Skillv1.0.3

ClawScan security

Boring YouTube Publisher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 27, 2026, 9:00 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions are internally consistent with its stated purpose (publishing YouTube videos via Boring), but it requires giving a single embedded MCP link that contains long-lived credentials and will upload your media to Boring's public storage — so review privacy and trust of the provider before use.
Guidance: This skill is coherent for publishing to YouTube via the Boring service, but before installing or using it: (1) only paste your MCP Connector link into the platform's secure Connector field — treat it like a password; (2) understand that media files will be uploaded to Boring's cloud and served from public URLs while being published to YouTube; (3) confirm the OAuth scopes requested (youtube.upload, youtube.readonly) and that you trust boring.aiagent-me.com; (4) if you have sensitive content, test with non-sensitive uploads first and consider creating a dedicated channel or account; (5) you may want to regenerate the MCP token after use and revoke access if you stop using the service. If you need higher assurance about provenance, request source code or a canonical release from the vendor before giving credentials.

Purpose & Capability: okName/description (uploading to YouTube via Boring) matches the instructions. The declared single required config (MCP Connector link with embedded auth token) is exactly what the instructions use to call boring_* endpoints and publish to YouTube.
Instruction Scope: noteInstructions are focused on uploads and metadata and do not ask the agent to read unrelated local files or env vars. They do, however, instruct uploading user media to Boring's Google Cloud Storage (public URLs) so Boring can call YouTube on the user's behalf — this is expected for this integration but has privacy implications (user media becomes hosted on the third party).
Install Mechanism: okNo install spec or code files — instruction-only. Lowest installation risk (nothing written to disk by the skill itself).
Credentials: noteNo environment variables or local credentials requested. The single required credential is an MCP link containing embedded OAuth tokens (treated like a password). That is proportional to the stated function but grants Boring full delegated access to the user's YouTube account/channel — a sensitive, high-privilege credential that should be handled carefully.
Persistence & Privilege: okSkill is not always-enabled and contains no install hooks or instructions to modify other skills or system settings. It relies on the user adding the MCP link as a Connector (platform-level action) which is expected for this integration.