Skillv1.0.2

ClawScan security

Youtube Notification Analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 24, 2026, 5:44 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions broadly match its stated goal (analyzing YouTube notifications and extracting subtitles), but there are several mismatches and omissions — most importantly it instructs the agent to execute real trades via another skill while declaring no credentials and it expects local binaries/models that are not declared — this incoherence is a security and safety concern.
Guidance: This skill is internally inconsistent in ways that matter for safety: it tells the agent to download videos and run a local speech model, and—most importantly—to execute trades via a separate skill, but it declares no binaries, install steps, or credentials. Before installing or enabling it: 1) Confirm how trading will be authorized — never give live brokerage credentials without explicit, auditable confirmation and least-privilege controls; prefer a sandbox/test account. 2) Ensure yt-dlp and whisper-cpp (and the model file) come from trusted sources and understand disk/CPU impact. 3) Require explicit human confirmation before any trade execution and audit/logging to a secure location (not world-readable /tmp). 4) Verify the tiger-trade skill (or any trading integration) separately — check what credentials it needs and how it transmits orders. 5) If you don’t want automated trades, disallow autonomous invocation for this skill or remove the trade-execution steps from its instructions. If you want a lower-risk test, run the skill in a restricted environment with no trading credentials and monitor file/network activity.

Review Dimensions

Purpose & Capability: concernThe name/description (YouTube notification analysis for investment insights) is plausible, but the SKILL.md calls for capabilities that are not declared: it expects yt-dlp and whisper-cpp binaries and a 'tiger-trade' skill to execute trades. The registry metadata lists no required binaries, env vars, or primary credential, which is inconsistent with a skill that will download videos, run local speech models, and place trades.
Instruction Scope: concernRuntime instructions tell the agent to open YouTube in a browser, click a specific notification element, extract video IDs from snapshots, download videos and subtitles, run a local speech model (whisper-cpp) and then 'execute trades' using tiger-trade. The trade-execution step is out-of-band for a passive analysis skill and grants broad operational authority (network calls, account operations) without describing constraints or confirmations. Instructions also write logs to /tmp and reference local model paths (whisper-cpp/models/ggml-base.bin) not provided.
Install Mechanism: concernThere is no install spec (instruction-only), which by itself is low risk, but the instructions assume presence of external tooling (yt-dlp, whisper-cpp binary and model files). Those are not declared as required and no safe install source is provided; the skill's workflow expects large model files and binaries that would need to be fetched/installed by the agent or operator — the absence of a vetted install mechanism is a gap.
Credentials: concernThe skill intends to execute trades but declares no required environment variables or credentials (API keys, broker account tokens). Placing trades requires sensitive credentials and auditing/confirmation. The SKILL.md does not explain where trading credentials come from, how trades are authorized, or what permissions tiger-trade needs. This is disproportionate and risky for a user-facing skill that can act on financial accounts.
Persistence & Privilege: notealways:false (good). The skill is allowed to be invoked autonomously by default (platform normal). Combined with the instruction to execute trades, autonomous invocation increases potential harm if the agent is permitted to call tiger-trade without human confirmation. The skill does not request persistent system-wide changes, but it does write logs to /tmp (temporary) and expects local models — both require local storage and could leak sensitive context if not managed.