Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Youtube Description Autoposter

v1.0.1

Generate SEO-optimized YouTube timestamps from a YouTube URL or a raw transcript string, then optionally append them to the description of that specific vide...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
The code and SKILL.md are consistent with the stated purpose (generate timestamps via Gemini and post them to YouTube). However the registry metadata lists no required environment variables or primary credential, while the SKILL.md and script explicitly require a Gemini API key and a Google OAuth credentials.json/token (to write to the user's YouTube channel). The missing declaration of these credentials in the registry is an incoherence that should be clarified.
Instruction Scope (flagged)
The SKILL.md instructs the agent to run the included Python script and to supply a Gemini API key and (for posting) a credentials.json. The script will fetch transcripts, send transcript data to Gemini (external model), and — if requested — update video descriptions directly via the YouTube Data API. The script posts updates without an interactive confirmation step and will save OAuth tokens (token.pickle). All of these actions are within the advertised purpose, but the instructions grant the skill the ability to modify an external account and transmit content to an external LLM, which deserves explicit consent and is not reflected in the registry's declared requirements.
Install Mechanism
This is an instruction-only skill with an included Python script. There is no install spec that downloads arbitrary artifacts. Dependencies are standard Python packages (youtube-transcript-api, google-generativeai, google-auth-oauthlib, google-api-python-client) and must be pip-installed by the user. No suspicious download URLs or extract steps were found.
Credentials (flagged)
The runtime requires a Gemini API key (passed as a positional argument or environment variable in examples) and Google OAuth credentials.json for write access to a YouTube channel (script requests scope youtube.force-ssl). The registry, however, lists no required env vars or primary credential — this mismatch is problematic. Also, the tool will send transcript/video text to Gemini (external service), so providing the Gemini key exposes potentially sensitive channel content to an external LLM; that is proportionate to the stated function but sensitive and should be declared.
Persistence & Privilege (flagged)
The skill is not force-installed (always:false), but the script performs persistent actions on first run: it runs an OAuth browser flow and writes token.pickle to scripts/ to store credentials for future runs. It will update video descriptions programmatically and performs updates without an interactive confirmation step. These behaviors are consistent with an autoposter but increase blast radius and require user caution.
What to consider before installing
This skill appears to do what it claims (generate timestamps with Gemini and optionally append them to YouTube), but there are a few important cautions: (1) the registry doesn't declare the credentials it actually needs — the script requires a Gemini API key and a Google OAuth credentials.json (desktop app) and will save token.pickle with write access to your channel; (2) posting is automatic if you run with --post (the script appends timestamps and calls videos.update without an extra confirmation), so test without --post first; (3) transcript and video text are sent to Gemini (an external LLM) so avoid sending sensitive content and consider the privacy implications; (4) only run this code from a trusted source — inspect scripts/youtube_desc_generator.py yourself (it is included) and if you proceed, create a dedicated OAuth client with the minimal required YouTube account, store credentials securely, and be ready to revoke the OAuth client or delete token.pickle if you no longer trust the skill. If the publisher can clarify why registry metadata omits the required credentials, that would increase confidence.

Like a lobster shell, security has layers — review code before you run it.

