suspicious.exposed_secret_literal
- Location
- skill.js:10
- Finding
- File appears to expose a hardcoded API secret or token.
Advisory
Audited by static analysis on May 10, 2026.
Detected: suspicious.exposed_secret_literal
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A misconfigured or over-broad API key could consume quota or expose access to the associated Google Cloud project's YouTube Data API allowance.
The skill reads a Google/YouTube API key from the agent environment and uses it to authenticate YouTube Data API calls.
return process.env.YOUTUBE_API_KEY;
Use a restricted API key limited to the YouTube Data API, avoid sharing it with unrelated skills, and monitor quota usage in Google Cloud.
Installing the skill may fetch third-party Node dependencies, so dependency integrity depends on npm/package-lock behavior and the user's install process.
The skill depends on an npm package to call Google APIs. This is expected for the purpose, but npm installation introduces normal third-party dependency provenance considerations.
"dependencies": { "googleapis": "^126.0.0" }
Install from the referenced repository or trusted package source, review the lockfile when possible, and keep dependencies updated.
The local watchlist can reveal which channels the user monitors and will remain available to future agent sessions using this skill.
The skill stores the user's channel watchlist on disk so it persists across agent restarts.
const STORAGE_FILE = path.join(__dirname, 'watchlist.json');
Only add channels you are comfortable storing locally, and delete watchlist.json or use the remove tool if you no longer want entries retained.