Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Youtube Analytics CLI

v1.0.0

YouTube channel statistics, video data, and analytics reporting via youtube-analytics-cli. Use when the user wants to check YouTube channel stats, video perf...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description and SKILL.md are coherent: they describe a CLI that queries YouTube Data/Analytics. However the registry metadata claims no required binaries, no env vars, and no config paths, while the instructions clearly require the youtube-analytics-cli binary (or an npm install), environment variables (YOUTUBE_API_KEY, YOUTUBE_CLIENT_ID, YOUTUBE_CLIENT_SECRET, YOUTUBE_REFRESH_TOKEN), and an auto-detected credentials file (~/.config/youtube-analytics-cli/credentials.json). The omission of these requirements in the metadata is an inconsistency.
Instruction Scope
The instructions stay within the stated purpose (fetch channel/video/analytics data), but they explicitly direct the agent to read environment variables and to auto-detect/read a credentials JSON in the user's home config directory. Those actions are necessary for OAuth operations but are sensitive and should have been declared in the skill metadata. The SKILL.md also instructs installing a global npm package if the CLI is missing.
Install Mechanism
There is no formal install spec in the metadata, but SKILL.md tells users/agents to run `npm install -g youtube-analytics-cli`. Installing from the public npm registry is a moderate-risk action (writes code to disk and executes it); the skill does not provide a package URL, version, or author, so users should verify the npm package and its source before installing.
Credentials
The runtime docs require OAuth credentials (client_id, client_secret, refresh_token) and optionally an API key, which are reasonably needed for the CLI's full capabilities. However, the skill metadata declared no required environment variables or config paths — that mismatch reduces transparency. OAuth credentials are sensitive (can provide account access), so the request should be explicit in metadata and limited to what is necessary.
Persistence & Privilege
The skill does not request 'always: true' or any special persistent privileges. It does not declare modifying other skills or system-wide settings. Autonomous invocation is allowed by default but not combined with other elevated privileges here.
What to consider before installing
This skill's instructions are consistent with a YouTube analytics CLI, but the published metadata fails to declare that it needs a CLI binary, environment variables, and a credentials file. Before installing or using it:
1) Verify the npm package name and maintainer on the npm registry and review the package source (or prefer installing in an isolated environment).
2) Prefer using an API key for public data; avoid supplying client_secret/refresh_token unless you trust the package and understand the risk.
3) If you must use OAuth, consider using the `--credentials <path>` flag with a temporary credentials file rather than leaving credentials in your home config.
4) Ask the skill author to update metadata to list required env vars/config paths so you can make an informed decision.
