Skill v1.0.0

ClawScan security

Keyapi Youtube Video Analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 7, 2026, 2:59 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, runtime instructions, and requested environment variable (KEYAPI_TOKEN) align with its stated purpose of calling the KeyAPI MCP YouTube tools; nothing in the bundle appears disproportionate or intentionally misleading.
Guidance
This package appears coherent with its description, but before installing: (1) confirm the KEYAPI_TOKEN you provide is from a trusted KeyAPI account and understand its scope/limits; (2) note that the runner will create a .env file and a .keyapi-cache directory in the skill folder (the token is written in plain text if you choose to persist it); (3) npm install will fetch @modelcontextprotocol/sdk from the public registry — review that dependency if you have policy constraints; (4) network calls go to https://mcp.keyapi.ai by default — ensure you trust that service for the data you will send/receive. If you need higher assurance, inspect the full run.js (already included) and run the tool in an isolated environment before providing sensitive tokens.

Review Dimensions

Purpose & Capability
ok
The skill claims to call KeyAPI's MCP YouTube tools and the included files implement a generic MCP tool runner that targets https://mcp.keyapi.ai. Required runtime (node) and required env var (KEYAPI_TOKEN) are exactly what you'd expect for a hosted API client.
Instruction Scope
ok
SKILL.md instructs the agent to call the KeyAPI MCP server, inspect tool schemas, and cache responses locally. The instructions do not ask the agent to read unrelated system files or other credentials. The runner will read/write a .env file and create a local cache directory; these are documented and scoped to the skill directory.
Install Mechanism
note
There is no custom install script in the registry metadata (instruction-only), but package.json declares a dependency on @modelcontextprotocol/sdk and SKILL.md tells the user to run npm install. Pulling dependencies from npm is normal but carries the usual third-party package risk; there are no opaque downloads or URL-shortener installs in the bundle.
Credentials
ok
Only KEYAPI_TOKEN is required and is the declared primary credential; that directly maps to calls to the KeyAPI MCP server. The runner will load a .env file and offers to persist an entered token to .env — this local persistence is logical for convenience but should be noted by the user.
Persistence & Privilege
note
The skill writes a local cache (.keyapi-cache) and can write a .env file with the KEYAPI_TOKEN in the skill directory. It does not request permanent platform-level privileges (always: false) and does not modify other skills or system-wide settings. Users should be aware the token may be stored on disk in plain text under the skill folder.