ClawHub
Back to skill
v1.0.1

YouTube SERP Scout (Rank + Discover)

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:32 AM.

Analysis

This appears to be a straightforward YouTube search helper that uses an AIsa API key and sends search queries to AIsa, with no destructive or persistent behavior shown.

GuidanceThis skill looks purpose-aligned for YouTube SERP research. Before installing, be comfortable providing an AIsa API key and sending your search topics or competitor terms to api.aisa.one. There is no evidence in the supplied artifacts of local data harvesting, persistence, credential leakage, or destructive actions.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
metadata
Source: unknown

The registry metadata does not identify an upstream source repository or package origin. No suspicious install behavior is shown, but provenance is limited.

User impactIt may be harder to independently verify the publisher history or compare this artifact to an upstream project.
RecommendationInstall only if you trust the listed owner/provider and review the included script before use.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
scripts/youtube_client.py
self.api_key = api_key or os.environ.get("AISA_API_KEY") ... "Authorization": f"Bearer {self.api_key}"

The client requires an AIsa API key and uses it as a bearer token for API requests. This is expected for the stated service integration and no hardcoded or logged credential is shown.

User impactAnyone using the skill must provide an AIsa API key, which could allow API usage or charges if exposed.
RecommendationUse a dedicated, least-privileged API key if available, keep it in the environment rather than source files, and rotate it if it is accidentally exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
scripts/youtube_client.py
BASE_URL = "https://api.aisa.one/apis/v1" ... urllib.request.urlopen(req, timeout=60)

The skill sends search requests to the external AIsa API. This is central to the skill's purpose, but it means search terms and filters leave the local environment.

User impactSearch queries, competitor names, topics, country/language filters, and the API authorization are transmitted to AIsa.
RecommendationAvoid entering confidential business terms unless you are comfortable sharing them with the AIsa service and have reviewed the provider's data handling terms.