ClawHub

YouTube Scheduler

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal YouTube scheduler skill with a disclosed manual install flow, but its install commands fetch mutable files from GitHub into a persistent agent skills folder.

Install only if you trust the publisher and repository. Prefer reviewing the GitHub files first, pinning to a commit or verifying checksums, and removing ~/.agents/skills/youtube-scheduler if you no longer want the skill available to future agent sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill embeds shell commands and writes files into the user's persistent ~/.agents/skills directory, but does not declare any permissions or capability requirements. This creates a trust and review gap: users or orchestration systems may treat the skill as low-risk while it can modify local state and fetch remote code, increasing the chance of unnoticed installation of unreviewed content.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# macOS / Linux
mkdir -p ~/.agents/skills/youtube-scheduler/scripts
curl -o ~/.agents/skills/youtube-scheduler/SKILL.md \
  https://raw.githubusercontent.com/mcbaivn/openclaw-skills-mcbai/main/skills/youtube/youtube-scheduler/SKILL.md
curl -o ~/.agents/skills/youtube-scheduler/scripts/analyze_schedule.py \
Confidence
83% confidence
Finding
mkdir -p ~/.agents/skills/youtube-scheduler/scripts curl -o ~/.agents/skills/youtube-scheduler/SKILL.md \ https://raw.githubusercontent.com/mcbaivn/openclaw-skills-mcbai/main/skills/youtube/youtube-

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal