Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Publora Youtube
v1.2.0
Upload and publish video content to YouTube using the Publora API. Use this skill when the user wants to upload or schedule YouTube videos via Publora.
by Sergey Bulaev (@sergebulaev)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the SKILL.md: it describes uploading and scheduling YouTube videos via the Publora API and the examples show the expected API calls. However the SKILL.md references a Publora core skill for auth and shows an x-publora-key header (sk_YOUR_KEY) even though the registry metadata lists no required credentials — a minor inconsistency.
Instruction Scope
The instructions are narrowly scoped to creating posts, requesting an upload URL, and PUTting video bytes to the upload URL (S3). They reference local video file bytes/paths and the x-publora-key header. They do not instruct the agent to read unrelated system files, but they implicitly require providing an API key and access to local video files.
Install Mechanism
Instruction-only skill with no install spec and no code files — low install risk. Nothing will be written to disk by an installer because there is no installer.
Credentials
The SKILL.md explicitly requires an API key header (x-publora-key: sk_YOUR_KEY) but the skill metadata declares no required environment variables or primary credential. This mismatch means the skill expects secrets (Publora API key) but does not declare them; that reduces transparency and is disproportionate to the published metadata.
Persistence & Privilege
always is false and there is no install or code that requests persistent presence or modifies other skills. The skill does not request elevated agent privileges in metadata.
Scan Findings in Context
[regex-scan-none] expected: No code files were present, so the regex-based scanner had nothing to analyze. This is expected for instruction-only skills, but it means runtime behavior is determined solely by SKILL.md.
What to consider before installing
Before installing:
1) Confirm how the Publora API key is supplied — the SKILL.md expects x-publora-key but the skill metadata doesn't declare any required env vars or primary credential; ask the author whether a separate 'publora' core skill is required to manage auth.
2) Only provide a limited-scope Publora key (not a broad admin key) and verify the Publora domain (https://api.publora.com) is correct and trusted.
3) Be aware the agent will upload local video files (you or the agent must supply the bytes), and uploads use returned S3 URLs — verify those URLs are legitimate before PUTing.
4) If you need stronger assurance, request the publisher to update the metadata to declare the required credential (e.g., PUBLORA_API_KEY) and to document any required scope/permissions for that key.
5) If you are unsure about the Publora service or the publisher identity, do not provide secrets or allow autonomous invocation that could use them.
Like a lobster shell, security has layers — review code before you run it.
