youtube-data
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: youtube-data Version: 1.5.0 The skill bundle contains instructions in 'references/auth-setup.md' that explicitly direct the AI agent to employ evasion techniques to bypass platform security controls. Specifically, it instructs the agent to write sensitive credentials (JWTs and API keys) to temporary files to avoid detection or redaction by the agent runtime's output filters. While these actions are intended to facilitate the setup of the 'transcriptapi.com' service, the methodology of teaching an agent to circumvent security logging and autonomously modify system-wide environment persistence is a high-risk behavior that could be repurposed for malicious data handling.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
YouTube URLs, creator names, or search terms may be sent to transcriptapi.com, and some requests consume TranscriptAPI credits.
The skill directs the agent to make external HTTP requests using user-provided YouTube/search inputs and the TranscriptAPI key. This is central to the skill's purpose and is clearly documented.
curl -s "https://transcriptapi.com/api/v2/youtube/search?q=QUERY&type=video&limit=20" ... Authorization: Bearer $TRANSCRIPT_API_KEY
Use it for intended YouTube-data lookups, avoid sending sensitive search terms unnecessarily, and monitor TranscriptAPI credit usage.
The configured environment or agent may be able to use the user's TranscriptAPI account and credits in future sessions.
The setup flow has the agent collect or create a TranscriptAPI credential and persist it in the user's environment. This is purpose-aligned but involves sensitive account credentials.
If yes, paste your API key and I'll set it up. If not, I can create a free account for you right now ... Store it persistently ... available in future sessions, including non-interactive shells
Store the key only in a trusted secret store or secure environment configuration, confirm where it is saved, and revoke or rotate the key if it is exposed.