Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

YouTube Video Downloader

v1.0.4

Download YouTube videos by URL in various resolutions using a pay-per-use API with credit-based authentication and no charge on failed downloads. Use when us...

by lordest @jxyyjm
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description and SKILL.md consistently describe a pay-per-use API for downloading YouTube videos; the endpoints, request/response examples, and usage examples all align with that purpose. However, the package metadata declares no required credentials or homepage/source while the runtime instructions explicitly require an API key from a third‑party host (https://skill.lordest.cn), creating an omission/inconsistency between claimed metadata and actual operation.
Instruction Scope
The SKILL.md only instructs the agent to call a single external API (skill.lordest.cn) and shows curl/Python examples. It does not instruct reading local files, scanning system state, or contacting additional unexpected endpoints. The only data the skill needs from the user is an API key and the requested YouTube URL/resolution.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by the skill itself. That minimizes code-execution risk, but the skill routes network requests to an external service.
Credentials
Although metadata lists no required environment variables or primary credential, the SKILL.md explicitly requires an API key (format sk-yt-xxxxx) obtained from https://skill.lordest.cn. That API key requirement is not declared in the registry metadata — a mismatch that obscures the true credential needs. Requesting a user-provided API key is reasonable for a pay-per-use service, but you should verify who stores/uses that key, how OpenClaw will persist it, and whether the service's billing/privacy terms are acceptable.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide configuration changes. Autonomous model invocation is allowed by platform default, but there is no additional persistent privilege requested in the skill package itself.
What to consider before installing
This skill appears to be what it says (an API-backed YouTube downloader) but it has important gaps: the SKILL.md requires an API key from skill.lordest.cn but the registry metadata does not declare that credential or provide a homepage/source. Before installing, confirm: (1) who runs skill.lordest.cn and whether you trust that operator, (2) the service's privacy, billing, and retention policy for uploaded or processed videos and stored API keys, (3) how OpenClaw will store the API key (transient prompt vs persistent environment variable), and (4) whether you can review the service's source code or a trustworthy homepage. If you cannot verify those things, prefer alternatives that run locally (e.g., yt-dlp) or come from a verifiable vendor. If you proceed, avoid using high-privilege or reusable secrets and monitor billing/usage closely.

Like a lobster shell, security has layers — review code before you run it.
