YouTube Archiver
PassAudited by ClawScan on May 10, 2026.
Overview
This looks like a purpose-aligned YouTube archiving skill, but it can use your browser YouTube session/cookies and optional AI-provider calls, so review those permissions before use.
Before installing, make sure you trust the skill source and scripts, install yt-dlp from a trusted source, run a dry run first, and review .config.json. Be especially careful with browser cookie access, macOS Full Disk Access, cookies.txt files, remote AI providers, and any cron schedule you enable.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The scripts will create and update files in the chosen archive directory and may invoke yt-dlp and provider APIs as part of the workflow.
The skill instructs the agent to run local Python helper scripts. That is expected for this archiving workflow, but users should recognize that it is local code execution that can write files and call external tools/services.
Run init: `python3 <skill>/scripts/yt-import.py --output <output-dir> --init` ... Run real import ... Run enrichment (optional): `python3 <skill>/scripts/yt-enrich.py --output <output-dir> --limit 10`
Run the documented dry run first, choose a specific output directory, and review the generated .config.json before running a full import or enrichment.
If enabled, the workflow can use your logged-in YouTube session to read private playlists such as Liked Videos or Watch Later.
The skill may use the user's existing browser YouTube session or a cookies file to access private playlists. This is disclosed and purpose-aligned, but browser cookie access is high-impact.
- A browser signed into YouTube (for private playlists like Liked/Watch Later) - **macOS**: terminal needs Full Disk Access to read browser cookies
Only grant Full Disk Access or provide cookies if you trust the skill and toolchain; consider using an exported cookies.txt file or a separate browser profile where practical.
Video transcripts, titles, and related metadata may be sent to the selected AI provider for summarization or tagging, and provider API keys may be used from environment variables.
Optional summaries and tags can involve sending transcript or metadata content to the configured AI provider. The providers are disclosed and optional, but this is still an external data flow.
Works with any LLM provider (OpenAI, Gemini, Anthropic, Ollama, OpenRouter) or none at all ... Each video gets: metadata, full transcript, AI summary, and topic tags
Use provider `none` or local Ollama if you do not want transcript data sent to a remote service; otherwise review the provider, model, cost, and API key environment variables in the config.
Users have less source/provenance context than they would for a skill with a homepage, pinned dependency guidance, or an explicit install spec.
The registry metadata provides limited provenance for a skill that includes runnable scripts and depends on external tooling. This is not suspicious by itself, but it reduces user visibility into origin and installation details.
Source: unknown; Homepage: none; Install specifications: No install spec — this is an instruction-only skill.
Inspect the scripts before use and install yt-dlp only from trusted package sources such as the official project, pip, or a trusted OS package manager.
If you set up cron, the archive may continue syncing and enriching videos on a schedule without a new manual prompt each time.
The skill documents optional recurring automation. It is disclosed, user-directed, and bounded by the archive workflow, but recurring jobs can continue using cookies/API providers and writing files.
Automation with cron (single-agent default) Offer cron only after one successful manual run. Example schedule (daily 11:00):
Only enable cron after reviewing the config and a successful manual run; keep enrichment limits, logs, and an easy disable path.