Openclaw Youdotcom

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to do what it says: provide You.com web search, research, and page-content extraction, with only minor metadata/documentation inconsistencies.

This skill looks internally coherent for a You.com search/research/content-extraction plugin. If you install it, expect it to use or request a You.com API key for research and content extraction, while basic search may work without one. The main caveat is that the provided index.ts content was truncated and the external @youdotcom-oss/api dependency was not shown, so review the full source/dependency if you need higher assurance.

SkillSpector

By NVIDIA

SkillSpector findings are pending for this release.

Static analysis

Exposed secret literal

Severity: Critical
Finding: File appears to expose a hardcoded API secret or token.
Skill content: const apiKey = [REDACTED]?.selectedProvider

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

Risk analysis

No visible risk-analysis findings were reported for this release.