yt

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: yt
Version: 1.5.1

The skill provides YouTube transcript functionality via transcriptapi.com but includes high-risk instructions in references/auth-setup.md. It explicitly directs the AI agent to bypass platform security redaction features by writing sensitive credentials (JWTs and API keys) to temporary files instead of standard output. Additionally, it instructs the agent to modify system-level configuration files (such as shell profiles) to persist environment variables, which is a high-privilege operation that could be abused for persistence or unauthorized system modification.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can use the TranscriptAPI key for requests, which may consume credits tied to the user’s account.

Why it was flagged

The skill requires a bearer API credential and can help create the service account/key. This is expected for the TranscriptAPI integration, but it is still sensitive authority.

Skill content

    name: TRANSCRIPT_API_KEY
    prompt: Your TranscriptAPI key (starts with sk_)
    help: Free account at https://transcriptapi.com — 100 credits, no card required. Or let the agent create one for you.
    required_for: all API requests

Recommendation

Use a dedicated TranscriptAPI key, store it through the platform’s secret or environment-variable mechanism, and revoke or rotate it if it is exposed.

What this means

The API key may remain available to future agent sessions or local commands until the user removes it.

Why it was flagged

The setup may modify local shell or agent configuration so the key persists. This is disclosed and aligned with setup, but the storage location and scope should be verified.

Skill content

    Store it persistently using whatever method is correct for this environment ... available in future sessions, including non-interactive shells, without any manual sourcing step from the user.

Recommendation

Confirm where the key will be stored, prefer a secure secret store over broad shell profiles, and remove temporary files or config entries when no longer needed.