ClawHub
Back to skill
v1.0.0

Youtube Reporter by CreatorDB

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 4:55 AM.

Analysis

The skill is a coherent CreatorDB API reference for looking up YouTube creator data, with only purpose-aligned notes about using curl, an API key, and an external service.

GuidanceThis looks safe to use for CreatorDB YouTube lookups if you expect it to call CreatorDB’s API. Before installing, be aware that it needs curl and a CREATORDB_API_KEY even though the registry requirements say none, and that API requests may reveal your lookup queries to CreatorDB and consume quota.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityInfoConfidenceHighStatusNote
SKILL.md
curl --request POST \
  --url https://apiv3.creatordb.app/youtube/search

The skill documents user-directed curl calls to CreatorDB. This is expected for an API lookup skill, but users should know that searches and channel IDs are sent to an external service.

User impactUsing the skill can send creator search terms or channel identifiers to CreatorDB and may consume API quota.
RecommendationUse it when you are comfortable sending the requested YouTube lookup data to CreatorDB, and monitor API usage if quota or billing matters.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
SKILL.md
metadata: {"moltbot":{"emoji":"🐽","requires":{"bins":["curl"],"env":["CREATORDB_API_KEY"]},"primaryEnv":"CREATORDB_API_KEY","install":[]}}

SKILL.md declares a curl and API-key requirement, while the registry fields list no required binaries or environment variables. This appears to be an under-declaration rather than hidden behavior because the commands plainly show curl and the API key.

User impactThe registry may not warn users up front that they need curl and a CreatorDB API key.
RecommendationConfirm the environment has curl available and configure CREATORDB_API_KEY intentionally before invoking the skill.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
--header "api-key: $CREATORDB_API_KEY"

The API examples authenticate with a CreatorDB API key. This is purpose-aligned for the CreatorDB service and there is no artifact evidence of logging, hardcoding, or unrelated credential use.

User impactAnyone using the skill needs a CreatorDB API key, and requests made with it may access the associated account’s quota or permissions.
RecommendationUse a dedicated CreatorDB key if possible, keep it out of shared prompts or logs, and rotate it if exposed.