Content Creator Skill
v0.2.0Track YouTube creators and analyze video content. Paste a YouTube link to get an AI-powered breakdown (summary, key points, why it matters), then optionally...
⭐ 0· 90·0 current·0 all-time
byLee Lin@glin23
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the included code and manifest. The skill normalizes YouTube inputs, fetches transcripts/uploads, summarizes video metadata, and persists a local watchlist — all expected for a YouTube creator tracking/analysis tool. No unrelated cloud credentials or unrelated binaries are requested.
Instruction Scope
SKILL.md describes runtime actions (analyze_video, add_follow, check/notify updates) that map to the code. The instructions limit automated follows (require user confirmation) and document the fallback scraping path when no API key is present. The runtime does read/write the local watchlist JSON and may call host-provided delivery adapters to send notifications; both are within the described scope.
Install Mechanism
No install spec and no external archive downloads are used. Code is included in the package (node runtime) and package.json is minimal. There are no downloads from personal servers or URL shorteners. This is a normal packaged skill.
Credentials
The skill does not require any env vars but supports an optional YouTube Data API key. The code checks context.config.youtube_api_key and falls back to process.env.YOUTUBE_API_KEY; manifest lists config.youtube_api_key as an optional config. This is proportionate for the functionality, but note the code will read process.env.YOUTUBE_API_KEY (not declared as a required env var) if provided.
Persistence & Privilege
The skill persists a local JSON watchlist (default ./data/watchlist.json or a user-configured path). It does not request global 'always' inclusion, nor does it modify other skills' configs. Persisting to a user-configurable path is expected, but verify watchlist_path to avoid overwriting sensitive files.
Assessment
This skill appears to do what it says: analyze YouTube videos, manage a local watchlist, and optionally send notifications through whatever delivery adapter the host runtime provides. Before installing, consider the following:
- Watchlist persistence: it writes a local JSON file (default ./data/watchlist.json or a path you set). Ensure watchlist_path is not pointed at any sensitive system file.
- Optional API key: providing a YouTube Data API key (config.youtube_api_key or YOUTUBE_API_KEY env var) enables the official API path; if you don’t provide it the skill will scrape public YouTube pages/feeds which is more brittle but expected.
- Notifications: the skill will call host-provided delivery methods (context.deliver, context.notify, channel.send, etc.) to push updates. Review what delivery adapters your OpenClaw runtime exposes so you know where notifications may be sent.
- No external installers or obscure network endpoints are present in the package — only youtube/google endpoints and the host runtime delivery interfaces are used.
If you want higher assurance before installing: review the omitted truncated functions (public-source resolver) to confirm only YouTube/Google endpoints are contacted, and decide if you are comfortable with a local watchlist file being created/updated by the skill.src/youtube-api.js:20
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.Like a lobster shell, security has layers — review code before you run it.
creatorvk97baxzdnka9m3sxsd6mvj65ch83agm4latestvk97fxbrh2wmnzbmfqerwt19kks83a5h1notificationsvk97baxzdnka9m3sxsd6mvj65ch83agm4watchlistvk97baxzdnka9m3sxsd6mvj65ch83agm4youtubevk97baxzdnka9m3sxsd6mvj65ch83agm4
License
MIT-0
Free to use, modify, and redistribute. No attribution required.