YouTube Digest

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: yt-digest
Version: 1.0.0

The skill uses `child_process.execSync` in `src/cli.js` to run the external `yt-dlp` command with a user-provided URL. This capability is plausibly needed for the skill's stated purpose of extracting YouTube video information and transcripts, but executing an external command with user input interpolated into a shell string, even inside double quotes, introduces a potential command injection vulnerability if the URL is maliciously crafted, and it also exposes the host to any vulnerability in `yt-dlp` itself. There is no clear evidence of intentional malicious behavior such as data exfiltration or persistence, but the use of this high-risk capability warrants a 'suspicious' classification.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent runs this skill on a malicious or malformed URL, unintended commands could execute on the user’s computer.

Why it was flagged

The CLI takes the URL from command-line arguments and interpolates it into a shell command string. Double quotes do not neutralize shell metacharacters or command substitution inside the quoted string, and the code only checks that a YouTube-looking video ID is present while still passing the original, unvalidated URL to the shell.

Skill content

    const url = args[1]; ... execSync(`yt-dlp --dump-json --no-download "${url}"`, {

Recommendation

Replace `execSync` shell strings with `execFile`/`spawn` and an argument array, or strictly accept only an 11-character video ID and reconstruct the YouTube URL internally before calling `yt-dlp`.

What this means

Users may not realize they need to install and trust an external command-line tool before the skill works.

Why it was flagged

The code requires an external `yt-dlp` binary, while the registry requirements list no required binaries and SKILL.md says the skill uses YouTube's transcript API. This is purpose-aligned but under-disclosed.

Skill content

    execSync('which yt-dlp', { stdio: 'pipe' }); ... console.error('❌ yt-dlp is required. Install with: brew install yt-dlp');

Recommendation

Declare `yt-dlp` as a required binary in the metadata and document the actual implementation path clearly in SKILL.md.