YouTube SERP Scout (Rank + Discover)

Pass. Audited by ClawScan on May 1, 2026.

Overview

This appears to be a straightforward YouTube search helper that uses an AIsa API key and sends search queries to AIsa, with no destructive or persistent behavior shown.

This skill looks purpose-aligned for YouTube SERP research. Before installing, be comfortable providing an AIsa API key and sending your search topics or competitor terms to api.aisa.one. There is no evidence in the supplied artifacts of local data harvesting, persistence, credential leakage, or destructive actions.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone using the skill must provide an AIsa API key, which could allow API usage or charges if exposed.

Why it was flagged

The client requires an AIsa API key and uses it as a bearer token for API requests. This is expected for the stated service integration and no hardcoded or logged credential is shown.

Skill content

self.api_key = api_key or os.environ.get("AISA_API_KEY") ... "Authorization": f"Bearer {self.api_key}"

Recommendation

Use a dedicated, least-privileged API key if available, keep it in the environment rather than source files, and rotate it if it is accidentally exposed.

What this means

Search queries, competitor names, topics, country/language filters, and the API authorization are transmitted to AIsa.

Why it was flagged

The skill sends search requests to the external AIsa API. This is central to the skill's purpose, but it means search terms and filters leave the local environment.

Skill content

BASE_URL = "https://api.aisa.one/apis/v1" ... urllib.request.urlopen(req, timeout=60)

Recommendation

Avoid entering confidential business terms unless you are comfortable sharing them with the AIsa service and have reviewed the provider's data handling terms.

What this means

It may be harder to independently verify the publisher history or compare this artifact to an upstream project.

Why it was flagged

The registry metadata does not identify an upstream source repository or package origin. No suspicious install behavior is shown, but provenance is limited.

Skill content

Source: unknown

Recommendation

Install only if you trust the listed owner/provider and review the included script before use.