Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Yt

v1.4.1

Quick YouTube utility — fetch transcripts, search videos, get latest from channels. Use when someone shares a YouTube link, asks about a video, or says "yt", "youtube", "check this video", "what's this video about", "find videos about", "latest from".

⭐ 2· 3.3k·4 current·4 all-time

byRohit Das@therohitdas

MIT-0

Download zip

LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

Name/description, required binary (node), required env TRANSCRIPT_API_KEY, and the included tapi-auth CLI all align with a TranscriptAPI-backed YouTube transcript/search helper. Required config path (~/.openclaw/openclaw.json) is consistent with storing the API key for agent runtime.

✓

Instruction Scope

SKILL.md limits actions to registering/verifying with TranscriptAPI, calling its endpoints (curl examples), and saving the returned API key to ~/.openclaw/openclaw.json. The only file reads/writes are the OpenClaw config (backed up before modification). No instructions to read unrelated system files or exfiltrate other credentials.

✓

Install Mechanism

No install spec or remote downloads; skill is instruction-first with a bundled Node script. No external archives or arbitrary URLs are fetched at install time.

✓

Credentials

Only TRANSCRIPT_API_KEY is requested (declared as primary), which is appropriate for calling transcriptapi.com APIs. No additional unrelated credentials or broad environment access are required.

ℹ

Persistence & Privilege

The CLI writes the API key into ~/.openclaw/openclaw.json and sets an enabled flag for the transcriptapi entry (backing up the original file). Writing its own agent config is expected for convenience, but users should be aware the skill will modify that config file.

Assessment

This skill appears to do what it says: it will call transcriptapi.com and help you register/verify an account, then save the returned API key into ~/.openclaw/openclaw.json (it creates a .bak backup first). Before installing or running: 1) Confirm you trust transcriptapi.com and its privacy/billing terms; the script will transmit your email to that service for registration and will make network calls to their API. 2) If you prefer, perform the manual signup on transcriptapi.com and set TRANSCRIPT_API_KEY yourself instead of using the bundled CLI. 3) Inspect ~/.openclaw/openclaw.json before and after to verify only the intended fields were added. 4) The skill requires node to run the helper script. If you want stricter isolation, avoid running the register/verify commands and provide an API key you created manually. Overall this bundle is coherent and proportional to its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fvsg8rxx06w8z6a854rx0c180yzev

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

▶️ Clawdis

Binsnode

EnvTRANSCRIPT_API_KEY

Config~/.openclaw/openclaw.json

Primary envTRANSCRIPT_API_KEY

Yt

License

Runtime requirements

Comments