YouTube Live Broadcast Checking
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill appears purpose-aligned for checking YouTube live broadcasts, but users should notice that it needs a YouTube API key, installs npm dependencies, and persists a local watchlist.
Before installing, make sure you are comfortable providing a restricted YouTube Data API key, running npm install for the googleapis dependency, and storing a local watchlist file. The provided artifacts do not show malicious behavior, but the supplied skill.js content is truncated, so review the complete source if available.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A misconfigured or over-broad API key could consume quota or expose access to the associated Google Cloud project's YouTube Data API allowance.
The skill reads a Google/YouTube API key from the agent environment and uses it to authenticate YouTube Data API calls.
return process.env.YOUTUBE_API_KEY;
Use a restricted API key limited to the YouTube Data API, avoid sharing it with unrelated skills, and monitor quota usage in Google Cloud.
Installing the skill may fetch third-party Node dependencies, so dependency integrity depends on npm/package-lock behavior and the user's install process.
The skill depends on an npm package to call Google APIs. This is expected for the purpose, but npm installation introduces normal third-party dependency provenance considerations.
"dependencies": { "googleapis": "^126.0.0" }
Install from the referenced repository or trusted package source, review the lockfile when possible, and keep dependencies updated.
The local watchlist can reveal which channels the user monitors and will remain available to future agent sessions using this skill.
The skill stores the user's channel watchlist on disk so it persists across agent restarts.
const STORAGE_FILE = path.join(__dirname, 'watchlist.json');
Only add channels you are comfortable storing locally, and delete watchlist.json or use the remove tool if you no longer want entries retained.
