ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Youtube Audio Download

v1.0.6

Download YouTube video audio and convert to MP3. Supports age-restricted videos with cookies.

1· 637·7 current·7 all-time
by@banner90

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for banner90/youtube-audio-download.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Youtube Audio Download" (banner90/youtube-audio-download) from ClawHub.
Skill page: https://clawhub.ai/banner90/youtube-audio-download
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install banner90/youtube-audio-download

ClawHub CLI

Package manager switcher

npx clawhub@latest install youtube-audio-download
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description match the instructions (download YouTube audio), but the package contains no code and declares no required binaries while the runtime instructions expect a Python script (scripts/download_audio.py), WSL, and Windows paths. The plugin entry points to an absolute host path (/mnt/h/AI/.../download_audio.py) outside the skill bundle — that is not proportionate to a self-contained 'download audio' skill and indicates a dependency on existing local files.
!
Instruction Scope
Runtime instructions tell the agent to run a local Python script via WSL and optionally read a cookies.txt (sensitive). They also reference Windows GUI automation and specific Windows directories (/mnt/h/, H:/works/) which are outside the skill's declared scope. Because the skill does not include the referenced script, the agent would execute code from the user's filesystem, which may read or transmit data beyond the stated purpose.
!
Install Mechanism
There is no install specification and no code bundled; yet openclaw.plugin.json's entry field points to an absolute file on the host. That means the skill relies on preexisting local files rather than installing its own code. This is risky: the runtime will execute whatever is at that path on the user's machine, and the skill provides no provenance or safe-install mechanism.
!
Credentials
The skill declares no required env vars or credentials but its workflow expects access to local filesystem paths and optional cookies.txt for age-restricted videos. Cookies files can contain sensitive session tokens for your YouTube account. The lack of explicit declaration of these sensitive inputs (and the absolute path dependency) is disproportionate to what the description communicates.
Persistence & Privilege
The skill does not request permanent presence (always:false) and is user-invocable. Autonomous invocation is allowed by default (disable-model-invocation:false) — this is normal — but combined with the ability to execute an arbitrary local script it increases potential impact. The skill does not appear to modify other skills or agent-wide settings in the manifest.
What to consider before installing
This skill is suspicious because it doesn't include the download script it instructs the agent to run and points to an absolute path on your machine. Before installing or using it: 1) Verify whether scripts/download_audio.py actually exists at the referenced /mnt/h/... path and inspect its contents to confirm it only downloads and converts audio (no exfiltration or privileged operations). 2) Be cautious about supplying cookies.txt — it can contain session tokens; prefer OAuth or account-limited methods if available. 3) Ensure required binaries (Python, WSL, ffmpeg or yt-dlp) are installed and review what the script will call. 4) If you don't control the file at the absolute path or can't audit it, do not install or run this skill. If unsure, run the referenced script manually in an isolated environment first or ask the author to provide a self-contained package with clear install steps and explicit declared dependencies.

Like a lobster shell, security has layers — review code before you run it.

latestvk978rmw6d27e70fktahkhnek6h82h6v7
637downloads
1stars
7versions
Updated 23h ago
v1.0.6
MIT-0
@banner90
latest
Download

Youtube Audio Download

Usage

python scripts/download_audio.py <URL> [--cookies cookies.txt] [--output-dir dir]

Parameters

  • url (required): YouTube video URL
  • cookies_path (optional): Path to cookies.txt for age-restricted videos
  • output_dir (optional): Output directory, default: "works/audio"

Returns

{
  "success": true,
  "audio_path": "H:/works/audio/video_title-xxxxx.mp3",
  "title": "Video Title",
  "duration": 1200,
  "file_size_mb": 15.5
}

Tools

download_audio

Download YouTube audio to MP3

Workflow Integration

This skill is part of the YouTube translation workflow:

  1. youtube-audio-download: Download audio from YouTube
  2. doubao-launch: Launch Doubao translation window
  3. audio-play: Play the downloaded audio
  4. doubao-capture: Capture translated subtitles

Execution

All skills execute on Windows Python via WSL cross-platform call:

wsl -> python.exe scripts/download_audio.py ...

Error Handling

All skills return JSON with success field:

  • success: true - Operation completed
  • success: false - Check error_code and error_message

Notes

  • Windows GUI automation requires visible desktop (no RDP disconnect)
  • Output files are stored in Windows works/ directory
  • WSL accesses Windows files via /mnt/h/...

Comments

Loading comments...