Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

YouTube Channel Compare

v1.0.0

Compare 2-5 YouTube channels by views, engagement rate, trending score and posting frequency. Use when the user asks "Compare @ChannelA vs @ChannelB", "Which channel is stronger...

by MCB AI (@mcbaivn)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose (compare YouTube channels) matches the provided script, but the SKILL metadata declares no required binaries while the script calls the external program 'yt-dlp' and expects Python to run. The skill should declare yt-dlp (and network access) as a required dependency; the absence is an incoherence.
Instruction Scope
SKILL.md only instructs how to download the SKILL.md and the script from raw.githubusercontent.com and how to run the script. This is within scope for the stated purpose. However the docs do not mention the external dependency on yt-dlp or that the script will call subprocess to run that binary and will write report files locally, which users should be aware of.
Install Mechanism
Install uses raw.githubusercontent.com (well-known host) or git clone. Downloading raw script files and writing them to ~/.agents/skills is expected for instruction-only skills. This is moderate-risk (arbitrary code will be written and executed), but the source is a public GitHub repo rather than an obscure host or URL shortener.
Credentials
The skill requests no environment variables or credentials and the script does not read secrets from the environment. That is proportional to its purpose. It does require network access to fetch YouTube metadata via yt-dlp, which is reasonable but not declared.
Persistence & Privilege
always is false and the skill does not modify other skills or system-wide configuration. It only writes report files to a local 'Youtube_Compare' directory and installs itself under the user's skills folder when following the provided install steps.
What to consider before installing
Before installing: (1) Review the script compare_channels.py yourself: it invokes 'yt-dlp' via subprocess and writes files locally. (2) Ensure you have Python and yt-dlp installed from a trusted source; the SKILL.md does not declare yt-dlp as a required binary (this is the main inconsistency). (3) Installing by downloading raw scripts from GitHub will place executable code on your machine, so only proceed if you trust the repo/author. (4) Run in a sandbox or inspect the script line-by-line if you need higher assurance. If the author intends this skill for general use, ask them to update metadata to list yt-dlp and any other prerequisites and to document network usage.
