ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

YouTube-Hook

v1.0.0

Generate high-performing YouTube video scripts, titles, thumbnails, descriptions, and chapter markers from any topic or content

0· 547·0 current·0 all-time
byMarkus Mikely@markusmikely
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill is a YouTube content generator and includes three small scripts: hook_generator and title_optimizer (local, no network), and trend_analyzer which clearly documents use of the Tavily API. Requiring TAVILY_API_KEY is appropriate and proportional to the stated trend-analysis capability.
Instruction Scope
SKILL.md instructs the agent to generate titles, thumbnails, scripts, chapters, etc. It does not direct reading of unrelated local files, other environment variables, or exfiltration to arbitrary endpoints beyond Tavily. The runtime steps are scoped to content-generation tasks.
Install Mechanism
No install spec / remote downloads are present (instruction-only with bundled scripts). The included Python files are small and readable; there are no URLs or archives being fetched during install.
Credentials
Only one environment variable is required (TAVILY_API_KEY) and it is used only by scripts/trend_analyzer.py to call https://api.tavily.com/, which matches the skill purpose. No unrelated credentials or broad secrets are requested.
Persistence & Privilege
always is false, the skill does not request permanent/forced inclusion, and there is no indication it modifies other skills or global agent settings. Autonomous invocation is allowed by default (expected).
Assessment
This skill appears internally consistent, but before installing consider: (1) it will send your query text to Tavily when using trend analysis — only provide non-sensitive topics and review Tavily's privacy policy; (2) use a dedicated, limited-scope TAVILY_API_KEY (rotate if compromised); (3) if you need stronger isolation, run the skill in an environment with network egress controls or monitor outbound calls to api.tavily.com; (4) the bundled Python scripts are small and readable—review them yourself if you have concerns. Overall the requested access is minimal and expected for the described functionality.

Like a lobster shell, security has layers — review code before you run it.

latestvk97amkpd84ehhm5btb3ze2exmx81m9as

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvTAVILY_API_KEY

Comments