Is youtube-full safe?

https://clawhub.ai/therohitdas/youtube-full

70
CAUTION

This skill is a legitimate YouTube transcript and search API wrapper using TranscriptAPI.com as its backend. The primary concerns are: (1) the OpenClaw runtime reads sensitive files (.env, .aws/credentials, auth-profiles.json) during the skill loading phase — while not directly caused by the skill's code, this exposes credentials to the runtime context; (2) the included Node.js script has full filesystem and network capabilities; (3) the SKILL.md instructs the agent to fetch a remote OpenAPI spec, creating an instruction-injection surface. No data exfiltration, canary tampering, or malicious behavior was detected.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 60/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (7)

HIGH Runtime reads sensitive files during skill loading -40

During the install/load phase, the OpenClaw runtime environment accessed /home/oc-exec/.env, /home/oc-exec/.aws/credentials, /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json, .profile, and .bashrc. While these reads appear to originate from the runtime rather than the skill's own code, this skill's presence triggered the loading sequence. The .aws/credentials file access is particularly concerning as it could expose cloud infrastructure credentials.

MEDIUM Executable Node.js script with network and filesystem access -30

The skill includes tapi-auth.js (350+ lines) which makes HTTP requests to transcriptapi.com and writes to ~/.openclaw/openclaw.json. The SKILL.md instructs the agent to execute this script with user-provided email and OTP arguments. While the script's current code appears legitimate, it has full Node.js capabilities including fs, os, and network access.

MEDIUM External URL instruction for agent to fetch remote spec -18

SKILL.md contains the instruction 'Full OpenAPI spec: transcriptapi.com/openapi.json — consult this for the latest parameters and schemas.' This directs the agent to fetch and interpret content from an external URL, creating a remote instruction injection surface. If the remote endpoint were modified, it could inject arbitrary instructions into the agent's context.

MEDIUM Sensitive file reads during install phase -40

The install phase triggered reads of .env, .aws/credentials, .profile, .bashrc, and auth-profiles.json. While no outbound network activity was detected (meaning data was not exfiltrated during this phase), the access pattern is broader than expected for a YouTube transcript skill installation.

LOW API key stored in shared config file -15

The skill stores the TranscriptAPI key in ~/.openclaw/openclaw.json, a shared configuration file readable by other skills. This creates a credential-sharing surface where a malicious skill could read another skill's API keys.

LOW Script creates backup files and directories -15

tapi-auth.js creates ~/.openclaw/ directory if missing and backs up openclaw.json to openclaw.json.bak before modification. While this is documented behavior, it demonstrates filesystem write capability beyond the skill's working directory.

INFO Legitimate API wrapper with standard auth flow -5

The skill is a straightforward YouTube data API wrapper using TranscriptAPI.com as its backend. The auth flow (email → OTP → API key) is a standard passwordless pattern. All API endpoints target transcriptapi.com. No obfuscation, encoding tricks, or hidden functionality detected in the source code.