YouTube AnyCaption Summarizer
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This looks like a coherent YouTube transcript-and-summary skill, with important cautions around optional browser-cookie use for restricted videos and transcript processing through an OpenClaw LLM gateway.
This skill appears purpose-aligned and not malicious in the provided artifacts. Before installing, be comfortable with installing yt-dlp/ffmpeg/whisper-cpp, downloading the Whisper model, saving transcripts and summaries locally, and using cookies only when you explicitly need access to restricted videos. For private/internal videos, confirm your OpenClaw model/gateway setup is appropriate because transcript text may be processed by that model path.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you use cookie options, the workflow may access logged-in YouTube session state to retrieve private or restricted videos.
The skill can use user-provided cookies or browser cookies to access restricted YouTube videos. This is expected for the feature, but browser/session cookies are sensitive account material.
supports private/restricted videos via cookies ... --cookies /path/to/cookies.txt ... --cookies-from-browser chrome
Use cookie options only when needed, prefer a purpose-limited cookies.txt file over a full browser profile when possible, and avoid using this with highly sensitive accounts unless you trust the local environment.
Transcript text, including content from restricted videos if you process them, may be provided to the configured OpenClaw model/gateway for summary generation.
The script builds an LLM prompt containing transcript text and sends it through OpenClaw's gateway/model invocation path. This is central to summarization, but it matters for private or internal video content.
"**TRANSCRIPT:**\n\n{normalized_text}" ... ["openclaw", "infer", "model", "run", "--model", model, "--gateway", "--prompt", full_prompt]
Only summarize private or internal videos if your OpenClaw model/gateway configuration is acceptable for that data. Consider reviewing or changing the model path before batch processing sensitive content.
You rely on the remote model URL serving the intended Whisper model file.
The documented setup downloads a model file from Hugging Face without a checksum or pinned integrity check. It is user-directed and purpose-aligned, but still a supply-chain dependency.
curl -L https://huggingface.co/ggerganov/whisper.cpp/resolve/main/ggml-medium.bin \
-o "$MODEL_PATH.part" && mv "$MODEL_PATH.part" "$MODEL_PATH"
If integrity matters, verify the model checksum from a trusted source or provide your own known-good model via --models-dir.
