Edison Youtube Full
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a purpose-aligned YouTube API helper, but the submitted artifact contains only instructions: it references scripts that are missing from the package and asks for a YouTube credential that is not declared in metadata.
This appears benign for a YouTube data/transcript workflow, but it is incomplete as submitted. Before installing or using it, confirm the missing scripts and requirements come from the same trusted package, use a restricted YouTube API key, and monitor API quota usage.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may not work as published, and any scripts obtained from elsewhere would need to be verified separately before running.
The skill references helper scripts and a requirements file, but the supplied manifest contains only SKILL.md. This is a provenance and completeness gap rather than evidence of malicious behavior.
pip install -r scripts/requirements.txt ... scripts/search_videos.py ... scripts/get_transcript.py
Only run helper scripts and install requirements if they are included from a trusted source and match the documented behavior.
A user may provide a Google/YouTube credential that can consume API quota or expose access if mishandled.
The skill asks for a YouTube API key and mentions OAuth token handling, while the registry metadata declares no credential or required environment variable. This credential use is expected for YouTube API access but should be visible to users.
export YOUTUBE_API_KEY="YOUR_KEY" ... or use the `--api-key` parameter when running the script ... `HttpAccessTokenRefreshError` | Use OAuth token
Use a restricted YouTube Data API key where possible, avoid broad OAuth scopes unless needed, and do not paste credentials into untrusted logs or shared transcripts.
