YouTube Video Details API
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is a focused YouTube details API wrapper, but it passes the JustOneAPI token on the command line, which can expose the credential locally.
This skill appears to do what it claims: call one JustOneAPI YouTube video-details endpoint. Review the credential handling before installing: use a limited, revocable token, run it only in a trusted local environment, and consider changing the helper so it reads JUST_ONE_API_TOKEN directly rather than placing the token in the command line.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your JustOneAPI token could be exposed on the local machine while the command is running, potentially allowing someone with local access to use your API account.
The documented invocation expands the API token into a command-line argument. Command-line arguments can be visible to other local processes, shell tooling, or logs, so this is weaker credential handling than reading the token directly from the environment or stdin.
node {baseDir}/bin/run.mjs --operation "getYoutubeVideoDetailV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"videoId":"<videoId>"}'Only run this on a trusted machine, use a scoped and revocable JustOneAPI token if available, and prefer updating the helper to read JUST_ONE_API_TOKEN directly from the environment instead of passing it with --token.