Keyapi Youtube Channel Analysis

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real KeyAPI YouTube analysis skill, but its bundled runner is broader than the YouTube-only purpose and persists tokens/results locally in ways users should review first.

Install only if you trust KeyAPI with your API token and YouTube research queries. Use explicit --platform youtube commands, avoid arbitrary tool names unless you intentionally want broader KeyAPI MCP access, prefer setting KEYAPI_TOKEN through your environment or secret manager instead of interactive .env storage, and use --no-cache or delete .keyapi-cache for sensitive lookups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The skill claims a narrow YouTube-channel-analysis purpose, but the described runner behavior can enumerate tools, inspect schemas, target multiple platforms, cache arbitrary responses locally, and potentially invoke broader functionality than the description suggests. That mismatch weakens user consent and increases the chance that operators expose data to unintended APIs or invoke capabilities outside the expected scope.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The runner is materially broader than the stated YouTube-channel-analysis skill: it accepts an arbitrary platform and builds the server URL from user input, enabling access to non-YouTube MCP namespaces. This creates a scope-expansion problem where an agent or user may invoke capabilities unrelated to the declared skill, defeating least-privilege expectations and increasing the chance of misuse or unexpected data access.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script is a generic MCP runner that will call any server-exposed tool name supplied via --tool, rather than only the YouTube channel discovery/profile/search tools described in the manifest. In an agent setting, this mismatch can allow invocation of unintended high-risk operations on the remote MCP server, turning a narrowly described skill into a general remote capability broker.

Context-Inappropriate Capability

Low
Confidence
89% confidence
Finding
The code interactively captures a KEYAPI token and persists it to a local .env file, which goes beyond pure YouTube analysis and introduces credential-handling behavior into the skill. While not inherently malicious, storing secrets on disk without explicit consent or secure storage controls increases the chance of accidental disclosure through filesystem exposure, backups, or repository commits.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill omits an explicit privacy warning that user-supplied channel URLs, search queries, and the bearer-token-authenticated request are sent to a third-party service and that returned data may be cached locally. This is dangerous because users may unknowingly transmit sensitive research targets or leave retained artifacts on disk that other local users or processes can access.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script writes the sensitive API token directly to a .env file and logs that future runs will load it automatically, but it does not present a strong warning about credential persistence, secure handling, or the risk of committing the file. In shared development environments or agent workspaces, this can lead to credential leakage and unauthorized reuse of the API token.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
Execute tool calls and persist responses to the local cache.

**Calling a tool:**

```bash
node scripts/run.js --platform youtube --tool <tool_name> \
```
Confidence
88% confidence
Finding
tool:*

VirusTotal

64/64 vendors flagged this skill as clean.
