Youtube Video Ideas

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed pay-per-use YouTube idea generator, but users should notice that normal runs contact SkillPay and can trigger a small charge.

Install only if you accept the 0.002 USDT pay-per-use model and trust SkillPay plus your local OpenClaw/Sloan setup. Use --test when evaluating it, avoid setting SKILLPAY_MERCHANT_KEY unless you intend this skill to use it, and consider regenerating dependencies from an HTTPS npm registry in stricter environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill references environment variables with security-sensitive purposes, including a merchant key and gateway token, but the manifest does not declare corresponding permissions or clearly bound how those secrets are accessed. This creates a transparency and least-privilege problem: operators may expose credentials to a skill whose declared capability surface does not mention secret access.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The skill is presented primarily as a YouTube idea generator, but the manifest also introduces payment processing and billing-related behavior via an external provider and merchant credentials. That mismatch is dangerous because users and platforms may invoke or trust the skill for benign content generation without realizing it can initiate monetization flows and handle billing secrets.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The skill charges an external billing API even though the advertised functionality is only YouTube idea generation. This creates an undisclosed financial side effect, and the charge occurs automatically unless the user knows to pass --test, which is risky for a narrow content-generation tool.

Context-Inappropriate Capability

Medium
Confidence: 84%
Finding
The skill invokes an external executable (openclaw) to fulfill its core function, which expands trust boundaries beyond the stated skill purpose. If that binary is replaced, malicious, or behaves unexpectedly, user input is sent to an uncontrolled subprocess and the skill may execute unreviewed functionality.

Missing User Warnings

Medium
Confidence: 95%
Finding
The README states that payment is handled automatically via an embedded merchant key and notes a pay-per-use charge, but it does not give a prominent warning that normal execution may trigger real charges. This creates a meaningful risk of unintended paid actions by users who install or test the skill expecting ordinary local behavior, especially because the CLI examples do not repeat the billing warning.

Missing User Warnings

Medium
Confidence: 99%
Finding
A hardcoded fallback merchant key is embedded directly in source code, exposing a credential to anyone with code access and encouraging unsafe secret management. Such keys can be reused, abused for unauthorized billing activity, or leak through logs, repositories, and package distributions.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill sends payment data to an external billing endpoint before any explicit user-facing warning or confirmation at execution time. In context, this is especially problematic because the tool presents itself as a simple idea generator, so users may not expect financial transactions to occur automatically.

Natural-Language Policy Violations

Medium
Confidence: 95%
Finding
The lockfile hard-pins all package downloads to a specific third-party regional mirror over plain HTTP rather than the default trusted npm registry. This creates a supply-chain risk because dependency tarballs can be modified in transit or served from a compromised mirror, and users of the skill have no choice or visibility into that trust decision beyond the lockfile.

VirusTotal

65/65 vendors flagged this skill as clean.
