Youtube To Ebook

Scan result: Pass
Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: youtube-to-ebook
Version: 1.0.0

The skill bundle exhibits high-risk behaviors. Its Streamlit dashboard (`dashboard.py`) edits the skill's own Python source files (`get_videos.py`, `write_articles.py`) with regex substitutions driven by user input, which is a code injection vulnerability: anything typed into the dashboard that escapes the intended string literal becomes Python that runs the next time those scripts execute. It also uses `subprocess` to manage system-level persistence through macOS `launchctl`, and `run_newsletter.sh` hardcodes paths under one developer's home directory (`/Users/bytedance/`). These functions serve the stated purpose of scheduling and configuration, but the implementation performs no input sanitization and relies on execution patterns that could let anyone who can reach the dashboard run arbitrary code on the host.
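To make the self-modification problem concrete, the following is an added example, not code from the skill or from ClawScan. It models the pattern the overview describes (a dashboard value spliced into a Python file with a regex substitution) next to a hardened form that validates the value and stores settings as JSON data rather than rewriting code. The file contents, the `CHANNEL_ID` and `MAX_VIDEOS` names, the YouTube channel-id shape used for validation, and the payload are all assumptions constructed for the example.

```python
import ast
import json
import re
from typing import List

# Constructed stand-in for the skill's get_videos.py. Assumption: the real
# file keeps its settings in module-level assignments that the dashboard
# rewrites in place; the names here are invented for the example.
ORIGINAL_SOURCE = 'CHANNEL_ID = "UCdefault000000000000000"\nMAX_VIDEOS = 10\n'

# A dashboard "channel id" that is really a second line of Python. The '#'
# comments out the closing quote the template appends after the value.
PAYLOAD = 'x"\nimport os; os.system("id") #'


def rewrite_source_unsafe(source: str, channel_id: str) -> str:
    """The vulnerable pattern: splice an untrusted string into source code.

    Nothing checks that channel_id is a single string literal, so a quote or
    newline in it escapes the literal and becomes executable code the next
    time get_videos.py runs (for example from the scheduled launchd job).
    """
    return re.sub(r'CHANNEL_ID = ".*"', lambda m: f'CHANNEL_ID = "{channel_id}"', source)


def top_level_statements(source: str) -> List[str]:
    """Node types of the file's top-level statements, to show what got injected."""
    return [type(node).__name__ for node in ast.parse(source).body]


def injected_statement_count(source: str, channel_id: str) -> int:
    """How many extra top-level statements the unsafe rewrite introduces."""
    before = len(top_level_statements(source))
    after = len(top_level_statements(rewrite_source_unsafe(source, channel_id)))
    return after - before


# --- hardened form: validate the value, then persist settings as data -------

# Assumption for the example: a YouTube channel id is 'UC' followed by 22
# URL-safe base64 characters. Adjust this to the real input you accept.
CHANNEL_ID_RE = re.compile(r"UC[A-Za-z0-9_-]{22}")


def is_valid_channel_id(channel_id: str) -> bool:
    return CHANNEL_ID_RE.fullmatch(channel_id) is not None


def validate_channel_id(channel_id: str) -> str:
    if not is_valid_channel_id(channel_id):
        raise ValueError("channel id must be 'UC' followed by 22 URL-safe characters")
    return channel_id


def render_config(channel_id: str, max_videos: int) -> str:
    """Serialize dashboard settings as JSON; the scripts read this file
    instead of having their own source rewritten."""
    cfg = {"channel_id": validate_channel_id(channel_id), "max_videos": int(max_videos)}
    return json.dumps(cfg, indent=2)


def load_config(text: str) -> dict:
    """What get_videos.py would call instead of hard-coding CHANNEL_ID.
    Re-validating on load also catches a hand-edited config file."""
    cfg = json.loads(text)
    validate_channel_id(cfg["channel_id"])
    return cfg


if __name__ == "__main__":
    print("unsafe rewrite adds", injected_statement_count(ORIGINAL_SOURCE, PAYLOAD), "statements:")
    print(rewrite_source_unsafe(ORIGINAL_SOURCE, PAYLOAD))
    print("hardened path accepts payload:", is_valid_channel_id(PAYLOAD))
    print(render_config("UCdefault000000000000000", 10))
```

Parsing the rewritten file with `ast` shows the injected `import` and call as separate top-level statements, which is exactly what would run on the next scheduled execution. The hardened version never treats configuration as code: the value is checked against an allowlist pattern and written to JSON, and the consuming script validates it again on load.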

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you configure Gmail, the skill can send email from that account and the app password must be protected.

Why it was flagged

The optional email feature reads a Gmail app password from the local environment and can send the generated EPUB by email. This is purpose-aligned, but it is sensitive account authority.

Skill content

GMAIL_APP_PASSWORD = os.getenv("GMAIL_APP_PASSWORD")

Recommendation

Use a dedicated Gmail app password only if you need email delivery, keep .env private, and confirm the recipient and send behavior before enabling automation.

What this means

You may need to create and store an additional third-party API key, and transcript lookups may consume that provider's quota.

Why it was flagged

The transcript code expects a Supadata API key, but the top-level skill requirements mention only YouTube and Anthropic keys, and the registry metadata declares no environment variables at all, so this requirement is undocumented.

Skill content

SUPADATA_API_KEY = os.getenv("SUPADATA_API_KEY")

Recommendation

Update documentation/metadata to declare SUPADATA_API_KEY, and only configure it if you are comfortable sending YouTube video URLs to Supadata for transcript retrieval.

What this means

Future dependency changes could break the skill or introduce unexpected behavior.

Why it was flagged

The Python dependencies are listed without pinned versions. This is common in small projects, but it means each install pulls whatever versions are current at that moment, so a new or tampered release of any of these packages would be picked up silently.

Skill content

google-api-python-client
python-dotenv
youtube-transcript-api
anthropic
markdown
ebooklib
requests

Recommendation

Install in a virtual environment, consider pinning versions or using a lockfile, and review dependency provenance before running.

What this means

If enabled, the skill may run on a schedule, use API quota, generate files, and send email without you manually starting it each time.

Why it was flagged

The README documents optional launchd setup for recurring local execution. This is disclosed and user-directed, but it is persistent automation.

Skill content

cp com.youtube.newsletter.plist ~/Library/LaunchAgents/

# Load it
launchctl bootstrap gui/$(id -u) ~/Library/LaunchAgents/com.youtube.newsletter.plist

Recommendation

Enable launchd only after confirming paths, credentials, recipient settings, and logs; keep an uninstall/disable command handy.
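The three recommendations above (declare SUPADATA_API_KEY, pin dependencies, confirm paths before enabling launchd) can be checked mechanically before the first run. The script below is an added example written for this report, not part of the skill or of ClawScan. The requirements text is the list quoted above; the run script and the LaunchAgent plist are constructed stand-ins that only borrow the `/Users/bytedance/` path and the `com.youtube.newsletter` label from the report, and the set of required variables is an assumption (the report names only SUPADATA_API_KEY and the optional GMAIL_APP_PASSWORD).

```python
import os
import plistlib
import re
from typing import Dict, List

# Constructed inputs modeled on what the report quotes. All three are
# assumptions for this example; the skill's real files may differ.
REQUIREMENTS_TXT = """\
google-api-python-client
python-dotenv
youtube-transcript-api
anthropic
markdown
ebooklib
requests
"""

RUN_SCRIPT = """\
#!/bin/bash
cd /Users/bytedance/youtube-to-ebook
python get_videos.py && python write_articles.py
"""

LAUNCHD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.youtube.newsletter</string>
  <key>ProgramArguments</key>
  <array><string>/Users/bytedance/youtube-to-ebook/run_newsletter.sh</string></array>
  <key>StartCalendarInterval</key>
  <dict><key>Hour</key><integer>8</integer><key>Minute</key><integer>0</integer></dict>
</dict>
</plist>
"""

HOME_RE = re.compile(r"/Users/([^/\s]+)/")


def unpinned_requirements(text: str) -> List[str]:
    """Requirement names that are not pinned to an exact version with '=='."""
    unpinned = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or a pip option such as -r/-e
        if "==" not in line:
            unpinned.append(re.split(r"[<>=!~\[; ]", line, maxsplit=1)[0])
    return unpinned


def missing_env(names: List[str], env: Dict[str, str]) -> List[str]:
    """Variables from `names` that are absent or empty in `env`."""
    return [n for n in names if not env.get(n)]


def foreign_home_paths(text: str, current_user: str) -> List[str]:
    """Absolute macOS home paths that belong to someone other than current_user."""
    return sorted({m.group(0) for m in HOME_RE.finditer(text) if m.group(1) != current_user})


def launchd_problems(plist_bytes: bytes, current_user: str) -> List[str]:
    """Sanity-check a LaunchAgent before 'launchctl bootstrap' makes it persistent."""
    pl = plistlib.loads(plist_bytes)
    problems = []
    args = pl.get("ProgramArguments") or []
    if not args:
        problems.append("ProgramArguments is missing or empty")
    for arg in args:
        problems += [f"ProgramArguments references {p}" for p in foreign_home_paths(arg, current_user)]
    if not any(k in pl for k in ("StartInterval", "StartCalendarInterval")):
        problems.append("no StartInterval/StartCalendarInterval; confirm when this job is meant to run")
    return problems


def preflight(requirements: str, script: str, plist: bytes, env: Dict[str, str],
              current_user: str, required_env: List[str]) -> Dict[str, List[str]]:
    """Collect every check that fails; an empty dict means nothing left to fix."""
    report = {
        "unpinned dependencies": unpinned_requirements(requirements),
        "missing env vars": missing_env(required_env, env),
        "paths from another user's home": foreign_home_paths(script, current_user),
        "launchd": launchd_problems(plist, current_user),
    }
    return {k: v for k, v in report.items() if v}


if __name__ == "__main__":
    user = os.environ.get("USER", "")
    findings = preflight(REQUIREMENTS_TXT, RUN_SCRIPT, LAUNCHD_PLIST, dict(os.environ),
                         user, ["SUPADATA_API_KEY"])
    for check, items in findings.items():
        print(f"[{check}]")
        for item in items:
            print("  -", item)
```

Run it as the account that will own the LaunchAgent so the home-directory check compares against the right user; with the sample inputs it reports all seven dependencies as unpinned and, for any user other than bytedance, the foreign `/Users/bytedance/` path in both the script and the plist. The counterpart to `launchctl bootstrap` is `launchctl bootout gui/$(id -u) ~/Library/LaunchAgents/com.youtube.newsletter.plist`; keep that command next to the plist so the agent can be removed as easily as it was installed.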