Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

YouTube Content Manager

v1.0.1

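YouTube content management backend supporting AI topic generation, script writing, title optimization, SEO description generation, thumbnail copy suggestions, publishing record management and data analysis. Integrates the SkillPay payment interface; each call is charged 0.001 USDT.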


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for baolige2023/youtube-content-manager.

Install the skill "YouTube Content Manager" (baolige2023/youtube-content-manager) from ClawHub.
Skill page: https://clawhub.ai/baolige2023/youtube-content-manager
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install youtube-content-manager

ClawHub CLI


npx clawhub@latest install youtube-content-manager
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code implements the advertised YouTube content-management features (topic generation, script/title/description generation, storage and analysis, local SQLite DB). However the SKILL.md and code disagree about which AI provider is used (SKILL.md says OpenAI; code calls a 'SiliconFlow' API) and the SKILL.md claims the user must configure an OpenAI API key while the code contains hardcoded third-party API keys. Payment integration is present in code and SKILL.md (SkillPay), which is coherent with a paid tool, but that payment API key is embedded in the skill rather than declared as a required credential for the user to supply.
Instruction Scope
Runtime instructions (SKILL.md) instruct the user to configure an OpenAI API key and to run the Flask app, but the app code actually uses a different AI endpoint and hardcoded keys. The SKILL.md also publishes a SkillPay API key in plaintext. The code will send user prompts and generated content to external endpoints (skillpay.me for billing and api.siliconflow.cn for AI), which is expected for remote AI generation and payments, but the mismatch between documentation and code (provider/key handling) gives the agent broad discretion that is not described. The payment flow in code is unusual (e.g., charge_user posts amount: 0 to /charge) — behavior not explained in SKILL.md.
Install Mechanism
No install spec; this is instruction + code only and does not automatically download or execute remote archives. The user-run install instructions (pip install ...) are typical. No suspicious installer URLs or extraction steps detected.
Credentials
Registry metadata declared no required environment variables or primary credential, but the code contains multiple hardcoded secrets (SKILLPAY_API_KEY, SILICONFLOW_API_KEY, Flask SECRET_KEY). SKILL.md also prints a SkillPay API key. The SKILL.md asks the user to configure an OpenAI API key, which the code does not use, creating a mismatch between declared requirements and actual secret usage. Hardcoded billing keys are a significant red flag because they can be abused or indicate the skill will bill through the embedded account.
Persistence & Privilege
The skill writes a local SQLite database and uses Flask session cookies (with a fixed SECRET_KEY). It does not request 'always: true' or modify other skills or global agent settings. Its persistence is limited to its own data directory and session state.
Scan Findings in Context
[hardcoded_api_key_SKILLPAY_API_KEY] unexpected: A billing API key for SkillPay is hardcoded in both SKILL.md and app.py. Payment integration makes sense for a paid skill, but keys should be provided by the operator (env var or config) instead of embedded; embedding means the skill will bill with that account or expose the key.
[hardcoded_api_key_SILICONFLOW_API_KEY] expected: An AI provider API key is hardcoded. Using an AI API key is expected for AI generation, but again it should be configurable and documented. Additionally, SKILL.md states OpenAI should be used, causing a provider mismatch.
[hardcoded_SECRET_KEY] unexpected: Flask SECRET_KEY is fixed in code; this weakens session security and can be trivially reused by others. SECRET_KEY should be unique per deployment and set via environment variables.
What to consider before installing
This skill implements the promised YouTube content features but shows several red flags you should address before running:
- Do not run this on a machine with credentials you care about until you inspect and remove hardcoded secrets. The code contains hardcoded API keys (SkillPay and SiliconFlow) and a fixed Flask SECRET_KEY. These keys may be valid and could be used by the skill owner to receive payments or process AI requests — or they could be stolen keys. Replace them with your own credentials stored in environment variables.
- The SKILL.md instructs you to configure OpenAI, but the code calls a different AI provider (api.siliconflow.cn). Confirm which provider you trust, remove unused dependencies, and update the documentation.
- The payment flow is odd (charge endpoint with amount 0 in some calls, pay route uses amount 8), and the SKILL.md exposes a SkillPay API key. If you plan to accept or pay money, review the billing endpoints and test in TEST_MODE first. Keep TEST_MODE = True until you fully audit the billing code.
- The app transmits user prompts and generated content to external endpoints. If your prompts or stored video scripts contain sensitive information, understand that data will be sent to the configured AI/payment services.
- Suggested safe actions: run the code in an isolated environment, remove or rotate the hardcoded API keys, set SECRET_KEY and API keys via environment variables, verify the skill owner's identity (homepage is missing and source is unknown), and consider using your own paid AI account. If you cannot verify or remove the embedded keys, treat this skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

Tags: content, latest, management, monetization, youtube
112 downloads
0 stars
3 versions
Updated 1mo ago
v1.0.1
MIT-0

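YouTube Content Management Backend

Feature Overview

An end-to-end content production tool built for YouTube creators, helping them efficiently complete the whole workflow from topic selection to publishing:

  1. AI topic library: enter a niche and automatically generate 30 topics, sorted by difficulty and potential traffic
  2. Video script generation: after a topic is selected, automatically generate a complete script for a 5-8 minute video
  3. Title generation: each script comes with 5 title options, each labeled with its SEO-friendliness
  4. SEO description + tags: automatically generate a 500-character SEO-optimized description and 30 related tags
  5. Thumbnail plan: generate large-text thumbnail copy and color scheme suggestions
  6. Publishing records: record each video's publish date, view count, CTR and other data
  7. Data analysis: automatically analyze the characteristics of high-traffic topics every week to optimize future topic direction
  8. Fully Chinese interface, data stored locally, safe and reliable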

Payment Notes

Each use of this tool is charged 0.001 USDT. The payment interface is provided by SkillPay.me, API Key: sk_d11f398e77b6e892eb7a7d421fe912dde27322cf1792366b776b72bd459d3c2e

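Usage Flow

  1. Complete payment verification
  2. Enter a content niche and generate the topic library
  3. Choose a topic you like and generate the video script
  4. Choose a title, then generate the description, tags and thumbnail plan
  5. Record publishing data and view the data analysis report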

Dependencies

  • Python 3.8+
  • Flask: web framework
  • SQLite3: local data storage
  • OpenAI: AI content generation (API Key must be configured)
  • pandas: data analysis

Deployment

  1. Install dependencies: pip install flask pandas openai
  2. Configure the OpenAI API Key
  3. Start the service: python scripts/app.py
  4. Open http://localhost:5000 to use it
