with your search terms, set the API key securely as an environment variable, monitor API usage/quota, and be aware that the script may keep polling until manually stopped if a task gets stuck.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If installed and used, the agent may ask for or use a BrowserAct API key to run workflow tasks.

Why it was flagged

The skill requires a BrowserAct API key. That is expected for the stated service, but it is still a credential that grants access to the user's BrowserAct account/API quota.

Skill content

Before running, you must first check the `BROWSERACT_API_KEY` environment variable. If it is not set... request and wait for the user to provide it.

Recommendation

Prefer setting the key as an environment variable rather than pasting it into chat, and monitor or rotate the key if it may have been exposed.

What this means

BrowserAct will receive the keywords or business research terms used for YouTube channel searches.

Why it was flagged

The script sends the user's search terms and upload-date filter to the BrowserAct workflow API. This is disclosed and central to the skill, but it is a third-party data flow.

Skill content

API_BASE_URL = "https://api.browseract.com/v2/workflow" ... {"name": "KeyWords", "value": keywords}, {"name": "Upload_date", "value": upload_date}

Recommendation

Avoid entering confidential or sensitive search terms unless you are comfortable sharing them with BrowserAct under its terms and privacy practices.

What this means

A failed or stuck BrowserAct task could leave the agent waiting and polling until interrupted.

Why it was flagged

The task-status loop has no maximum timeout; if the provider never returns a terminal state, the foreground command can keep polling indefinitely.

Skill content

while True: ... requests.get(f"{API_BASE_URL}/get-task-status?task_id={task_id}", headers=headers).json() ... time.sleep(10)

Recommendation

Run with user-visible terminal output and stop the process manually if it appears stuck; a future version should add a maximum wait time.

What this means

Automatic requirement checks may fail or may not verify the actual Python runtime needed to run the script.

Why it was flagged

The declared required binary appears to misspell `python`, while the documented command uses `python`. This is a setup/provenance quality issue, not evidence of malicious behavior.

Skill content

requires":{"bins":["pyhon"],"env":["BROWSERACT_API_KEY"]} ... python -u ./scripts/youtube_channel_api.py "Search Keywords" "Upload date"

Recommendation

Confirm Python is installed and correct the requirement metadata before relying on automated installation or preflight checks.