YouTube Summarizer

The skill is classified as suspicious due to its reliance on an external GitHub repository (`https://github.com/kimtaeyoon83/mcp-server-youtube-transcript`) for its core functionality. Both `SKILL.md` and `package.json` instruct the agent to `git clone` this repository into `/root/clawd/mcp-server-youtube-transcript`, followed by `npm install` and `npm run build`, and then execute Node.js code from it. This introduces a significant supply chain risk, as the integrity of the external repository cannot be guaranteed, and its code is executed with the agent's permissions. Additionally, the skill writes full transcripts to `/root/clawd/transcripts/`, which involves privileged directory access. While the stated purpose of YouTube summarization appears benign, the method of fetching and executing code from an external, potentially unvetted source, combined with system-level file operations, raises security concerns.