Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Youtube Video Publisher
v1.0.0
Upload videos and Shorts to YouTube. Use when the user says 'upload to YouTube', 'publish YouTube video', 'post a YouTube Short', 'upload video with thumbnai...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to upload videos to YouTube and its runtime instructions call Boring connector functions (boring_list_accounts, boring_upload_file, boring_publish_post), which is consistent with that goal. However, the required credential is an MCP Connector link that—per the docs—grants publish/manage access across all connected social accounts, which is broader than strictly necessary for uploading to a single YouTube channel.
Instruction Scope
Instructions explicitly tell the agent to accept local video files and call boring_upload_file / boring_upload_from_url, which will upload user media to Boring's servers (re-hosting). That means user content leaves the local environment and is stored/processed by a third party. The SKILL.md does not limit uploads to YouTube-only or describe retention/processing details beyond a brief claim about server-side storage.
Install Mechanism
This is instruction-only with no install spec or code files, so nothing is written to disk or downloaded by the installer — lowest install risk.
Credentials
There are no environment variables, but the skill requires an MCP Connector link (a URL containing an embedded auth token). That token is effectively a secret and—according to the docs—grants broad publish/manage rights across connected platforms and has long-lived refresh semantics. Requesting a single broad-scoped token is disproportionate compared with a more minimal OAuth flow limited to one YouTube channel.
Persistence & Privilege
The skill is not marked always:true, and it does not request system-wide configuration changes. Model invocation is allowed (the platform default) which is expected for skills. There is no evidence the skill attempts to persist beyond normal connector usage.
What to consider before installing
This skill will upload your video files to a third-party service (boring.aiagent-me.com) using an MCP connector URL that contains an embedded auth token. Before installing or using it:
1) Only provide a connector link you trust; treat the URL as a password and never paste it publicly.
2) Verify the token scope with the service owner: confirm it is limited to the intended YouTube channel and does not grant write/publish access to other connected accounts.
3) Prefer testing with a disposable/test YouTube channel first and set uploads to unlisted/private until you trust the flow.
4) Ask the vendor for documentation on how uploaded media is stored, who can access it, retention policy, and how to revoke/regenerate the token.
5) If you prefer tighter control, consider using an integration that uses your own official YouTube OAuth credentials scoped only to youtube.upload.
If you proceed, keep the ability to revoke the connector token and audit activity on your YouTube account.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🎬 Clawdis
Config: MCP Connector link from boring.aiagent-me.com (contains embedded auth token)
