AI Hookbot
ReviewAudited by ClawScan on May 10, 2026.
Overview
The video-making purpose is clear, but the skill depends on running an external, unreviewed pipeline script that is not bundled or pinned, optionally with a YouTube API key.
Before installing, make sure you have a trustworthy source for the Hookbot pipeline scripts and review them before execution. Pin any external repo to a known commit, keep CTA/output directories scoped, use a restricted YouTube API key only if needed, and do not share unsanitized error logs that may contain paths or secret values.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill does not provide the reviewed pipeline itself; running it may execute whatever code is present in the configured scripts directory.
The skill’s main behavior depends on external scripts from a placeholder/unpinned repository and then executes pipeline.py; that code is not included in the provided artifacts.
git clone https://github.com/YOUR_REPO/hookbot-scripts ~/hookbot ... cd "$SCRIPTS_DIR" && ... python3 pipeline.py "<creator_url>" "<cta_video>"
Only use a trusted, reviewed pipeline repository; pin it to a known commit; inspect pipeline.py before running; and prefer packaging the reviewed pipeline with the skill or declaring a precise dependency.
A misbehaving or verbose pipeline could expose local paths or secret values in the chat/debug output, especially if errors are relayed verbatim.
The optional YouTube API key is expected for viral sorting, but it is passed into the external pipeline and the error-reporting instructions conflict with earlier guidance to strip env var values.
YOUTUBE_API_KEY="${YOUTUBE_API_KEY:-}" ... If the pipeline errors, relay the error output to the user verbatimUse a restricted YouTube API key, avoid storing secrets in broadly sourced shell files, and redact environment values and sensitive paths from any pipeline error output.