Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Keyapi Youtube Video Analysis
v1.0.0
Analyze YouTube videos at depth — retrieve full metadata, comments, sub-comment threads, stream formats, related video recommendations, Shorts, search result...
by @lycici
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill claims to call KeyAPI's MCP YouTube tools and the included files implement a generic MCP tool runner that targets https://mcp.keyapi.ai. Required runtime (node) and required env var (KEYAPI_TOKEN) are exactly what you'd expect for a hosted API client.
Instruction Scope
SKILL.md instructs the agent to call the KeyAPI MCP server, inspect tool schemas, and cache responses locally. The instructions do not ask the agent to read unrelated system files or other credentials. The runner will read/write a .env file and create a local cache directory; these are documented and scoped to the skill directory.
Install Mechanism
There is no custom install script in the registry metadata (instruction-only), but package.json declares a dependency on @modelcontextprotocol/sdk and SKILL.md tells the user to run npm install. Pulling dependencies from npm is normal but carries the usual third-party package risk; there are no opaque downloads or URL-shortener installs in the bundle.
Credentials
Only KEYAPI_TOKEN is required and is the declared primary credential; that directly maps to calls to the KeyAPI MCP server. The runner will load a .env file and offers to persist an entered token to .env — this local persistence is logical for convenience but should be noted by the user.
Persistence & Privilege
The skill writes a local cache (.keyapi-cache) and can write a .env file with the KEYAPI_TOKEN in the skill directory. It does not request permanent platform-level privileges (always: false) and does not modify other skills or system-wide settings. Users should be aware the token may be stored on disk in plain text under the skill folder.
Assessment
This package appears coherent with its description, but before installing: (1) confirm the KEYAPI_TOKEN you provide is from a trusted KeyAPI account and understand its scope/limits; (2) note that the runner will create a .env file and a .keyapi-cache directory in the skill folder (the token is written in plain text if you choose to persist it); (3) npm install will fetch @modelcontextprotocol/sdk from the public registry — review that dependency if you have policy constraints; (4) network calls go to https://mcp.keyapi.ai by default — ensure you trust that service for the data you will send/receive. If you need higher assurance, inspect the full run.js (already included) and run the tool in an isolated environment before providing sensitive tokens.
scripts/run.js:52
Environment variable access combined with network send.
scripts/run.js:37
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latest: vk9775zc19cq6zzhg0y137y782s84cdqk
Runtime requirements
🎬 Clawdis
Bins: node
Env: KEYAPI_TOKEN
Primary env: KEYAPI_TOKEN
