youtube copy of yt

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: fetch YouTube transcripts through Apify, with clear user-directed operation and no hidden persistence or unrelated data access.

Install this only if you are comfortable using Apify to process the YouTube URLs you request, using residential proxies for transcript retrieval, and accepting any Apify billing, logging, privacy, and YouTube terms implications. Use a dedicated revocable Apify token and avoid submitting private or sensitive video URLs unless third-party processing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium (94% confidence)
Finding
The README explicitly markets bypassing YouTube bot detection from cloud IPs via proxy infrastructure. Even though the stated use is transcript fetching, advertising anti-detection/evasion capability materially expands the skill from ordinary API usage into behavior designed to circumvent platform restrictions, which can facilitate abuse and violate platform terms.

Missing User Warnings

Medium (89% confidence)
Finding
The README instructs users to send transcript-fetching requests through Apify but does not clearly disclose that video URLs, request metadata, and usage details are transmitted to a third-party service. This omission can mislead users about data flow and trust boundaries, especially in environments with privacy, compliance, or customer-data restrictions.

Missing User Warnings

Medium (97% confidence)
Finding
The skill explicitly states that requests are routed through Apify using residential proxies to bypass YouTube bot detection, but it does not provide a clear user warning about third-party data handling, proxying, and associated legal/privacy implications. This omission can mislead users into sending video URLs and potentially sensitive usage patterns to an external service under circumstances designed to evade platform controls.

VirusTotal

56/56 vendors flagged this skill as clean.
