youtube-api

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: youtube-api
Version: 1.5.0

The skill contains instructions in `references/auth-setup.md` that explicitly guide the AI agent to bypass security redaction mechanisms (specifically mentioning Hermes and Claude Code) by writing sensitive tokens to temporary files to avoid detection by the runtime's output filters. It also directs the agent to persist environment variables in shell configuration files and defines broad triggers in `SKILL.md` that allow it to activate even when not explicitly requested. While these behaviors are presented as necessary for the `transcriptapi.com` setup, the deliberate guidance on evading platform security controls is a high-risk indicator.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may spend TranscriptAPI credits and send search terms or YouTube identifiers to transcriptapi.com when it decides YouTube data is useful.

Why it was flagged

The invocation scope is broad and may cause the agent to call a paid third-party API for adjacent research tasks, though this is disclosed and aligned with the skill's YouTube-data purpose.

Skill content

any request where YouTube content would help — even if not mentioned explicitly

Recommendation

Ask the agent to confirm before broad searches, paginated browsing, or credit-consuming calls if you want tighter control.

What this means

A TranscriptAPI key may be stored on the machine or agent environment and reused in later sessions.

Why it was flagged

The skill asks the agent to handle and persist a TranscriptAPI credential. This is expected for the integration, but it affects the user's local credential boundary.

Skill content

Store it persistently using whatever method is correct for this environment (which you determined in Step 0). Make sure it will be available in future sessions, including non-interactive shells, without any manual sourcing step from the user.

Recommendation

Use a dedicated TranscriptAPI key, confirm the storage location, avoid sharing it in chat or logs, and revoke or rotate it if you no longer use the skill.

What this means

The agent may create a TranscriptAPI account for the user and handle the resulting API credential.

Why it was flagged

The setup flow can ask for the user's email, submit a registration request, receive an OTP from the user, and exchange it for an API key. This is disclosed and limited to TranscriptAPI account setup.

Skill content

You will handle the full signup on the user's behalf.

Recommendation

Only proceed if you trust transcriptapi.com and are comfortable letting the agent handle the email verification flow.