Keyapi Youtube Channel Analysis

Pass

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a legitimate KeyAPI YouTube analysis skill, but it uses an API token, an external MCP service, local caching, and a generic runner that users should configure carefully.

This skill looks purpose-aligned for YouTube channel analysis. Before installing, make sure you trust KeyAPI, protect your KEYAPI_TOKEN, use --platform youtube explicitly, and clear or disable the local cache for sensitive lookups.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who can read that local .env file may be able to use the user's KeyAPI token.

Why it was flagged

If the token is entered interactively, the runner saves it in a plaintext .env file in the skill directory for future runs.

Skill content

writeFileSync(envPath, `KEYAPI_TOKEN=${token}\n`, "utf8");

Recommendation

Prefer setting KEYAPI_TOKEN through a secure environment manager where possible, restrict permissions on the skill directory, and rotate the token if the .env file is shared or exposed.

What this means

KeyAPI will receive the API token and the channel/search parameters sent through the skill.

Why it was flagged

The skill sends authenticated MCP requests to KeyAPI's external YouTube MCP server, which is expected for this integration but is still a third-party data flow.

Skill content

Server URL : https://mcp.keyapi.ai/youtube/mcp
Auth Header: Authorization: Bearer $KEYAPI_TOKEN

Recommendation

Install only if you trust KeyAPI for this analysis workflow, and avoid sending confidential research terms or private data as tool parameters.

What this means

Cached channel searches and results may remain on disk and could be read by local users or reused later when stale.

Why it was flagged

The runner caches retrieved API results locally by default, creating persistent local copies of queries/results.

Skill content

--cache-dir <path>  Cache directory  (default: .keyapi-cache)

Recommendation

Use --no-cache for sensitive lookups, periodically delete .keyapi-cache, and avoid sharing the cache directory.

What this means

A mistaken invocation could call the wrong platform or a broader KeyAPI tool than the user intended, potentially consuming quota or producing unexpected results.

Why it was flagged

The included helper can call arbitrary named KeyAPI MCP tools and defaults to a non-YouTube platform, even though the skill purpose is YouTube channel analysis.

Skill content

--tool <name>       MCP tool name to call  (required for tool calls)
--platform <name>   Platform to target  (default: tiktok)

Recommendation

Use explicit commands such as --platform youtube with the documented YouTube tools, and review tool parameters before running broad or all-pages requests.

What this means

This is normal for many Node tools, but dependency updates can change runtime behavior over time.

Why it was flagged

The setup relies on an npm package version range, so installation may resolve to newer compatible package versions rather than an exact pinned dependency.

Skill content

"dependencies": {
  "@modelcontextprotocol/sdk": "^1.10.2"
}

Recommendation

Review the dependency before installing, consider using a lockfile or pinned version in controlled environments, and install from a trusted package registry.