Skill v1.0.1
ClawScan security
youtube-comments-api-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 12, 2026, 12:06 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, runtime instructions, and required environment variable (BROWSERACT_API_KEY) are consistent with its stated purpose of calling the BrowserAct YouTube Comments API and do not request unrelated credentials or install arbitrary software.
- Guidance
- This skill appears internally consistent, but it sends your search parameters to a third party (BrowserAct) and returns scraped YouTube data. Before installing or running: 1) Confirm you trust BrowserAct and its privacy/usage policy; do not share secrets beyond the required BROWSERACT_API_KEY. 2) Use an API key with minimal permissions and monitor or rotate the key if concerned. 3) Be aware the script prints scraped comment data to stdout (the agent will see it), so avoid fetching sensitive or private information. 4) If you operate in a constrained environment, review network egress rules to control data sent to api.browseract.com.
Review Dimensions
- Purpose & Capability
- ok: The skill is described as a BrowserAct-based YouTube comments extractor and it only requires Python and a BROWSERACT_API_KEY. The included script calls api.browseract.com and uses a template ID; these requirements are proportional and expected for the stated purpose.
- Instruction Scope
- ok: SKILL.md instructs the agent to check for BROWSERACT_API_KEY, request it from the user if missing, invoke the bundled Python script with search parameters, monitor stdout for status logs, and follow a limited retry logic. The instructions do not ask the agent to read unrelated files, access other environment variables, or transmit data to endpoints beyond BrowserAct.
- Install Mechanism
- ok: There is no install spec (instruction-only skill) and the only included code is a small Python script. No downloads from arbitrary URLs, package installs, or extraction steps are present.
- Credentials
- ok: Only one environment variable (BROWSERACT_API_KEY) is required and it directly matches the service the skill integrates with. No unrelated secrets, keys, or system config paths are requested.
- Persistence & Privilege
- ok: always is false and the skill does not request persistent system-level presence or modify other skills or agent-wide configuration. It uses normal autonomous invocation behavior but nothing overly privileged.
