Youtube
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent YouTube research skill, but users should notice that it uses a YouTube API key and third-party MCP/yt-dlp tooling.
Before installing, make sure you trust the youtube-mcp-server package or repository, restrict your YouTube API key to YouTube Data API v3, and avoid treating the documentation’s safety claims as a substitute for reviewing the external tool.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may use a quota-bearing Google API key to make YouTube API requests.
The skill expects a YouTube/Google API key for its stated YouTube Data API functionality.
"primaryEnv":"YOUTUBE_API_KEY"
Use a restricted API key limited to YouTube Data API v3, as the skill itself recommends, and avoid placing the key in shared files.

Installing or running the external MCP package gives that package local code execution and access to the configured YouTube API key.
The documented primary method depends on a third-party npm package that is not pinned to a version in the provided artifacts.
npm install -g zubeid-youtube-mcp-server
Install from a trusted source, pin or verify the package/version where possible, and review the MCP server repository before use.

Search terms, video IDs, transcript requests, and the API key may be processed by the local MCP server.
The skill routes YouTube operations through a local MCP server process, creating a tool boundary where requests and credentials may be handled by external code.
mcporter call --stdio "node /tmp/youtube-mcp-server/dist/cli.js"
Use only a trusted MCP server build and keep the API key restricted and separate from unrelated tools.

Users might rely on the security assurance without independently checking the third-party MCP server they are asked to install.
The documentation makes broad safety and review claims about external code, while the provided skill artifacts do not include that external code.
The YouTube API key is safe to use with this MCP server: ... No third-party servers involved ... Code reviewed (no data exfiltration)
Treat the statement as guidance, not proof; verify the package/source yourself and keep the API key restricted.
