Is youtube-api-skill safe?
https://clawhub.ai/byungkyu/youtube-api-skill
This skill is a pure-markdown YouTube API integration that routes all traffic through a third-party proxy (gateway.maton.ai) rather than using Google APIs directly. While it contains no executable code and exhibited clean installation behavior, the architectural dependency on Maton as a man-in-the-middle for all API calls and OAuth token management creates significant data exposure risk. The skill also cross-promotes additional Maton skills, expanding the trust surface.
Findings (8)
HIGH All traffic routed through third-party proxy gateway -25
Every API call goes to gateway.maton.ai instead of directly to googleapis.com. The Maton gateway sits as a man-in-the-middle, receiving the user's API key on every request and handling OAuth token injection. This gives the gateway operator full visibility into all YouTube API activity and the ability to intercept, modify, or store requests and responses including OAuth credentials.
HIGH OAuth token management delegated to third party -15
The skill's connection management system at ctrl.maton.ai handles OAuth session creation and token storage. Users are directed to complete OAuth authorization through connect.maton.ai, meaning Maton holds the actual Google OAuth tokens rather than the user. This creates a significant trust dependency — Maton can access the user's YouTube account independently.
MEDIUM Cross-skill promotion in description -15
The skill description explicitly promotes installing another skill: 'For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway)'. This could lead an agent to automatically suggest or install additional skills, expanding the attack surface without explicit user intent.
MEDIUM Inline code execution patterns in SKILL.md -15
The skill provides numerous inline Python heredoc and curl command examples that an LLM agent would be prompted to execute directly. While these are documentation examples, their presence in a system-prompt-injected SKILL.md means the agent will treat them as executable patterns, running shell commands that send the user's API key to third-party servers.
MEDIUM Requires environment variable access to API credential -5
The skill declares a hard dependency on the MATON_API_KEY environment variable. Any agent with this skill loaded will be instructed to read and transmit this credential to maton.ai endpoints on every API call.
LOW Ecosystem lock-in creates expanding trust surface -10
This skill is part of a Maton ecosystem pattern where multiple API integrations are proxied through a single third-party gateway. Each additional Maton skill installed expands the data and account access granted to this single entity. The cross-promotion in the description actively encourages this expansion.
INFO No executable code in repository 0
The skill contains only markdown documentation, metadata JSON, and a license file. No scripts, binaries, git hooks, submodules, or symlinks are present. The package.json is empty.
INFO Clean installation with no anomalous behavior 0
Installation monitoring shows only standard system library loading and OpenClaw runtime cache creation. No network connections, no unexpected process execution, no filesystem modifications outside expected paths.