Skill v1.2.0
ClawScan security
Publora Youtube · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 14, 2026, 11:45 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions clearly use the Publora API and require an API key and local video files, but the skill metadata does not declare any required credentials or config — that mismatch is concerning and worth confirming before install.
- Guidance
- Before installing:
  1) Confirm how the Publora API key is supplied: the SKILL.md expects x-publora-key but the skill metadata doesn't declare any required env vars or primary credential; ask the author whether a separate 'publora' core skill is required to manage auth.
  2) Only provide a limited-scope Publora key (not a broad admin key) and verify the Publora domain (https://api.publora.com) is correct and trusted.
  3) Be aware the agent will upload local video files (you or the agent must supply the bytes), and uploads use returned S3 URLs; verify those URLs are legitimate before PUTing.
  4) If you need stronger assurance, request the publisher to update the metadata to declare the required credential (e.g., PUBLORA_API_KEY) and to document any required scope/permissions for that key.
  5) If you are unsure about the Publora service or the publisher identity, do not provide secrets or allow autonomous invocation that could use them.
- Findings
[regex-scan-none] expected: No code files were present, so the regex-based scanner had nothing to analyze. This is expected for instruction-only skills, but it means runtime behavior is determined solely by SKILL.md.
Review Dimensions
- Purpose & Capability
- note: The name/description match the SKILL.md: it describes uploading and scheduling YouTube videos via the Publora API and the examples show the expected API calls. However, the SKILL.md references a Publora core skill for auth and shows an x-publora-key header (sk_YOUR_KEY) even though the registry metadata lists no required credentials, a minor inconsistency.
- Instruction Scope
- note: The instructions are narrowly scoped to creating posts, requesting an upload URL, and PUTting video bytes to the upload URL (S3). They reference local video file bytes/paths and the x-publora-key header. They do not instruct the agent to read unrelated system files, but they implicitly require providing an API key and access to local video files.
- Install Mechanism
- ok: Instruction-only skill with no install spec and no code files, so install risk is low. Nothing will be written to disk by an installer because there is no installer.
- Credentials
- concern: The SKILL.md explicitly requires an API key header (x-publora-key: sk_YOUR_KEY) but the skill metadata declares no required environment variables or primary credential. This mismatch means the skill expects secrets (Publora API key) but does not declare them; that reduces transparency and is disproportionate to the published metadata.
- Persistence & Privilege
- ok: 'always' is false and there is no install or code that requests persistent presence or modifies other skills. The skill does not request elevated agent privileges in metadata.
