Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

YouTube Scheduler

v1.0.0

Analyzes a YouTube channel's video upload schedule to find the "golden hours": the posting times that get the most views and engagement. Use when the user asks "Find the golden hours to pos...

by MCB AI (@mcbaivn)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (analyze YouTube upload schedule) matches the code: the Python script fetches video metadata and computes best days/hours. However the registry metadata lists no required binaries while the script invokes the external tool 'yt-dlp' via subprocess — that binary is necessary for the skill to function but isn't declared. This is an incoherence (likely an oversight) but impacts usability and trust.
Instruction Scope
SKILL.md instructs the agent/user to run a local Python script with a channel URL and optionally set timezone/limit. The script spawns an external process (yt-dlp) to fetch data from YouTube, parses outputs, and writes a plaintext report under Youtube_Schedule/. The instructions do not request unrelated files, credentials, or other system data. Note: the script will perform network calls (via yt-dlp) and writes output to disk — expected for the task.
Install Mechanism
There is no formal install spec; SKILL.md shows optional install methods that download raw files from raw.githubusercontent.com or clone a GitHub repo. Downloading raw scripts from GitHub is common but has moderate risk if you don't review the code first. The skill does not fetch code from obscure/personal servers or use archive extraction, which reduces risk.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The code does not attempt to read secrets or other environment values. This is proportionate to its stated purpose.
Persistence & Privilege
Skill does not request always:true, does not modify other skills or system-wide agent settings, and only writes its own report file to a local directory. It has normal, limited persistence (output file creation).
What to consider before installing
This skill is largely consistent with its description, but proceed carefully:
1) The Python script calls the external tool 'yt-dlp' (not declared in the metadata). Ensure you have yt-dlp installed and from a trusted source before running.
2) SKILL.md advises downloading raw scripts from GitHub; review the script contents (provided) yourself before executing.
3) The script will make network requests to YouTube (through yt-dlp) and will write a plaintext report to a local folder (Youtube_Schedule).
If you are unsure, run it in an isolated environment (VM/container) or inspect/transfer to a trusted package manager that declares dependencies. If the missing yt-dlp declaration concerns you, ask the author to update metadata to list required binaries and to provide a vetted install mechanism.

Like a lobster shell, security has layers — review code before you run it.
