Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Teleskopiq
v1.1.2Creates and manages AI-generated YouTube scripts, metadata, thumbnails, and schedules via a GraphQL API with specialized Markdown tags for production.
⭐ 0· 368·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md and scripts/teleskopiq.py clearly implement a GraphQL-based client that needs a TELESKOPIQ_API_KEY and optional TELESKOPIQ_ENDPOINT — this is coherent with the skill's description. However, the top-level registry metadata included with the evaluation initially reported "no required env vars" and no homepage, while skill.json and SKILL.md declare TELESKOPIQ_API_KEY (required) and a homepage (https://teleskopiq.com). That discrepancy between registry metadata and the files is an inconsistency that should be resolved.
Instruction Scope
The SKILL.md instructs only to set the API key/endpoint, use the included CLI, fetch style profiles, write scripts, and call the remote Teleskopiq GraphQL API. The instructions do not ask the agent to read unrelated local files, system credentials, or send data to unexpected endpoints — all network I/O goes to the declared TELESKOPIQ endpoint. The ai-write flow streams AI output from the service (SSE), which is consistent with the described functionality.
Install Mechanism
This is instruction-only (no install spec). skill.json lists Python requirements (requests, websocket-client), but there is no automated install step — meaning the script will fail unless those packages exist. There is no external download from untrusted URLs and no archive extraction, so install risk is low, but the lack of an install spec is a packaging omission to be aware of.
Credentials
The runtime code and skill.json require a secret TELESKOPIQ_API_KEY (format tsk_...) and optional endpoint, which is appropriate for a remote API client. However, the registry metadata supplied in the evaluation initially listed no required env vars and no primary credential; that mismatch is problematic: users may be unaware this skill needs a secret API key. Verify the registry metadata matches skill.json before trusting the package. Aside from the API key, no other credentials or unrelated env vars are requested.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and declares no config paths. It can be invoked by the agent autonomously (disable-model-invocation is false), which is the platform default and appropriate for an API-integration skill. No excessive persistence or cross-skill modification is present.
What to consider before installing
This skill appears to implement what it claims (a Teleskopiq GraphQL client) but there are packaging inconsistencies you should resolve before installing: skill.json and SKILL.md require a secret TELESKOPIQ_API_KEY and list a homepage, yet the registry metadata provided here omitted those. Before use, verify the publisher and homepage (https://teleskopiq.com), confirm you trust that service, and only provide an API key with the least privileges needed. Note there is no automatic installer — the script depends on Python and the requests/websocket-client packages. Review network traffic policy for your environment because the skill will send full script content and prompts to the remote API (this may include sensitive or private information you include in prompts). If you decide to proceed, consider creating a dedicated API key that can be revoked and run the skill in a minimal-privilege environment.Like a lobster shell, security has layers — review code before you run it.
apivk97a1j0s9c32dj2hsbb60n807h823yr2content-creationvk97a1j0s9c32dj2hsbb60n807h823yr2graphqlvk97a1j0s9c32dj2hsbb60n807h823yr2latestvk97a1j0s9c32dj2hsbb60n807h823yr2youtubevk97a1j0s9c32dj2hsbb60n807h823yr2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.