Back to skill
Skillv2.0.1
ClawScan security
Youtube Script · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 18, 2026, 10:54 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requirements are consistent with a local YouTube script/SEO utility that stores usage logs under the user's home directory — nothing in the bundle requests unrelated credentials, network access, or elevated privileges.
- Guidance
- This skill appears to be what it says: a local content-writing toolkit that stores entries and activity logs in ~/.local/share/youtube-script. Before installing or running it, review the script (provided) and be aware that anything you pass to commands (draft, edit, translate, etc.) will be written to local log files — avoid entering secrets or private data. The export feature writes aggregated files and does not escape JSON values robustly (may produce malformed JSON if you include quotes/newlines), so verify exports before sharing. If you want an extra safety step, run the script in a restricted user account or container and inspect the generated files to confirm behavior.
Review Dimensions
- Purpose & Capability
- okName/description (YouTube script writer, headlines, hooks, scheduling, export) match the provided shell tool and SKILL.md. No extraneous cloud credentials, binaries, or capabilities are requested.
- Instruction Scope
- okSKILL.md and the script limit operations to drafting, editing, optimizing, searching, exporting, and scheduling content; all file I/O is confined to ~/.local/share/youtube-script and standard Unix utilities are used. There are no instructions to read unrelated system files or transmit data externally.
- Install Mechanism
- okNo install spec is provided (instruction-only with an included script). That is the lowest-risk install model and the included Bash script is readable, not obfuscated, and does not download or execute remote code.
- Credentials
- okThe skill requests no environment variables or credentials. It does use HOME implicitly to build a data directory, which is expected for a local CLI tool.
- Persistence & Privilege
- noteThe tool persists data under ~/.local/share/youtube-script (logs, exports). This is appropriate for a content-tracking tool, but it is persistent on the user's filesystem — not privileged, but worth noting for privacy.