Trust Assessment
youtube received a trust score of 74/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 0 critical, 2 high, 0 medium, and 0 low severity. Key findings include Global NPM Package Installation from External Source, Direct Git Clone and Build from External Repository.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Global NPM Package Installation from External Source: The skill instructs the user to install the 'zubeid-youtube-mcp-server' npm package globally. Installing packages globally from external sources can introduce significant supply chain risks. If the package or its dependencies are compromised, it could lead to arbitrary code execution or system compromise on the user's machine. Recommend installing packages locally where possible, or using a package manager with integrity checks. Advise users to verify the trustworthiness of the package and its maintainer. Consider sandboxing the execution environment for such installations. | LLM | SKILL.md:20 |
| HIGH | Direct Git Clone and Build from External Repository: The skill instructs the user to clone a project directly from a GitHub repository ('https://github.com/ZubeidHendricks/youtube-mcp-server') and then build it. This method bypasses package manager security checks and introduces a direct supply chain risk. A compromise of the GitHub repository or the 'ZubeidHendricks' account could lead to the execution of malicious code during the 'npm install' or 'npm run build' steps, potentially compromising the user's system. This instruction is given for both initial setup and troubleshooting. Advise against direct cloning and building from untrusted or unverified external repositories. If necessary, recommend thorough code review, using specific commit hashes, or sandboxing the build process. Prefer officially published and signed packages where possible. | LLM | SKILL.md:50 |