ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Youtube Full

v1.4.1

Complete YouTube toolkit — transcripts, search, channels, playlists, and metadata all in one skill. Use when you need comprehensive YouTube access, want to search and then get transcripts, browse channel content, work with playlists, or need the full suite of YouTube data endpoints. The all-in-one YouTube skill for agents.

18· 10k·44 current·49 all-time
byRohit Das@therohitdas
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (YouTube transcripts, search, channels, playlists) align with the declared requirements: node is required to run the included CLI helper, TRANSCRIPT_API_KEY is the API credential for transcriptapi.com, and the config path (~/.openclaw/openclaw.json) is where the script stores the key. Nothing requested appears unrelated to the claimed functionality.
Instruction Scope
SKILL.md and scripts/tapi-auth.js instruct the agent to create a passwordless account (email → OTP → API key) and to save the API key into ~/.openclaw/openclaw.json (backing up the file first). That is within scope for providing the described API access, but it does mean the agent will ask the user for an email and OTP and will write credentials to the local OpenClaw config — users should expect that behavior and confirm they want the agent to perform account creation on their behalf.
Install Mechanism
No install spec (instruction-only) and a single small helper script are included. There are no external downloads or archive extracts; the only runtime requirement is node, which is declared. This is lower risk than arbitrary remote installs.
Credentials
Only TRANSCRIPT_API_KEY is required (declared as primaryEnv). No unrelated credentials, passwords, or other service tokens are requested. The script uses and stores exactly that key in the OpenClaw config and does not request additional env vars in the visible code.
Persistence & Privilege
always is false (not force-included); the skill writes only to its own OpenClaw config path (~/.openclaw/openclaw.json) and creates a .bak of existing file. It does not request system-wide changes or modify other skills' configs in the provided code.
Assessment
This skill appears to do what it says: it uses TranscriptAPI and needs your TRANSCRIPT_API_KEY. Before installing, confirm you trust transcriptapi.com and are comfortable providing an email (and entering the OTP) for account creation. The helper script will save the API key into ~/.openclaw/openclaw.json and makes a .bak of the existing file — inspect that file after onboarding. Ensure node is present on the host. If you prefer, create an API key manually on transcriptapi.com and set TRANSCRIPT_API_KEY yourself (or paste into openclaw.json) instead of letting the agent perform registration. If the key is ever exposed or you have doubts, revoke it from your TranscriptAPI dashboard.

Like a lobster shell, security has layers — review code before you run it.

latestvk9795066wj5bq7atfbhdq5stys80yfb3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎯 Clawdis
Binsnode
EnvTRANSCRIPT_API_KEY
Config~/.openclaw/openclaw.json
Primary envTRANSCRIPT_API_KEY

Comments