Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nate B Jones Digest

Monitor Nate B Jones's YouTube channel, pull each new video transcript (YouTube captions or auto-transcribed audio), summarize it with an abstract + bullet h...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 5 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description match the runtime instructions: polling a channel, fetching transcripts (captions or Whisper), summarizing, and publishing. The required tools referenced in SKILL.md (youtube_transcript_api, yt-dlp, Whisper, and a 'gog' helper for Google actions) are coherent with the described workflow. However, the skill metadata declares no required credentials or env vars while the instructions clearly expect a YouTube API key, Google/Gmail/Docs credentials (via the gog helper), and potential chat/webhook tokens — this documentation gap is unexpected and worth flagging.
Instruction Scope
Instructions explicitly tell the agent to poll YouTube, download audio (yt-dlp), run Whisper, save transcripts and logs, and publish digests via email/chat/docs. These are within the stated purpose. Concerningly, the included config.yml (not just the example) is pre-populated with outputs.email.enabled:true and a concrete recipient (richard@saito.tech). If someone runs the workflow without editing config.yml, summaries (and potentially credentials via the gog tool) could be sent to that external address. The SKILL.md also uses a GOG_KEYRING_PASSWORD example and references other auth flows but the skill metadata doesn't declare those requirements.
Install Mechanism
Instruction-only skill (no install spec, no code files with executable installers). This minimizes install-time risk; runtime will call external CLIs (yt-dlp, whisper, gog) which must be installed separately by the operator. No suspicious download URLs or archive extraction are present.
Credentials
The workflow legitimately needs a YouTube API key (or yt-dlp) and Google/Gmail/Docs access to publish via the gog helper, and chat/webhook tokens for chat outputs. None of these are declared in the skill's metadata. Additionally, the provided config.yml already enables email delivery to an external address (richard@saito.tech) — that is a disproportionate default (it routes data to a third party). The skill also demonstrates use of an environment variable in examples (GOG_KEYRING_PASSWORD and $YOUTUBE_API_KEY) but doesn't list them as required; this mismatch is a documentation and privacy/credential risk.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It suggests creating a cron job or OpenClaw cron entry to run periodically, which is consistent with its monitoring purpose. It does write logs and a last-video marker in its own directory; that is expected behavior.
Scan Findings in Context
[NO_MATCHES_FOUND] expected: The regex-based scanner found no code patterns to analyze. This skill is instruction-only; the primary security surface is SKILL.md and included config/log files.
What to consider before installing
This skill appears to do what it says (poll YouTube, transcribe, summarize, publish), but take these precautions before installing or running it:

  • Do NOT run with the bundled config.yml unchanged. The provided config already has email delivery enabled and a hard-coded recipient (richard@saito.tech). If you run the workflow without editing config.yml, summaries could be sent to that external address.
  • Expect to provide credentials yourself: a YouTube API key (or rely on yt-dlp), and Google/Gmail/Docs authorization if you use the 'gog' publishing path. Also supply any chat/webhook tokens (Telegram/Control UI/Slack) you intend to use. The skill metadata does not declare these env vars, so be explicit about what you configure.
  • Inspect and control where logs/transcripts are stored. The skill keeps full transcripts in logs; if transcripts contain sensitive info, ensure archive_dir is secure and retention is acceptable.
  • Install and run external tools (yt-dlp, Whisper, youtube_transcript_api, gog) in a controlled environment; these CLIs will download audio and write files to disk.
  • Before enabling automation (cron), run one manual test with outputs disabled or directed to a trusted, controlled address to verify behavior.
  • If you need higher assurance, ask the publisher to update the skill metadata to declare required env vars and remove or neutralize any default external recipients. If you cannot verify the publisher, treat the default config as suspicious and do not use it as-is.
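One way to turn the first two precautions into a gate that runs before the workflow is scheduled. This is an added example, not part of the skill or of ClawHub's scanner; it assumes the config has already been parsed into a dict, that `outputs.email.to` and `outputs.doc.share_with` hold an address or a list of addresses, and that `TRUSTED_DOMAINS` and the env-var checks reflect your own setup.

```python
# Added example: pre-flight audit of a parsed digest config.
# Key names follow the page; TRUSTED_DOMAINS and the env-var rules are assumptions.
TRUSTED_DOMAINS = {"example.org"}  # assumption: domains the operator controls


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].strip().lower() if "@" in addr else ""


def _as_list(value):
    """Accept a single string, a list, or a missing value."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_config(cfg, env, trusted=TRUSTED_DOMAINS):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    outputs = cfg.get("outputs") or {}
    email = outputs.get("email") or {}
    doc = outputs.get("doc") or {}

    if email.get("enabled"):
        recipients = _as_list(email.get("to"))
        if not recipients:
            findings.append("email enabled but outputs.email.to is empty")
        for addr in recipients:
            if _domain(addr) not in trusted:
                findings.append(f"email recipient outside trusted domains: {addr}")
        if not env.get("GOG_KEYRING_PASSWORD"):
            findings.append("email enabled but GOG_KEYRING_PASSWORD is not set")

    for addr in _as_list(doc.get("share_with")):
        if _domain(addr) not in trusted:
            findings.append(f"doc shared outside trusted domains: {addr}")

    if not env.get("YOUTUBE_API_KEY"):
        findings.append("YOUTUBE_API_KEY not set (only the yt-dlp polling path will work)")
    return findings


# Constructed samples: the bundled default the scan describes, and an edited copy.
BUNDLED = {"outputs": {"email": {"enabled": True, "to": "richard@saito.tech"}}}
EDITED = {"outputs": {"email": {"enabled": True, "to": ["me@example.org"]}}}

if __name__ == "__main__":
    for finding in audit_config(BUNDLED, {}):
        print("FINDING:", finding)
```
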

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0

SKILL.md

Overview

Use this skill whenever you need to keep Richard (or any configured subscriber) up to date on new Nate B Jones videos. The workflow:

  1. Detect a new upload on https://www.youtube.com/@NateBJones.
  2. Retrieve the transcript (official captions first, Whisper fallback if missing).
  3. Summarize the video into an abstract, bullet highlights, and a "References & Links" list.
  4. Publish according to the installation's config: email, Control UI/Telegram chat, Google Doc, Markdown file, etc.

All runtime options live in references/config-example.yml. Copy that file, rename it (e.g. config.yml), fill in your preferences, and point the workflow to it.

1. Configure

  1. Copy references/config-example.yml to config.yml (or any path you prefer).
  2. Fill in:
    • channel_url or channel_id (the example already targets @NateBJones).
    • poll_cron (default daily at 09:00 local).
    • outputs.email.to, outputs.chat.targets, outputs.doc.type/path.
    • API credentials: YouTube Data API key (for upload polling), Gmail/Google Docs auth handled via gog skill.
  3. Store the config path somewhere easy to reference (e.g. skills/nate-b-jones-digest/config.yml).

2. Poll for new videos

  • Preferred: use the YouTube Data API playlistItems endpoint for the channel's uploads playlist. Example:
    curl "https://www.googleapis.com/youtube/v3/playlistItems?part=snippet,contentDetails&maxResults=5&playlistId=UPLOADS_PLAYLIST_ID&key=$YOUTUBE_API_KEY"
    
  • Lightweight alternative: use yt-dlp to check the latest upload ID without downloading video:
    yt-dlp --flat-playlist --dump-json "https://www.youtube.com/@NateBJones/videos" | head -n 1 > latest.json
    jq -r '.id' latest.json
    
  • Compare the discovered video ID with the last processed ID stored in your run logs (e.g., a simple last_video.txt or a Notion/Sheets tracker). Only proceed if it's new.

3. Fetch transcripts

  1. Try official captions via youtube_transcript_api:
    from youtube_transcript_api import YouTubeTranscriptApi
    transcript = YouTubeTranscriptApi.get_transcript(video_id, languages=['en'])
    text = '\n'.join([chunk['text'] for chunk in transcript])
    
  2. If captions are unavailable, download audio and run Whisper:
    yt-dlp -f 140 -o audio.m4a "https://www.youtube.com/watch?v=$VIDEO_ID"
    whisper audio.m4a --model medium --language en --task transcribe --output_format txt
    
  3. Save the raw transcript alongside metadata (title, URL, publish date, duration). Keep it in your logs for traceability but do not distribute it by default.

4. Summarize

Produce:

  • Abstract (2–3 sentences) summarizing the thesis of the video.
  • Highlights – 4–6 bullets (verb-led). Mention timestamps where possible (e.g., [05:42] Key insight).
  • References & Links – always include the YouTube URL and any external resources the video mentions.

Template:

# Nate B Jones Daily Digest — {{DATE}}

**Video:** {{TITLE}} ({{DURATION}}) → {{URL}}
**Abstract:** ...

## Highlights
- ...

## References & Links
- {{URL}}
- ...

5. Publish per config

Email (uses gog skill)

Do not attach the transcript unless someone explicitly asks for it—email only the digest body linked above.

GOG_KEYRING_PASSWORD=... gog gmail send \
  --to "{{config.outputs.email.to}}" \
  --subject "Nate B Jones Digest — {{DATE}}" \
  --body-file summary.txt \
  --body-html summary.html

Chat

  • Control UI / Telegram: paste the summary or use the relevant messaging command (e.g., message action=send ...).
  • Respect config.outputs.chat.targets (list of surfaces).

Document archive

  • Google Docs:
    gog docs create "Nate B Jones Digest {{DATE}}" --body summary.md
    gog docs share <docId> --email {{config.outputs.doc.share_with}}
    
  • Markdown on disk: write to the specified path in outputs.doc.path.

6. Automate (optional)

  • Create a cron job or OpenClaw cron entry using poll_cron from config. Each run should:
    1. Poll for new video.
    2. If found, fetch transcript, summarize, publish, log the video ID.
  • Keep lightweight audit logs (CSV or JSON) so you can prove what was sent and avoid duplicate emails.
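
A sketch of the audit log from step 6 that also serves as the "already processed" check from step 2. This is an added example, not code from the skill; the JSON Lines layout, the field names, and the `send` callback are assumptions. It records a hash of the digest body rather than the body itself and creates the log with owner-only permissions.

```python
# Added example: JSON Lines audit log used for de-duplication and proof of send.
# File layout, field names and the send() callback are assumptions.
import hashlib
import json
import os
from datetime import datetime, timezone


def already_sent(log_path, video_id, recipient):
    """True if the log already records this video going to this recipient."""
    if not os.path.exists(log_path):
        return False
    with open(log_path, encoding="utf-8") as fh:
        for line in fh:
            try:
                rec = json.loads(line)
            except json.JSONDecodeError:
                continue  # blank or torn line left by an interrupted run
            if (isinstance(rec, dict) and rec.get("video_id") == video_id
                    and rec.get("recipient") == recipient):
                return True
    return False


def record_send(log_path, video_id, recipient, digest_body):
    """Append one record; the file is created with mode 0600 if missing."""
    rec = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "video_id": video_id,
        "recipient": recipient,
        "body_sha256": hashlib.sha256(digest_body.encode("utf-8")).hexdigest(),
    }
    fd = os.open(log_path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    with os.fdopen(fd, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(rec, sort_keys=True) + "\n")
    return rec


def publish_once(log_path, video_id, recipient, digest_body, send):
    """Send and log, unless the log shows this pair was already handled."""
    if already_sent(log_path, video_id, recipient):
        return False
    send(recipient, digest_body)  # if this raises, nothing is logged and the next run retries
    record_send(log_path, video_id, recipient, digest_body)
    return True
```
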

References

Stick to the playbook format every time so downstream consumers get consistent digests, and always fall back to Whisper if captions are missing.
