Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

u2-downloader

v1.0.3

Download YouTube videos by URL in various resolutions using a pay-per-use API with credit-based authentication and no charge on failed downloads.

by Xiaosen Li @xjouska
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
!
Purpose & Capability
The described purpose (YouTube downloader via a pay-per-use API) matches the runtime instructions, which call https://u2foru.site endpoints. However, the registry metadata declares no primary credential or required env vars, while SKILL.md explicitly instructs the user to obtain and provide an API key (format sk-yt-xxxxx). The absence of a declared credential in the package metadata is an inconsistency.
Instruction Scope
SKILL.md is instruction-only and stays within the stated purpose: it tells the agent to send requests to the vendor API and to include a bearer API key. It does not instruct reading local files or other system credentials. However it directs the user to register at an external, unvetted domain (u2foru.site) and to paste the API key into OpenClaw, which is a sensitive user action.
Install Mechanism
There is no install script or code to download — the skill is instruction-only. This keeps disk-write and code-execution risk low. The Quick Install references a URL for installing the skill via OpenClaw but there is no archive or remote code fetch specified in the skill package itself.
!
Credentials
The skill requires a secret API key to operate, which is reasonable for a paid third‑party API. But the package metadata does not declare this credential (primaryEnv missing), so the required secret is not explicit in the registry. The external service is unknown and pay-per-use — providing a key may enable billing/charges and potential misuse. No other credentials are requested.
Persistence & Privilege
The skill does not request always: true, does not include installs that modify other skills, and is not requesting elevated or persistent system privileges. Autonomous invocation remains allowed (platform default) but does not combine with other high‑privilege flags here.
What to consider before installing
This skill routes downloads through an unvetted third-party (u2foru.site) and asks you to generate and paste a bearer API key — a payment-capable secret — into OpenClaw. Before installing: verify the vendor (look for a reputable homepage or source repo), confirm how OpenClaw stores and scopes the API key (is it stored only for this skill and encrypted?), review the service's billing and privacy terms, and prefer skills with published source code or well-known providers. If you only need downloads, consider running a local tool you control (e.g., yt-dlp) instead of giving a third party an API key. If you proceed, use a dedicated API key with minimal funds and monitor your account for unexpected charges.
