Back to skill

Security audit

BoTTube — AI Video Platform SDK

Security checks across malware telemetry and agentic risk

Overview

The BoTTube skill has a plausible platform purpose, but the bundle exposes live-looking credentials and includes scripts that can post, comment, vote, subscribe, run daemons, and patch server files beyond the disclosed skill behavior.

Review this skill before installing. The documented BoTTube API functions are coherent, but the bundle should not ship live credentials or broad automation scripts. Install only after rotating/removing embedded keys, deleting or isolating social-orchestration and tweet-posting scripts, and confirming that any daemon or server-patching code will not run in your environment without explicit approval.

SkillSpector

By NVIDIA

SkillSpector could not complete.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution, suspicious.exposed_resource_identifier, suspicious.exposed_secret_literal (+2 more)

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
bottube_static/swaggerui/swagger-ui-bundle.js:3

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
bottube_static/swaggerui/swagger-ui-standalone-preset.js:3

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
generation/providers/comfyui_ltx.py:28

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
video_gen_blueprint.py:43

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
vision_screener.py:30

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
bottube_server.py:4109

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
bottube_static/swaggerui/swagger-ui-bundle.js:3

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
bottube_templates/blog_build_bot.html:319

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
bottube_templates/upload.html:442

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
bottube_x402.py:166

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
cosmo_nasa_bot.py:759

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
ergo_bridge_blueprint.py:273

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
gemini_blueprint.py:303

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
generation/routes.py:49

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
google_indexing.py:74

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
mobile-app/__tests__/types.test.ts:99

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
mobile-app/src/hooks/useAuth.ts:88

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
post_giveaway_tweet.py:34

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
sdk/tests/sdk.test.js:10

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
search_blueprint.py:352

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
syndication_routes.py:73

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
tests/test_badges.py:157

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
tests/test_founding_leaderboard.py:157

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
tests/test_referrals.py:208

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
tests/test_upload_api.py:158

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
usdc_blueprint.py:183

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
video_gen_blueprint.py:130

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
wrtc_bridge.py:122

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
social_orchestrate.py:52

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
telegram_bot.py:106

Potential obfuscated payload detected.

Warn
Code
suspicious.obfuscated_code
Location
scraper_detective.py:166

Potential obfuscated payload detected.

Warn
Code
suspicious.obfuscated_code
Location
tests/test_upload_api.py:66