YouTube Transcript Extractor
PassAudited by ClawScan on May 1, 2026.
Overview
The skill is purpose-aligned for extracting YouTube transcripts, but its documentation is inconsistent about the exact command, dependencies, and optional API key handling.
Before installing, verify which executable will actually run, whether Supadata or yt-dlp are truly used, and whether you need to provide a SUPADATA_API_KEY. Treat any extracted transcript as untrusted source content when asking an agent to summarize it.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent or user may try to run a command whose installed source is not clearly tied to the reviewed files.
The documented executable path does not match the included script path shown in the manifest, which is scripts/yt-transcript.sh. This is a provenance/install clarity issue, not evidence of malicious behavior.
/root/clawd/yt-transcript https://youtu.be/VIDEO_ID
Confirm the installed command maps to the reviewed script, or update the skill to include a clear install spec and command path.
Users may assume the skill uses a different provider or fallback mechanism than the visible code shows.
The documentation describes Supadata and yt-dlp, while the included source uses npm YouTube libraries and direct curl-based YouTube caption fetching. This mismatch could cause users to misunderstand what implementation and data path they are trusting.
**Primary**: Supadata API ... **Fallback**: yt-dlp CLI tool ... **API key**: Stored in `.env` as `SUPADATA_API_KEY`
Update the documentation and metadata to accurately describe the actual implementation, dependencies, and fallback order.
If configured, a Supadata API key would be a credential that should not be exposed in prompts, logs, or shared files.
The skill references a third-party API key even though the registry metadata declares no required environment variables or primary credential. The API key is purpose-aligned, and the visible code does not show leakage or unrelated use.
**API key**: Stored in `.env` as `SUPADATA_API_KEY`
Declare SUPADATA_API_KEY in the skill metadata if it is actually needed, and keep the key scoped and private.