Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

YT Shorts Niche Research

v1.0.0

Find viral YouTube Shorts channels that started recently and are doing really well. Use when Abdullah asks to find shorts niches, find channels, research You...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for abdullahsarumi16-stack/youtube-shorts-niche-research.

Install the skill "YT Shorts Niche Research" (abdullahsarumi16-stack/youtube-shorts-niche-research) from ClawHub.
Skill page: https://clawhub.ai/abdullahsarumi16-stack/youtube-shorts-niche-research
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install youtube-shorts-niche-research

ClawHub CLI

npx clawhub@latest install youtube-shorts-niche-research

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name/description claim simple YouTube Shorts research, but the SKILL.md requires running a local Node script at a hardcoded path (C:\Users\sarum\.openclaw\workspace\youtube-research.js), expects browser/incognito behavior, and relies on producing JSON output and Telegram delivery. The skill bundle contains no script, no install instructions, and declares no required binaries (node, browser driver) or credentials that these actions would reasonably need.
Instruction Scope
Runtime instructions tell the agent to run a long-lived background script repeatedly (polling up to N rounds, rerunning on partial results), write result files (youtube-research-YYYY-MM-DD.json), update HEARTBEAT.md, and 'send results to Abdullah on Telegram unprompted' weekly. It also mandates not reading the full JSON in the main session and spawning a subagent to read it. These steps go beyond a simple query/lookup flow and require filesystem access, repeated execution, and external network actions.
Install Mechanism
There is no install spec and no code files included, yet the SKILL.md assumes an existing script and runtime (node) on a specific Windows path. Calling node and running background browser/incognito sessions implies additional packages (puppeteer, headless browser) not declared. The mismatch between 'no install' and the heavy runtime requirements is a red flag.
Credentials
The skill declares no required environment variables or credentials, but instructions require sending messages to Telegram (which would need a bot token) and likely need YouTube API access or browser credentials/cookies for incognito scraping. The hardcoded user path (sarum) also suggests expectation of a specific user's environment. Requesting external communications without declaring required credentials is disproportionate and opaque.
Persistence & Privilege
The SKILL.md instructs an automatic weekly run and unprompted Telegram delivery, writes HEARTBEAT.md, and demands repeated background execution until criteria are met. Although registry flags show always:false, the instructions try to establish persistent, autonomous behavior and file modifications without declaring or requesting the proper privileges or configuration — this mismatch is concerning.
What to consider before installing

  • The skill provided no code or install steps but expects a local script at C:\Users\sarum\.openclaw\workspace\youtube-research.js and a Node/browser environment. Ask the author for the actual script and installation instructions before running anything.
  • The instructions require writing files (youtube-research-YYYY-MM-DD.json, HEARTBEAT.md), repeatedly running background jobs, and sending data to Telegram weekly — but no Telegram token or other credentials are declared. Do not provide any secret tokens until you verify exactly how they are used.
  • The SKILL.md tells the main session not to read result files and to use a subagent instead — this is unusual and could be an attempt to bypass review or auditing. Ask why this design is necessary and request to inspect the output files and the script logic.
  • If you consider using it: get the source code, review the script for what it scrapes/sends, confirm it respects YouTube terms of service, and ensure any scheduled/unprompted actions are under your control (or remove them).
  • If you do not trust the author or cannot review the script, do not run it and prefer a skill that includes its code, declares necessary binaries/credentials, and does not require hidden background scheduling.

Like a lobster shell, security has layers — review code before you run it.

latest vk972hqm7fk8w3n9cgt4wgmf8e183v498
142 downloads
0 stars
1 version
Updated 4w ago
v1.0.0
MIT-0

YouTube Shorts Channel Research Skill

Find viral new YouTube Shorts channels that meet strict criteria.

Criteria (hardcoded in script)

  • Channel age: ≤ 60 days old
  • Total views: ≥ 15,000,000
  • Average views per video: ≥ 100,000
  • Results needed: whatever Abdullah specifies — default to 3 if no number given

Script Location

C:\Users\sarum\.openclaw\workspace\youtube-research.js

How to Run

  1. Set RESULTS_NEEDED in the script to match the number Abdullah requested (default 3)
  2. Always update this value before running
  3. Run the script in background:
    cd C:\Users\sarum\.openclaw\workspace; node youtube-research.js
    
  4. Poll until complete — the script runs until it finds all requested results, up to 10 rounds
  5. If it exits with fewer than requested, run again immediately (different incognito session = different feed)
  6. Keep running until you have the total requested.

Processing Results (Token Optimization)

  • Mandatory: When the script completes, do not read the full JSON result file in the main session.
  • Use sessions_spawn with model: "google/gemini-2.5-flash-lite" and runtime: "subagent".
  • Task the subagent to read youtube-research-YYYY-MM-DD.json, filter for winners, and return a concise summary (handle, name, link, stats).
  • Use the subagent's summary to respond in the main session.

Output Format

When all requested channels are found, reply to Abdullah with:

Found your [N] channels! 🔥

1. **[Channel Name]** (@handle)
[URL]/shorts
[age]d old · [total views]M views · [avg views]K avg · [subs]K subs

2. **[Channel Name]** (@handle)
...

Rules

  • Always include the full YouTube link
  • Always run in incognito (already configured in script)
  • Never stop until the requested number of qualifying channels are found
  • Do not report partial results — wait for the batch to complete then reply
  • Each run uses a fresh incognito session so channels will differ
  • Save results to youtube-research-YYYY-MM-DD.json (script does this automatically)

Weekly Schedule

Every Wednesday, run this automatically and send results to Abdullah on Telegram unprompted. Update HEARTBEAT.md to track last run date.
