ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

youtube-ads

v1.0.1

When the user wants to run YouTube ads, set up TrueView or Bumper campaigns, or optimize video ad creative. Also use when the user mentions "YouTube ads," "T...

0· 87·0 current·0 all-time
by@kostja94
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the instructions: the skill is about YouTube ad formats, creative guidance, targeting and checklists. The requested capabilities (none declared) are minimal and generally appropriate for campaign planning. However, the skill asks the agent to read project-context files for planning context even though no config paths are declared in the metadata.
!
Instruction Scope
SKILL.md explicitly directs the agent to read local files (.claude/project-context.md or .cursor/project-context.md) and specific sections (3 and 4) for context. Those file reads are not listed in requires.configPaths and therefore are a mismatch between declared and actual instructions. Reading repository or workspace files can expose sensitive project information; the instruction is reasonable for campaign planning but should have been declared.
Install Mechanism
No install spec and no code files — instruction-only skill. This is low-risk from an install perspective because nothing is downloaded or written to disk by an installer.
Credentials
The skill does not request environment variables, credentials, or external tokens. The guidance does not instruct the agent to access secrets or external services directly, which is proportionate to the stated purpose.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges or claim to modify other skills or configs. Autonomous invocation is allowed by default but not combined with other concerning privileges here.
What to consider before installing
This skill appears to do what it says (YouTube ad planning and creative guidance), but its runtime instructions tell the agent to read local project-context files (.claude/project-context.md or .cursor/project-context.md) even though those paths aren't declared. If you install it, consider: 1) Review the contents of those project-context files (they may contain sensitive business information) or avoid placing secrets there; 2) Ask the skill author to declare the config paths in metadata so the access is transparent; 3) If you prefer stricter controls, run the skill in an environment where repository files are safe to read or remove/replace the project-context files before invoking the skill. No network credentials are requested by this skill, which reduces risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk978w0jm0s9z2h4cwnz4qrp5gd842kzx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments