Skill v1.0.0
ClawScan security
youtube-comment-miner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 11, 2026, 1:21 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (scrape and analyze YouTube comments) matches the included scripts, but the SKILL metadata and instructions omit required system dependencies and contain small inconsistencies, so review before running.
- Guidance: This skill is plausibly what it says: it scrapes YouTube (via yt-dlp) and analyzes saved comment JSON files. Before installing/running:
  1. Inspect and run the scripts in an isolated environment (VM/container) because they perform web scraping and write files to disk.
  2. Ensure you have the required system tools (yt-dlp, jq, Python 3.8+) and a JS runtime if yt-dlp needs it—these are referenced in SKILL.md but not declared in metadata.
  3. Check requirements.txt and remove unused packages (python-dotenv) if you don't need .env support.
  4. Note potential ToS/legal issues: automated scraping of YouTube may violate YouTube's Terms of Service—confirm this is acceptable for your use.
  5. Because the package owner/source is unknown and there are small inconsistencies in filenames/examples, prefer running it in a disposable environment and review the scripts for any modifications before use.
Review Dimensions
- Purpose & Capability (note): The name/description (YouTube comment mining for product insights) aligns with the included scripts (fetch_comments.sh and analyze.py) and requirements (yt-dlp, youtube-search). However, the registry metadata claims no required binaries/env while the runtime clearly depends on system tools (yt-dlp, jq, Python 3).
- Instruction Scope (concern): SKILL.md and the scripts instruct the agent/user to fetch YouTube pages and save comments to disk using yt-dlp and jq. That stays within the stated purpose, but the instructions reference additional system tools (jq, a JS runtime for yt-dlp) that are not declared in the metadata. There are also small inconsistencies in filenames/examples (SKILL.md references analyze_comments.py in examples while the repository has scripts/analyze.py), and requirements include python-dotenv even though neither the scripts nor the docs use environment variables—these sloppy mismatches could lead to confusion or unexpected behavior.
- Install Mechanism (ok): There is no automated install spec; this is instruction+script based. The Python dependencies are provided via requirements.txt (yt-dlp, youtube-search, python-dotenv), which is a standard approach. No downloads from unknown URLs or archive extraction are present in the skill files.
- Credentials (ok): The skill requests no environment variables or credentials, and the scripts do not attempt to read secrets. The inclusion of python-dotenv in requirements.txt is unnecessary given no .env usage in code—benign but sloppy.
- Persistence & Privilege (ok): The skill is not marked always:true and does not request persistent or elevated privileges, nor does it attempt to modify other skills or system configuration. It writes comment JSON files to a local directory, which is expected behavior for this purpose.
