youtube-video-api-skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears to do what it says: it sends a YouTube channel URL to BrowserAct using your BrowserAct API key and prints the returned video metrics.

This skill looks coherent and purpose-aligned. Before installing, confirm you are comfortable using BrowserAct for the extraction task, provide only a BrowserAct API key, and stop the script manually if a remote task appears to run indefinitely.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

Anyone installing the skill should understand that it uses their BrowserAct account/API key to run the workflow.

Why it was flagged

The script reads a BrowserAct API key from the environment and uses it to authorize requests to BrowserAct. This is expected for the stated service integration, but it is still account credential use.

Skill content

api_key = os.getenv("BROWSERACT_API_KEY") ... headers = {"Authorization": f"Bearer {api_key}"}

Recommendation

Use a BrowserAct API key intended for this purpose, rotate it if exposed, and avoid sharing unrelated credentials with the agent.

ASI07: Insecure Inter-Agent Communication
Low
What this means

The YouTube channel URL and workflow request are processed by BrowserAct rather than only locally.

Why it was flagged

The script sends the requested YouTube channel URL, video type, and authorization header to BrowserAct's API. This external provider call is central to the skill's purpose and is disclosed.

Skill content

API_BASE_URL = "https://api.browseract.com/v2/workflow" ... requests.post(f"{API_BASE_URL}/run-task-by-template", json=payload, headers=headers)

Recommendation

Use the skill only for channel URLs and analysis tasks you are comfortable sending to BrowserAct.

ASI02: Tool Misuse and Exploitation
Info
What this means

If the remote task never reaches a final status, the command may keep running and polling until stopped.

Why it was flagged

The script continuously polls the remote task until BrowserAct reports a terminal status. This matches the documented long-running workflow behavior, but there is no explicit timeout in the script.

Skill content

while True: ... requests.get(f"{API_BASE_URL}/get-task-status?task_id={task_id}", headers=headers).json() ... time.sleep(10)

Recommendation

Monitor long runs and stop the command manually if it appears stuck beyond a reasonable time.