Low Risk — Risk Score 25/100
Last scan: 21 hr ago
openclaw-trends
Fetch and aggregate OpenClaw-related content from across the internet
Legitimate OpenClaw trends fetcher with a critical hardcoded API key vulnerability but no malicious behavior detected.
Skill Name: openclaw-trends
Duration: 33.1s
Engine: pi
Safe to install
Remove the hardcoded YouTube API key fallback and read the key from an environment variable only; the key should be provided externally, not embedded in source code.

Findings: 1 item

Severity: Critical
Finding: Hardcoded YouTube API Key (Credential Theft)
Location: scripts/fetch_trends.py:26
Description: A valid YouTube Data API v3 key is hardcoded in plaintext at line 26. While documented as intentional ('embedded for convenience'), this exposes a credential that could be extracted and abused if the source is leaked or the repo becomes public.
Evidence: YOUTUBE_API_KEY = os.environ.get("YOUTUBE_API_KEY", "AIzaSyC-4zq2k2ohAwtQM7lF8jPct_QhzpENG88")
→ Remove the default fallback value entirely. Require YOUTUBE_API_KEY to be set via environment variable, and fail gracefully with a clear error message if it is not present.
| Resource     | Declared | Inferred | Status    | Evidence                                                                              |
|--------------|----------|----------|-----------|---------------------------------------------------------------------------------------|
| Filesystem   | NONE     | NONE     |           | No file read/write operations in code                                                 |
| Network      | READ     | READ     | ✓ Aligned | urllib requests to YouTube API (line 55) and DuckDuckGo (line 174)                    |
| Shell        | WRITE    | WRITE    | ✓ Aligned | subprocess.run(['gh', '--version'], ...) at line 91, documented in SKILL.md           |
| Environment  | READ     | READ     | ✓ Aligned | os.environ.get('YOUTUBE_API_KEY', ...) at line 26                                     |
| Skill Invoke | NONE     | NONE     |           | No skill invocation detected                                                          |
| Clipboard    | NONE     | NONE     |           | No clipboard access                                                                   |
| Browser      | NONE     | NONE     |           | No browser automation                                                                 |
| Database     | NONE     | NONE     |           | No database access                                                                    |
3 findings (1 Critical)

🔑 Critical: API Key (hardcoded API key)
   Value: AIzaSyC-4zq2k2ohAwtQM7lF8jPct_QhzpENG88
   Location: scripts/fetch_trends.py:26

🔗 Medium: External URL
   Value: https://youtube.com/watch?v=
   Location: scripts/fetch_trends.py:78

🔗 Medium: External URL
   Value: https://html.duckduckgo.com/html/?q=
   Location: scripts/fetch_trends.py:174

File Tree

2 files · 10.2 KB · 313 lines
Python: 1 file, 252 lines · Markdown: 1 file, 61 lines
├─ 📁 scripts
│ └─ 🐍 fetch_trends.py Python 252L · 8.4 KB
└─ 📝 SKILL.md Markdown 61L · 1.8 KB

Dependencies: 3 items

| Package  | Version | Source | Known Vulns | Notes                                           |
|----------|---------|--------|-------------|-------------------------------------------------|
| urllib   | stdlib  | Python | No          | Standard library, no external dependency risk   |
| json     | stdlib  | Python | No          | Standard library                                |
| datetime | stdlib  | Python | No          | Standard library                                |

Security Positives

✓ All functionality is documented in SKILL.md - no hidden behavior
✓ No base64 encoding, obfuscation, or anti-analysis techniques
✓ No credential harvesting beyond its own legitimate API key
✓ No data exfiltration or C2 communication patterns
✓ No attempts to access sensitive paths (~/.ssh, ~/.aws, .env)
✓ subprocess usage limited to documented gh CLI tool
✓ No cron/job persistence mechanisms introduced
✓ HTTP requests limited to legitimate trend aggregation services