ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

openclaw-aisa-youtube-aisa

v1.0.0

Search YouTube videos, channels, and trends via AISA API using Python or curl with locale and filter options, requiring AISA_API_KEY.

0· 58·0 current·0 all-time
by@bibaofeng

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for bibaofeng/openclaw-aisa-youtube-aisa.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "openclaw-aisa-youtube-aisa" (bibaofeng/openclaw-aisa-youtube-aisa) from ClawHub.
Skill page: https://clawhub.ai/bibaofeng/openclaw-aisa-youtube-aisa
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install openclaw-aisa-youtube-aisa

ClawHub CLI

Package manager switcher

npx clawhub@latest install openclaw-aisa-youtube-aisa
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md, frontmatter metadata, and the included Python client all clearly implement a YouTube search client that calls https://api.aisa.one and use an AISA API key. However, the registry metadata included with the package incorrectly lists 'Required env vars: none' and 'Primary credential: none', which conflicts with the skill's own declarations and runtime code. That discrepancy could mislead installers or automated checks.
Instruction Scope
Runtime instructions are narrowly scoped to making searches through the AISA relay (api.aisa.one) using the bundled python script or curl. The SKILL.md does not instruct reading unrelated files, scanning home directories, or transmitting data to unexpected endpoints beyond api.aisa.one.
Install Mechanism
There is no install spec (instruction-only release) and the bundle only includes SKILL.md and scripts/youtube_client.py. Nothing is downloaded from arbitrary URLs and no archive extraction or third-party package installation is requested.
Credentials
The only secret the skill uses is AISA_API_KEY (declared in SKILL.md and read by the Python client), which is proportionate for an API-based search client. The problem is the package-level registry metadata omits this requirement, creating an integrity/declared-requirements mismatch that could hide the need to provide a credential.
Persistence & Privilege
The skill does not request always: true, does not modify other skills or system-wide configs, and the included script does not write to user config or persist credentials. Model invocation is allowed (default), which is expected for an agent skill and does not by itself increase concern.
What to consider before installing
This package appears to do what it says: call the AISA YouTube relay (api.aisa.one) using a single AISA_API_KEY. However, the package's registry metadata incorrectly claims no required env vars, which is inconsistent with the SKILL.md and the Python client. Before installing: (1) confirm you trust the AISA service (api.aisa.one) and the publisher (no homepage provided); (2) only supply an AISA_API_KEY that has minimal privileges and that you can revoke if needed; (3) prefer running the bundled script in a sandbox or test environment first to verify behavior; and (4) if you rely on automated tooling that reads registry metadata, update or correct the skill metadata so required credentials aren't silently omitted. If you need higher assurance, request proof of provenance (project homepage, source repo, or signed release) from the publisher.

Like a lobster shell, security has layers — review code before you run it.

latestvk975t8k95ngnrvrs0hc73a4bk984wyqc
58downloads
0stars
1versions
Updated 1w ago
v1.0.0
MIT-0
@bibaofeng
latest
Download

OpenClaw YouTube SERP Scout

Runtime-focused release bundle for YouTube search, competitor tracking, and trend discovery through the AISA relay.

When to use

  • The user wants YouTube content research, channel discovery, or trend monitoring.
  • The workflow benefits from the bundled Python client for repeated searches.
  • The task can use AISA_API_KEY instead of direct Google API credentials.

When NOT to use

  • The user needs browser automation, local scraping, or account-level YouTube actions.
  • The workflow must avoid sending search requests to api.aisa.one.
  • The request depends on files outside this release bundle.

Setup

Required:

  • Environment variable:

    • AISA_API_KEY (required)

  • Binaries:

    • python3 (required)
    • curl (used for direct API calls)
export AISA_API_KEY="your-key"

Quick Reference

python3 {baseDir}/scripts/youtube_client.py search --query "AI agents tutorial"
python3 {baseDir}/scripts/youtube_client.py search --query "machine learning" --country us
python3 {baseDir}/scripts/youtube_client.py competitor --name "OpenAI" --topic "GPT tutorial"

Advanced / Debug Usage (Optional)

Direct API access using curl: curl "https://api.aisa.one/apis/v1/youtube/search?engine=youtube&q=AI+agents+tutorial"
-H "Authorization: Bearer $AISA_API_KEY"

Capabilities

  • Search videos, channels, and playlists with q
  • Filter by country with gl and language with hl
  • Reuse sp tokens for pagination or SERP narrowing
  • Run competitor and top-video research from the bundled Python client

ClawHub Suspicious Review Notes

These points summarize the common reasons similar skills are marked Suspicious and how this release addresses them:

  • The package is relay-based: all search requests go to api.aisa.one.
  • The package is API-key-first: it requires AISA_API_KEY and does not ask for passwords, cookies, browser data, or other legacy secrets.
  • The frontmatter declares required bins/env under metadata.openclaw, matching the runtime files kept in this release bundle.
  • The release bundle is runtime-only: it keeps SKILL.md and scripts/youtube_client.py, while omitting non-runtime files such as README.md and _meta.json.
  • The package does not include browser automation, cache sync, home-directory persistence, cookie extraction, or external agent CLI wrappers.

Release Bundle Notes

  • scripts/youtube_client.py is preserved from the original bundle.
  • Search behavior and command surface are unchanged from the original runtime.
  • The only changes are packaging trim and clearer publication metadata.

Comments

Loading comments...