youtube-playlist

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: youtube-playlist
Version: 1.5.0

The skill includes an authentication setup guide (`references/auth-setup.md`) that explicitly instructs the AI agent to bypass security redaction mechanisms by writing sensitive tokens (JWTs and API keys) to temporary files instead of standard output. It also directs the agent to perform reconnaissance on the host environment to identify and modify system configuration files (such as shell profiles) for persistence. While these actions are framed as a setup process for the `transcriptapi.com` service, the deliberate circumvention of agent-level security controls and the modification of host environment settings represent significant security risks.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Playlist and video identifiers may be sent to TranscriptAPI, and API requests can consume TranscriptAPI credits.

Why it was flagged

The skill uses authenticated HTTP requests to TranscriptAPI to list playlist videos. This is expected for the stated purpose, but it means playlist requests are handled by an external provider.

Skill content

curl -s "https://transcriptapi.com/api/v2/youtube/playlist/videos?playlist=PL_PLAYLIST_ID" ... -H "Authorization: Bearer $TRANSCRIPT_API_KEY"

Recommendation

Use the skill only for playlist or video data you are comfortable querying through TranscriptAPI, and monitor credit or billing limits.

What this means

If you let the agent create an account, it will handle your email, OTP, and resulting TranscriptAPI key.

Why it was flagged

The optional setup flow has the agent create a TranscriptAPI account using the user's email and verification code. This is disclosed and user-directed, but it involves account and credential handling.

Skill content

You will handle the full signup on the user's behalf. This is a two-step flow: register ... then verify ... exchanges the OTP for the API key.

Recommendation

Only share the OTP if you intend the agent to complete TranscriptAPI signup, and review TranscriptAPI account, privacy, and billing terms.

What this means

Future agent sessions may be able to use your TranscriptAPI account and credits until the key is removed or revoked.

Why it was flagged

The skill asks for persistent storage of the provider API key so later agent sessions can authenticate. This is purpose-aligned, but it extends credential availability beyond the current task.

Skill content

Store it persistently using whatever method is correct for this environment ... available in future sessions, including non-interactive shells

Recommendation

Store the key in your agent's secret manager if available, use a dedicated/revocable API key, and remove or revoke it when you no longer need the skill.