Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Youtube Api

v1.4.1

YouTube API access without the official API quota hassle — transcripts, search, channels, playlists, and metadata with no Google API key needed. Use when the user needs YouTube data programmatically, wants to avoid Google API quotas, or asks for "youtube api", "get video data", "youtube without api key", "no quota youtube".

by Rohit Das @therohitdas
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (YouTube data via TranscriptAPI) match the required pieces: node binary for the provided JS CLI and a TRANSCRIPT_API_KEY. Requiring ~/.openclaw/openclaw.json is consistent with the skill saving the API key there.
Instruction Scope
SKILL.md instructs only: prompt user for email/OTP, run scripts/tapi-auth.js to register/verify, and call transcriptapi.com endpoints via curl. The instructions only reference TRANSCRIPT_API_KEY and ~/.openclaw/openclaw.json (both declared). No unrelated file reads, environment access, or external endpoints are present.
Install Mechanism
No install spec (instruction-only) and one included CLI script. This is low-risk: nothing is downloaded from arbitrary URLs and no archives are extracted. Requiring node is proportionate to the shipped JS script.
Credentials
Only TRANSCRIPT_API_KEY is required and declared as the primary credential. The script stores that key in the declared OpenClaw config path. No other unrelated secrets or credentials are requested.
Persistence & Privilege
always is false and the skill only writes to its own OpenClaw config (~/.openclaw/openclaw.json), backing up the existing file to .bak. It does not request system-wide privileges or modify other skills' configs.
Assessment
This skill appears internally consistent, but note: it sends requests to transcriptapi.com (you must trust that third party), and the CLI will save your API key in plain JSON at ~/.openclaw/openclaw.json (the file is backed up to ~/.openclaw/openclaw.json.bak). Before installing, verify TranscriptAPI's reputation and privacy policy, ensure your machine's ~/.openclaw directory is secure, and understand that any queries/transcripts you send go to transcriptapi.com rather than Google. If you prefer not to store keys in a local file, plan to set TRANSCRIPT_API_KEY manually in your environment instead of using the provided save flow.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Clawdis
Bins: node
Env: TRANSCRIPT_API_KEY
Config: ~/.openclaw/openclaw.json
Primary env: TRANSCRIPT_API_KEY
