YouTube Channel Videos API
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill appears to call the advertised JustOneAPI YouTube endpoint, but it passes the API token on the command line where it may be exposed locally.
Review this skill before installing. It appears focused on the advertised YouTube channel videos API call, but the token should not be passed with --token on the command line. Prefer a version that reads the token directly from the environment and ensure command invocations are not logged with expanded secrets.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone or something with access to local process details or command logs could potentially see and reuse the JustOneAPI token.
This expands the API token into the helper process's command-line arguments. The token is purpose-aligned, but argv-based credential passing can expose it to local process inspection or logs.
node {baseDir}/bin/run.mjs --operation "getChannelVideosV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"channelId":"<channelId>"}'Change the helper to read JUST_ONE_API_TOKEN directly from the environment or stdin instead of accepting it as a command-line argument, and avoid logging full command invocations.