Exposed secret literal
Critical
- Finding
- File appears to expose a hardcoded API secret or token.
- Skill content
const apiKey = [REDACTED]?.selectedProvider
Openclaw Youdotcom
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to do what it says: provide You.com web search, research, and page-content extraction, with only minor metadata/documentation inconsistencies.
This skill looks internally coherent for a You.com search/research/content-extraction plugin. If you install it, expect it to use or request a You.com API key for research and content extraction, while basic search may work without one. The main caveat is that the provided index.ts content was truncated and the external @youdotcom-oss/api dependency was not shown, so review the full source/dependency if you need higher assurance.
Static analysis
VirusTotal
VirusTotal engine telemetry is currently stale for this artifact.
Risk analysis
No visible risk-analysis findings were reported for this release.