ClawHub

YouTube Archiver

v1.0.0

Archive YouTube playlists into markdown notes with metadata, transcripts, AI summaries, and tags. Use when a user asks to import/sync YouTube playlists, arch...

1· 292·0 current·0 all-time
byBen Miller@benmillerat
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: scripts import playlists (yt-dlp), create markdown notes, add transcripts, and optionally call LLM providers for summaries/tags. The README, SKILL.md, and scripts reference the same workflow and configuration keys (playlists, browser, cookies_file, provider blocks). Requiring browser cookies / yt-dlp is coherent for private-playlist support.
Instruction Scope
Runtime instructions ask the agent/user to run the provided Python scripts, set an output directory, and (optionally) provide API provider config. They also instruct using browser cookie access (or cookies.txt export) to authenticate to YouTube and to grant macOS Full Disk Access to read Chrome cookies. That is within scope for importing private playlists, but it is a sensitive operation (accessing browser cookie stores). The instructions are explicit rather than open-ended (they don't instruct sweeping system enumeration).
Install Mechanism
No install spec; this is an instruction + script bundle. It uses yt-dlp (external dependency) and Python stdlib only. Not pulling code from arbitrary URLs or adding system-wide installers. Risk level is typical for a script-based skill that expects local dependencies to be present.
Credentials
The skill declares no required environment variables, which matches the metadata. The configuration supports optional API provider keys via an api_key_env name (e.g., OPENAI_API_KEY). This is proportional: summaries/tags require provider keys, but the agent will only use environment variables whose names the user supplies in config. Be aware that the skill will read whichever env var name you place in .config.json, so do not point it at unrelated secrets.
Persistence & Privilege
The skill is not always-enabled and uses only per-output-directory state (.config.json, .yt-archiver.lock, .sync-state.json). It does not request platform-wide privileges beyond reading browser cookies (which is a user-granted OS/browser-level permission) and does not modify other skills or global agent settings.
Assessment
This skill appears to do what it says, but it legitimately needs sensitive access in two places: (1) browser cookie access to fetch private playlists (on macOS the terminal may need Full Disk Access to read Chrome cookies) and (2) optional API keys for summaries/tags (the skill will read the env var name you place in .config.json). Before installing or running: review the scripts locally (they are included), prefer exporting cookies to a cookies.txt file rather than granting broad Full Disk Access when possible, run a dry-run first, and only provide API env var names that you intend the skill to use (avoid reusing env var names holding unrelated secrets). If you want to avoid remote providers, set provider to "none" or use a local provider such as Ollama. If you are uncertain, run the scripts in an isolated environment (container or VM) and inspect network activity during an initial run.

Like a lobster shell, security has layers — review code before you run it.

latestvk9778k7ajz4z1gz0854yk677xd81vkzp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments