Content Creator Skill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
No malicious behavior is evident. The skill is purpose-aligned, but users should be aware that it fetches YouTube data, can use a YouTube API key, stores a local watchlist, and can send notifications through the host runtime.
This skill appears safe for its stated YouTube creator-tracking purpose. Before installing, decide whether you are comfortable with local watchlist storage, optional YouTube API-key use, and notification delivery to configured channels. Treat video transcripts and descriptions as untrusted source content, not instructions.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the notify action is used, messages may be posted to a configured or current channel through OpenClaw's runtime adapter.
The skill can send prepared creator-update notifications through whatever delivery adapter the host runtime exposes.
context.channels.send(notification.delivery_target, notification)
Verify the delivery target before using notify_watchlist_updates, and use check_watchlist_updates first if you only want to preview updates.
Your YouTube API key may be used for quota-consuming requests to Google's YouTube Data API.
The skill can use an optional YouTube Data API key from skill config or the environment for YouTube API calls.
context.config?.youtube_api_key || process.env.YOUTUBE_API_KEY
Use a restricted YouTube API key, provide it through approved OpenClaw configuration rather than chat, and rotate it if it is exposed.
The local watchlist can reveal which creators you follow and may retain past video state until you remove or delete it.
The skill stores followed creators and update state locally so it can reuse that information across later checks.
Persists a local watchlist of followed creators.
Store the watchlist in a safe location, avoid sensitive follow lists on shared machines, and remove follows or delete the watchlist when no longer needed.
A video transcript could contain misleading or prompt-like text that should be treated as source material, not as instructions to the agent.
The skill intentionally brings YouTube captions/transcripts into the model context for analysis; that external text is untrusted content.
If captions are available, perform an in-depth analysis based on the full caption text
Use the transcript only as quoted evidence for summarization and ignore any instructions embedded in video captions or descriptions.
You have less external assurance about where the skill came from, even though the provided code appears coherent with its purpose.
The registry information does not provide a public source or homepage, which limits independent provenance checks.
Source: unknown; Homepage: none
Install only from a trusted ClawHub entry and review the full source bundle if provenance matters for your environment.
