youtube-api

Security checks across malware telemetry and agentic risk

Overview

This YouTube helper is not malware, but it needs Review because it asks an agent to handle and persist TranscriptAPI credentials, create accounts, and work around secret redaction controls.

Install only if you trust TranscriptAPI and are comfortable with an agent sending YouTube-related queries, URLs, handles, and account setup data to that service. Prefer creating the account yourself, providing a dedicated key through a proper secret manager, confirming exactly where it will be stored, and revoking or rotating the key when you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

High
Confidence: 99%
Finding:
This file directs the agent to obtain and persist credentials for a third-party TranscriptAPI service, which is unrelated to the stated YouTube data skill purpose. The mismatch in scope, combined with instructions to handle account creation and secret storage, indicates capability expansion that could be used to harvest or retain credentials under false pretenses.

Context-Inappropriate Capability

High
Confidence: 98%
Finding:
The guide instructs persistent storage of an API key across future sessions and non-interactive shells, granting the skill durable access beyond the immediate task. For a read-oriented YouTube skill, long-term secret persistence is unnecessary and increases the blast radius if the environment, logs, or downstream tools are compromised.

Context-Inappropriate Capability

High
Confidence: 97%
Finding:
The skill tells the agent to create third-party accounts, send registration requests, collect user email addresses and OTP codes, and complete verification on the user's behalf. That is unrelated to the advertised YouTube research function and enables credential brokerage and account lifecycle actions that expand the agent's authority unnecessarily.

Vague Triggers

Medium
Confidence: 90%
Finding:
The trigger text is unusually broad, including cases where YouTube content would help 'even if not mentioned explicitly.' That can cause the agent to invoke this skill for loosely related requests and unnecessarily send user prompts, creator names, handles, or links to a third-party service, increasing privacy exposure and the chance of unintended external calls.

Missing User Warnings

Medium
Confidence: 96%
Finding:
The skill instructs the agent to send requests to TranscriptAPI but does not provide a user-facing disclosure that user queries, YouTube identifiers, channel handles, and related inputs will be transmitted to an external third party. In combination with the broad invocation rules, this creates a meaningful privacy and consent risk because users may not realize their request data is leaving the local agent environment.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The document normalizes long-term secret storage without informing the user about persistence, exposure risks, rotation needs, or the possibility that future sessions and tools may inherit the credential. Even if not overtly malicious, this omits important security context that users need before authorizing storage of a live API key.

Ssd 3

High
Confidence: 98%
Finding:
These instructions explicitly ask the agent to solicit an API key from the user and then persist it across sessions, creating a direct path for secret collection and retention. In the context of a YouTube data skill, that behavior is unjustified and materially increases the risk of credential misuse or unintended exposure.

Ssd 3

High
Confidence: 99%
Finding:
The guidance to bypass runtime redaction by writing raw auth responses to temporary files and reading token values back is an active evasion of security controls. This undermines built-in secret-protection mechanisms and increases the likelihood of plaintext credential exposure through files, intermediate artifacts, or later tool access.

VirusTotal

64/64 vendors flagged this skill as clean.
