YouTube Video Downloader
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is coherent for downloading YouTube media, but it relies on a third-party paid API key and sends requested video URLs to an external service.
This appears safe to install if you intentionally want to use this third-party downloader service. Before adding credits or entering an API key, make sure you trust the provider, understand any costs, and avoid submitting private or sensitive video URLs.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the key is misused or entered into the wrong place, someone could use the associated downloader account or spend its credits.
The skill requires a bearer API key for a credit-based service. This is purpose-aligned, but the key represents account authority and may allow successful downloads to consume credits.
OpenClaw will ask you for an **API Key** ... All API calls require an API Key in the Authorization header: `Authorization: Bearer sk-yt-xxxxx`
Use a dedicated API key with limited funds if possible, store it only through trusted credential handling, and rotate or revoke it if exposed.
The external service can see the YouTube URLs you ask it to process and may host the generated media link.
The requested YouTube URL and resolution are sent to an external provider, which then returns a download URL. This is expected for the service, but it is a third-party data flow.
curl -X POST https://skill.lordest.cn/api/v1/download ... -d '{"youtube_url": "https://youtube.com/watch?v=dQw4w9WgXcQ", "resolution": "720"}'Avoid using the skill for private or sensitive video URLs unless you trust the provider and understand its retention and sharing practices.